
Why does GenAI adoption increase security risk as usage grows?

Because adoption expands the control surface. More users, more prompts, more data sources, and more downstream actions create more opportunities for overbroad permissions, poor logging, and shadow AI. Security teams need entitlement review and monitoring to keep growth from turning into unmanaged access.

Why This Matters for Security Teams

GenAI raises risk because it turns a bounded application into a growth engine for identity sprawl. As adoption expands, security teams are no longer protecting a single model endpoint. They are governing prompts, connectors, retrieval sources, plugins, agent workflows, and the credentials those components can use. That creates a wider path for privilege creep, silent data exposure, and actions that happen outside normal review cycles.

This is why guidance in NIST AI 600-1 GenAI Profile and NIST Cybersecurity Framework 2.0 emphasises governance, access control, and monitoring rather than model performance alone. NHIMG research shows the access problem clearly: the 2026 Infrastructure Identity Survey found that 70% of organisations grant AI systems more access than they would give a human employee doing the same job.

That mismatch matters because GenAI systems often look harmless at the pilot stage, then quietly accumulate connectors, data reach, and operational authority as usage grows. In practice, many security teams encounter over-privileged AI only after a connector, workflow, or exposed secret has already widened the blast radius.

How It Works in Practice

The practical risk increases in layers. First, more users mean more prompts, which increases the chance that sensitive data is entered, copied, or reused in the wrong place. Second, more data sources mean the model can surface content from systems that were never designed for broad access. Third, more downstream actions mean the GenAI system is not just answering questions. It may create tickets, trigger scripts, call APIs, or alter infrastructure.

That is where static access models break down. A role-based entitlement set is usually built for predictable human workflows, but GenAI and agentic systems are often goal-driven and dynamic. Current guidance suggests using intent-based authorisation and policy evaluation at request time so the system can decide whether a specific action is allowed in the current context. For that reason, identity primitives matter: workload identity, short-lived credentials, and ephemeral secrets are safer than long-lived static credentials.

  • Use OWASP NHI Top 10 to map where tool use, memory, and connector abuse create new failure modes.
  • Use Top 10 NHI Issues to prioritise credential sprawl, overbroad privilege, and weak revocation.
  • Apply NIST AI 600-1 GenAI Profile controls for logging, validation, and human oversight where the system can take action.

NHIMG’s DeepSeek breach coverage is a reminder that secrets and exposed data do not need advanced exploitation to become dangerous. Attackers often move fast when credentials surface, and AI workflows make those credentials more reusable across tools. These controls tend to break down when teams connect GenAI to production systems without scoping each action to a specific task, because the model can reuse access in ways the original approver never intended.

Common Variations and Edge Cases

Tighter controls often increase operational overhead, so organisations have to balance speed against containment. That tradeoff is most visible in environments that want autonomous AI but still rely on approval queues, static RBAC, and shared service accounts. Best practice is evolving, but there is no universal standard for this yet. Many teams are moving toward JIT credential provisioning, short TTL secrets, and workload identity because those patterns reduce the window in which an AI system can misuse access.

Edge cases appear when GenAI is used only for drafting or summarisation, because the risk profile is lower than for systems that can execute actions. Even then, retrieval connectors and hidden integrations can still expose sensitive content. The safer boundary is to separate read-only assistance from write-capable workflows, and to treat any model that can call tools as an operational actor rather than a passive application component.

For this reason, governance needs to be continuous, not one-time. Teams should review where the AI can reach, what it can change, and how quickly access is revoked after a task ends. In environments with many plugins, multi-agent chains, or poorly documented automation, the guidance breaks down because no one can reliably predict which action the system will take next.
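The request-time policy evaluation described under "How It Works in Practice", the short-TTL JIT grants and read-only versus write-capable split from the edge-case discussion, and the revoke-at-task-end review above can be tied together in one small policy decision point. The following is an added illustration, not code from NHIMG or from any of the cited frameworks; the tool catalogue, the SPIFFE-style workload identifiers, the task ids and the sample requests are all constructed for the example.

```python
"""Task-scoped, request-time authorisation for a tool-calling GenAI agent.

Added illustration (not from the page or from NHIMG): a minimal policy
decision point that re-evaluates every tool call against a short-lived
grant issued for a single task. Names, tools and requests are constructed.
"""
from dataclasses import dataclass

# Constructed tool catalogue: which actions only read and which can change state.
READ_ONLY_ACTIONS = {"tickets.read", "docs.search"}
WRITE_ACTIONS = {"tickets.create", "scripts.run", "infra.apply"}


@dataclass
class TaskGrant:
    task_id: str
    workload_id: str        # the agent's own workload identity, not a shared service account
    actions: frozenset      # actions approved for this task only
    resource_prefix: str    # data reach is limited to one resource tree
    issued_at: float
    ttl_seconds: int
    revoked: bool = False

    def expires_at(self) -> float:
        return self.issued_at + self.ttl_seconds


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list = []   # every decision is recorded, allowed or not


def issue_grant(task_id, workload_id, actions, resource_prefix, now,
                ttl_seconds=300, write_approved=False):
    """JIT grant: short TTL, and write-capable actions need an explicit approval flag."""
    requested = frozenset(actions)
    unknown = requested - READ_ONLY_ACTIONS - WRITE_ACTIONS
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    if (requested & WRITE_ACTIONS) and not write_approved:
        raise PermissionError("write-capable actions require explicit approval for this task")
    return TaskGrant(task_id, workload_id, requested, resource_prefix, now, ttl_seconds)


def authorize(grant, workload_id, action, resource, now) -> Decision:
    """Policy evaluation at request time: every check is redone for every call."""
    if grant.revoked:
        decision = Decision(False, "grant revoked")
    elif now >= grant.expires_at():
        decision = Decision(False, "grant expired")
    elif workload_id != grant.workload_id:
        decision = Decision(False, "credential presented by a different workload")
    elif action not in grant.actions:
        decision = Decision(False, f"action {action} not in task scope")
    elif not resource.startswith(grant.resource_prefix):
        decision = Decision(False, f"resource {resource} outside task data reach")
    else:
        decision = Decision(True, "within task scope")
    AUDIT_LOG.append({"task": grant.task_id, "workload": workload_id, "action": action,
                      "resource": resource, "allowed": decision.allowed, "reason": decision.reason})
    return decision


def revoke(grant):
    """Called when the task ends so the credential cannot be reused by a later workflow."""
    grant.revoked = True


def demo():
    """Lifecycle of one read-only summarisation task (constructed scenario)."""
    AUDIT_LOG.clear()
    t0 = 1_000.0
    agent = "spiffe://example.internal/agent/summariser"   # constructed workload id
    grant = issue_grant("TASK-42", agent, {"tickets.read"}, "tickets/project-a/",
                        now=t0, ttl_seconds=300)
    results = [
        authorize(grant, agent, "tickets.read", "tickets/project-a/1234", t0 + 5).allowed,     # in scope
        authorize(grant, agent, "tickets.create", "tickets/project-a/", t0 + 6).allowed,      # write not granted
        authorize(grant, agent, "tickets.read", "tickets/project-b/77", t0 + 7).allowed,      # outside data reach
        authorize(grant, "spiffe://example.internal/agent/other", "tickets.read",
                  "tickets/project-a/1", t0 + 8).allowed,                                    # wrong workload
        authorize(grant, agent, "tickets.read", "tickets/project-a/1234", t0 + 301).allowed,  # TTL elapsed
    ]
    revoke(grant)
    results.append(authorize(grant, agent, "tickets.read", "tickets/project-a/1234", t0 + 10).allowed)
    return results   # [True, False, False, False, False, False]


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that the grant, not the agent's standing role, is the unit of authority: it names one task, one workload identity, one resource tree and a TTL measured in minutes, and it is revoked explicitly when the task ends. A real deployment would issue the grant from the workload-identity and secrets infrastructure rather than in process, but the per-call evaluation and the audit record are what make the "where can it reach, what can it change, how fast is access revoked" review answerable.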

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                 Control / Reference   Relevance
OWASP Agentic AI Top 10   NHI-03                Agentic systems widen access paths and need task-scoped control.
CSA MAESTRO               MAESTRO               Addresses governance for autonomous AI workflows and tool use.
NIST AI RMF               AI RMF                Fits the governance and monitoring risks created by GenAI growth.

Use AI RMF to assign ownership, monitor behaviour, and manage AI risk continuously.