An AI intermediary is a system that sits between a user and internal resources and can select tools, call APIs, and trigger actions on the user’s behalf. That placement makes it an identity control problem, because the intermediary can expand the user’s effective reach unless tightly governed.
Expanded Definition
An AI intermediary is more than a chat interface. It is an execution layer that can translate a user’s intent into tool use, API calls, retrieval, and state-changing actions across internal systems. In NHI terms, that means the intermediary is handling delegated authority, not just generating text.
Definitions vary across vendors, but the security boundary usually centers on whether the system can act, persist context, or chain tools without direct human confirmation. That distinction matters because the intermediary may inherit privileges from a user, a service account, or both. When governed well, it behaves like a constrained broker. When governed poorly, it becomes a privilege amplifier that can reach far beyond the user’s original intent. The control challenge aligns with principles in the NIST Cybersecurity Framework 2.0, especially around access, governance, and monitoring.
The most common misapplication is treating the AI intermediary as a harmless user interface, which occurs when teams ignore its tool permissions, token scope, and ability to trigger downstream automation.
Examples and Use Cases
Implementing an AI intermediary rigorously often introduces workflow friction, requiring organisations to weigh faster task completion against tighter approval and logging requirements.
- A customer support agent asks an assistant to issue a refund, and the intermediary calls the billing API only after verifying policy and scope.
- A developer uses an internal copilot to open a pull request, but the intermediary is limited to read-only repository access unless a separate approval is granted.
- An operations team connects an assistant to ticketing, messaging, and incident tools, and the intermediary routes actions through a signed identity rather than a shared bot token.
- A finance workflow lets an intermediary prepare payment instructions, while human approval remains mandatory before execution.
- Threat researchers studying compromised AI access, including the patterns documented in LLMjacking: How Attackers Hijack AI Using Compromised NHIs and the DeepSeek breach, use the term to describe systems that can be induced to act with stolen or abused credentials.
- Implementation patterns often draw from identity guidance such as the NIST Cybersecurity Framework 2.0 and from agent security practices that separate planning from execution.
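The constrained-broker pattern the examples above describe, as an added illustration that is not code from the page or from any vendor: every tool call is checked against the scopes delegated for that request, state-changing tools additionally require an explicit human approval, and every allow/deny decision is written to an audit log. The tool registry, scope names and the `Delegation` type are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    """Authority the intermediary may exercise for ONE request (hypothetical type).
    The broker never holds a broad service token; it only uses what was delegated."""
    user: str
    scopes: frozenset                      # e.g. {"billing:read", "billing:refund"}
    approved_actions: frozenset = frozenset()  # tools a human explicitly signed off on

# Constructed tool registry: required scope and whether the tool changes state.
TOOLS = {
    "billing.lookup": {"scope": "billing:read",   "state_changing": False},
    "billing.refund": {"scope": "billing:refund", "state_changing": True},
    "repo.read":      {"scope": "repo:read",      "state_changing": False},
    "repo.open_pr":   {"scope": "repo:write",     "state_changing": True},
}

class Broker:
    """Minimal constrained broker: scope check, approval check, then log the decision."""

    def __init__(self):
        self.audit = []  # one entry per call attempt, allowed or denied

    def call(self, delegation, tool, **args):
        spec = TOOLS.get(tool)
        if spec is None:
            return self._deny(delegation, tool, "unknown tool")
        # Privilege amplification check: the tool's scope must be in the delegation.
        if spec["scope"] not in delegation.scopes:
            return self._deny(delegation, tool, f"missing scope {spec['scope']}")
        # State-changing actions need a human approval recorded for this request.
        if spec["state_changing"] and tool not in delegation.approved_actions:
            return self._deny(delegation, tool, "state-changing action requires human approval")
        self.audit.append({"user": delegation.user, "tool": tool, "args": args, "decision": "allow"})
        return {"ok": True, "tool": tool, "args": args}

    def _deny(self, delegation, tool, reason):
        self.audit.append({"user": delegation.user, "tool": tool, "decision": "deny", "reason": reason})
        return {"ok": False, "tool": tool, "reason": reason}

if __name__ == "__main__":
    broker = Broker()
    support = Delegation("support-agent", frozenset({"billing:read", "billing:refund"}))
    print(broker.call(support, "billing.lookup", order="A1"))   # allowed: read within scope
    print(broker.call(support, "billing.refund", order="A1"))   # denied: no approval yet
    developer = Delegation("dev", frozenset({"repo:read"}))
    print(broker.call(developer, "repo.open_pr", title="x"))    # denied: read-only delegation
    for entry in broker.audit:
        print(entry)
```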
Why It Matters in NHI Security
An AI intermediary becomes a security issue because it can concentrate risk from credentials, tokens, delegated scopes, and ambient trust into a single execution path. If that path is compromised, the attacker does not need to break every downstream system. They only need to persuade or hijack the intermediary to use the authority already available. That is why NHI teams treat these systems as identities with behavior, not just software features.
NHI Management Group research shows how quickly exposed credentials can be abused: in the LLMjacking research, exposed AWS keys were observed being targeted in as little as 9 minutes and on average 17 minutes after exposure. The same operational pattern appears when an intermediary is over-scoped, insufficiently logged, or allowed to retain context across sessions. The State of Secrets in AppSec findings also underline how fragile secrets governance becomes when controls are fragmented.
Organisations typically discover the consequences only after a prompt injection, token theft, or unauthorized action reveals that the intermediary had broader reach than intended; at that point, governing AI intermediaries becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 and the OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | AI intermediaries are NHI-like actors that can overreach through delegated tool and API access. |
| OWASP Agentic AI Top 10 | AGENT-03 | Agentic controls address tool use, autonomy, and unsafe action execution by AI systems. |
| NIST CSF 2.0 | PR.AA-01 | Identity and access governance applies when an intermediary acts on behalf of users. |
Inventory intermediary identities, bound their scopes, and review every action path for privilege amplification.