Securing AI means protecting the AI system itself, including its data, prompts, tools, permissions, and outputs. For identity teams, this becomes a governance problem when the system can access secrets, call APIs, or act with delegated authority.
Expanded Definition
Securing AI is the practice of protecting the AI system as an operational asset, not just the model artifact. That includes the prompts it receives, the data it can read, the tools it can call, the secrets it can access, and the outputs it can produce. In the identity and access domain, the term becomes especially important once an AI agent is allowed to act with delegated authority or interact with production systems.
Definitions vary across vendors, but the practical boundary is clear: securing AI is broader than model hardening and narrower than enterprise security in general. It focuses on attack paths unique to AI runtime behavior, including prompt injection, tool abuse, data leakage through context windows, and over-permissioned agent identities. This is distinct from traditional application security because the system may generate actions dynamically rather than follow fixed code paths. The NIST Cybersecurity Framework 2.0 is useful here as a governance baseline, but it does not by itself resolve AI-specific control placement.
For NHI teams, the key question is whether the AI can reach secrets, tokens, or privileged APIs without sufficient guardrails. The most common misapplication is treating model training security as equivalent to runtime AI security, which occurs when organisations protect the model but leave tools, prompts, and delegated credentials exposed.
Examples and Use Cases
Implementing securing AI rigorously often introduces latency, workflow friction, and tighter approval boundaries, requiring organisations to weigh faster agent execution against stronger control over what the system can see and do.
- An AI coding assistant is blocked from reading production API keys, but can still suggest code by using read-only context from approved repositories.
- An agentic support bot is allowed to draft account changes, yet every privileged action is routed through just-in-time approval and audit logging.
- A document analysis model is prevented from retaining sensitive excerpts in prompts or logs, reducing the chance of secret reconstruction from historical interactions.
- A security operations agent can query ticketing and detection systems, but its service account is constrained to least privilege and monitored as an NHI.
- After an exposure event, teams use the LLMjacking research to map how compromised credentials can turn AI access into an attacker-controlled interface, then compare those findings with the access scoping guidance in the NIST Cybersecurity Framework 2.0.
In practice, securing AI also includes restricting what the system can inherit from connected tools, since an agent with broad connector access can become a bridge into email, storage, or SaaS administration. The DeepSeek breach illustrates how AI-adjacent exposure can combine secret leakage, data exposure, and operational trust collapse in one incident, which is why runtime containment matters as much as model quality. Where AI touches identity workflows, permissions must be designed for the machine actor, not assumed from the human user behind it.
Why It Matters in NHI Security
Securing AI matters because AI systems increasingly behave like privileged service identities. If prompts, embeddings, connectors, or tool permissions are not controlled, the AI can become a path to secrets exfiltration, unauthorized API calls, and data poisoning. That creates a governance problem for NHI programs, since the AI may not be a user in the human sense, yet still exercises authority that must be bounded, logged, and reviewed.
NHIMG research shows how quickly credential exposure becomes operationally dangerous: when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, as documented in LLMjacking: How Attackers Hijack AI Using Compromised NHIs. The same article also highlights the DeepSeek breach as a reminder that AI systems can expose both secrets and sensitive records when controls fail.
For practitioners, the lesson is that AI security is no longer just about content safety or prompt quality. It is about ensuring that the AI’s identity, permissions, and runtime constraints are treated as first-class security controls. Organisations typically encounter the consequences only after an agent has already called a sensitive API or leaked data into an external workflow, at which point securing AI becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure and over-privileged NHI paths that AI agents can inherit. |
| OWASP Agentic AI Top 10 | Defines agent risks such as prompt injection, tool abuse, and unsafe action execution. | |
| NIST CSF 2.0 | PR.AC-4 | Maps to access control and least-privilege governance for AI-connected systems. |
Apply least privilege to AI identities and review entitlements on a recurring schedule.
Related resources from NHI Mgmt Group
- Why is identity such a critical factor in securing AI agent systems?
- What is the difference between securing LLMs and securing AI agents?
- What is the difference between securing chatbots and securing AI agents?
- Should organisations prioritize securing machine identities before expanding agentic AI use?
