An AI security approach that extends protection beyond code into prompts, retrieval pipelines, orchestration, and runtime policy. It recognizes that for AI systems, the most important security controls often sit above the application layer where context is assembled and consumed.
Expanded Definition
Shift Up is the practice of moving security controls higher in the AI stack, so protection applies not only to code and infrastructure but also to prompts, retrieval pipelines, orchestration logic, tool calls, and runtime policy. In NHI and agentic AI environments, this matters because the most consequential trust decisions often happen after the application starts, when context is assembled and actions are executed.
The term is still evolving, and definitions vary across vendors. Some teams use it to describe prompt-layer safeguards; others include retrieval-augmented generation, policy engines, and agent supervision in the same control plane. A useful reference point is the NIST Cybersecurity Framework 2.0, which emphasizes governance, protection, detection, and response across the full system lifecycle. For AI systems, Shift Up is best understood as a control-placement strategy that follows the risk, not just the code path.
The most common misapplication is treating model security as a wrapper around the application, which occurs when organisations secure the front end while leaving prompts, connectors, and tool permissions unmanaged.
Examples and Use Cases
Implementing Shift Up rigorously often introduces additional policy and review overhead, requiring organisations to weigh faster AI delivery against tighter control over context, retrieval, and execution.
- A customer support agent can query a knowledge base only after prompt filtering and retrieval allow-list checks block unsafe context from reaching the model.
- An internal copilot can be limited by runtime policy so it may draft responses but cannot send emails, open tickets, or trigger workflows without explicit approval.
- A finance assistant can use tool calls only when the orchestration layer verifies the request matches an approved business purpose and current role scope.
- An engineering assistant can be blocked from exposing secrets because retrieval pipelines are configured to exclude repositories that contain sensitive credentials and token material.
- An identity operations agent can be monitored through the full request path, aligning prompt handling and execution rules with the governance themes described in the Ultimate Guide to NHIs.
In practice, Shift Up also supports stronger classification of AI trust boundaries, which aligns with how NIST Cybersecurity Framework 2.0 treats governance and control as continuous activities rather than one-time implementation steps.
Why It Matters in NHI Security
Shift Up matters because NHI risk frequently appears at the orchestration and execution layers, where service accounts, API keys, tokens, and agent permissions are actually consumed. NHIMG research shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations, and that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. Those figures underscore a simple operational reality: if controls stop at the application perimeter, the most dangerous pathways remain open.
For NHI governance, Shift Up helps reduce blast radius by placing policy where decisions happen, including context assembly, retrieval authorization, and runtime action gating. This is especially important for agentic systems that can call tools, chain tasks, or inherit privilege from workflows. It also supports stronger alignment with the control expectations expressed in the Ultimate Guide to NHIs, where visibility, lifecycle discipline, and privilege reduction are foundational.
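The use cases listed above and the control placement described here (retrieval authorization during context assembly, then role, purpose and approval checks before a tool call executes) can be reduced to a small policy gate sitting above the application. The following is an added example written for this entry, not code from the page, any vendor or any framework; every knowledge-source name, tool name, role and business purpose in it is a constructed placeholder.

```python
"""Runtime policy gate sitting above the application layer.

Added example (not code from the page or any product): it applies a
retrieval allow-list during context assembly and a role/purpose/approval
check before a tool call executes. All source names, tool names, roles and
purposes below are constructed placeholders.
"""
from dataclasses import dataclass

# Knowledge sources permitted to contribute context (constructed names).
# Repositories that hold credential material are simply not listed.
RETRIEVAL_ALLOWLIST = frozenset({"kb-public-docs", "kb-support-playbooks"})

# Business purposes the orchestration layer recognises (constructed).
APPROVED_PURPOSES = frozenset({"customer-followup", "month-end-close"})

# Per-tool policy: roles in scope and whether a human must approve first.
# Drafting is side-effect free; sending, ticketing and posting are gated.
TOOL_POLICY = {
    "draft_reply":  {"roles": {"support", "finance"}, "needs_approval": False},
    "send_email":   {"roles": {"support"},            "needs_approval": True},
    "open_ticket":  {"roles": {"support"},            "needs_approval": True},
    "post_journal": {"roles": {"finance"},            "needs_approval": True},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def filter_retrieval(requested_sources):
    """Split requested sources into those the allow-list admits and those it blocks."""
    admitted = [s for s in requested_sources if s in RETRIEVAL_ALLOWLIST]
    blocked = [s for s in requested_sources if s not in RETRIEVAL_ALLOWLIST]
    return admitted, blocked


def gate_tool_call(tool, role, purpose, approval_granted=False):
    """Decide whether the agent may execute `tool` right now.

    Checks run in order: tool is registered, caller role is in scope, stated
    purpose is approved, and explicit approval is present where required.
    """
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return Decision(False, f"tool {tool!r} is not registered")
    if role not in policy["roles"]:
        return Decision(False, f"role {role!r} is outside scope for {tool!r}")
    if purpose not in APPROVED_PURPOSES:
        return Decision(False, f"purpose {purpose!r} is not an approved business purpose")
    if policy["needs_approval"] and not approval_granted:
        return Decision(False, f"{tool!r} requires explicit approval before execution")
    return Decision(True, "allowed")


def handle_agent_request(request):
    """Run one agent request through both gates and return an audit record.

    `request` is a constructed dict: {"sources": [...], "tool": str,
    "role": str, "purpose": str, "approval_granted": bool}.
    """
    admitted, blocked = filter_retrieval(request.get("sources", []))
    decision = gate_tool_call(
        request["tool"], request["role"], request["purpose"],
        request.get("approval_granted", False),
    )
    # The record is what a monitoring pipeline would ingest for the full
    # request path: which context was used, which was dropped, and why the
    # action was or was not allowed.
    return {
        "context_used": admitted,
        "context_blocked": blocked,
        "tool": request["tool"],
        "allowed": decision.allowed,
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # Constructed requests: a copilot drafting a reply, then trying to send
    # without approval, then a support role reaching for a finance-only tool.
    for req in (
        {"sources": ["kb-public-docs", "git-infra-secrets"], "tool": "draft_reply",
         "role": "support", "purpose": "customer-followup"},
        {"sources": ["kb-support-playbooks"], "tool": "send_email",
         "role": "support", "purpose": "customer-followup"},
        {"sources": [], "tool": "post_journal",
         "role": "support", "purpose": "month-end-close"},
    ):
        print(handle_agent_request(req))
```

The point of the design is that both gates run in the orchestration layer, after the application has started and before the model sees context or a tool acts; the audit record returned by `handle_agent_request` is the artefact that lets the full request path be monitored rather than just the front end.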
Organisations typically recognise the need for Shift Up only after an agent has leaked data, misrouted a tool call, or executed an unauthorised action; at that point the concept stops being optional and becomes an operational requirement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Covers prompt, tool, and orchestration risks in agentic AI systems. |
| NIST CSF 2.0 | GV.OC-01 | Frames security governance as part of system context and operational objectives. |
| NIST AI RMF | | Supports managing AI risks across design, deployment, and ongoing operation. |
Move controls into prompts, tool routing, and runtime policy before agents can act.