The assistant can make legitimate-looking requests that exceed the user’s intended scope, especially when it can retrieve data, call APIs, or generate responses across sensitive systems. Without action-level policy checks, authentication becomes a weak proxy for authorisation. Teams lose the ability to prove that each AI-driven action stayed inside the approved boundary.
Why This Matters for Security Teams
Allowing an AI assistant to act on behalf of a user without policy checks turns authentication into a poor proxy for authorisation. The risky part is not just that the assistant has access, but that it can compose legitimate-looking actions across systems the user never intended to touch. That creates blind spots in approval, logging, and accountability, especially when actions span data retrieval, ticketing, code execution, or API calls.
This is why NHI governance has to consider both identity and action scope, not just login success. NHIMG’s Top 10 NHI Issues and the broader lifecycle guidance in the Ultimate Guide to NHIs both point to the same operational gap: standing credentials alone do not prove intent. NIST’s Cybersecurity Framework 2.0 reinforces the need for governed access decisions, but AI assistants introduce runtime behaviour that traditional access reviews do not capture. In practice, many security teams discover this only after an assistant has already touched a sensitive workflow or moved data outside the expected boundary.
How It Works in Practice
The failure mode is simple: the assistant inherits a user session, then uses that session to perform actions that were never explicitly approved at the action level. If the control plane only verifies that the user is authenticated, every downstream request can look legitimate, even when the assistant chains tools in ways the human would not have chosen. For that reason, current guidance suggests moving from identity-only checks to context-aware authorisation at runtime.
Practically, that means three layers of control:
- Define policy for the action, not just the account. The policy should state what the assistant may read, modify, export, or trigger.
- Evaluate the request at execution time, using context such as data sensitivity, destination system, task purpose, and whether the action is reversible.
- Issue short-lived, task-bound credentials where possible, then revoke them as soon as the task completes.
This is where workload identity becomes important. Standards such as SPIFFE/SPIRE and OIDC-based workload tokens help prove what the assistant is, while policy engines such as OPA or Cedar evaluate what it is trying to do. That pairing is more defensible than long-lived static secrets because the assistant’s behaviour is dynamic and often non-deterministic. The DeepSeek breach is a reminder that exposed or overbroad secrets can rapidly become a systemic exposure, not a single-account problem. OWASP’s agentic guidance also aligns with this approach because autonomous systems need runtime checks, not pre-approved trust. These controls tend to break down when an assistant can reach multiple SaaS platforms with inherited SSO tokens, because the policy boundary becomes fragmented across systems that do not share the same enforcement point.
Common Variations and Edge Cases
Tighter action-level control often increases engineering and user-experience overhead, requiring organisations to balance safety against workflow friction. That tradeoff is real, especially in environments where assistants must operate quickly or across many business applications.
There is no universal standard for this yet, so best practice is evolving. Some teams use step-up approval only for high-risk actions, while others require policy checks on every tool call. The right choice depends on how much damage a single mistaken action could cause. For example, read-only assistants may tolerate broader access than assistants that can approve payments, change records, or send externally visible messages.
Edge cases also matter. An assistant acting inside a single app may seem contained, but the risk increases when it can chain actions across email, storage, code repositories, and workflow automation. That is where the distinction between authentication and authorisation matters most. NIST’s identity and governance guidance helps frame the control objective, but agentic systems still need explicit runtime policy. In the absence of that, an approved user session can quietly become an unauditable delegation path. Teams should also watch for hidden privilege expansion through delegated tokens, cached credentials, or service accounts that outlive the task. The State of Secrets in AppSec research shows how fragmented secrets management compounds this problem, and the same pattern applies when assistants inherit broad, persistent access. Current guidance suggests treating any assistant that can initiate side effects as a workload that needs its own policy boundary.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Covers prompt and tool abuse when assistants act beyond intended scope. |
| CSA MAESTRO | GOVERN | Addresses governance for autonomous agents and delegated action scope. |
| NIST AI RMF | AI RMF applies to accountability and risk controls for autonomous AI behaviour. |
Gate every tool call with policy checks and limit assistant actions to approved tasks.
Related resources from NHI Mgmt Group
- How should security teams use AI in secret scanning without creating new blind spots?
- How should security teams monitor AI agent activity without disrupting developers?
- What breaks when AI tools can trigger identity actions without policy guardrails?
- What breaks when autonomous shopping agents are allowed to act without strong governance?
