AI routing is the practice of directing prompts or tasks to different models or environments based on risk, cost, purpose, or policy. It is a governance control as much as an optimisation technique because it determines where sensitive content can go and what guardrails apply.
Expanded Definition
AI routing describes the decision layer that sends prompts, tasks, or outputs to a specific model, tenant, toolchain, or execution environment based on policy, sensitivity, cost, latency, or capability. In NHI security, the routing decision is not just an efficiency choice. It determines which credentials, logs, guardrails, and data-handling rules are in play.
Definitions vary across vendors because some products route at the prompt level, while others route only after classification or risk scoring. NHI Management Group treats AI routing as a governance control when it constrains data movement, model exposure, and tool access. That aligns conceptually with the NIST Cybersecurity Framework 2.0, especially where security outcomes depend on access control, data governance, and monitoring. It also becomes relevant when organisations mix public models, private models, and agentic workflows in the same request path.
The most common misapplication is treating routing purely as a cost or performance optimisation: policy filters are skipped, and sensitive prompts end up on the cheapest available model, inheriting that model's logging, retention, and credential scope rather than the ones the data required.
Examples and Use Cases
Rigorous AI routing adds a classification step and a policy set that both need ongoing maintenance, so organisations trade stronger control over sensitive data for some added latency and operational tuning. The following patterns recur in practice:
- A support assistant routes low-risk billing questions to a low-cost model, but escalates account recovery requests to a hardened environment with stricter logging and approval rules.
- A developer copilot routes public code suggestions normally, while prompts containing secrets or customer identifiers are blocked or redirected to an internal model with tighter retention controls. The DeepSeek breach illustrates why the routing decision has to be made before content reaches a provider, not after.
- An agentic workflow routes tool-using tasks only to models approved for function calling, while narrative summarisation tasks remain on a separate path with no external tool access.
- A financial services team routes high-impact decisions to a human-reviewed environment, while routine drafting is handled by a less privileged model pathway to reduce blast radius.
- A security team uses the same routing policy to send regulated data to a private deployment and non-sensitive queries to a public service, maintaining separate audit trails for each.
In practice, AI routing is easiest to justify when it preserves user experience without creating accidental data crossover between environments.
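The patterns above reduce to a small policy engine: classify the request, choose the least-exposed path, bind that path to its own non-human identity, and keep a separate audit trail per path. The Python sketch below is an added illustration of that engine; it is not code from the page or from NHI Management Group. The route names, model identifiers, credential handles (secret-store references, never secrets), and the secret and customer-identifier patterns are all constructed assumptions, and in a real deployment the classifier would call a secrets scanner and a DLP service rather than a few regular expressions.

```python
"""Added example (not from the original page or NHI Management Group): a
minimal sensitivity-based AI router in which every execution path is bound to
its own non-human identity. Route names, model identifiers, credential handles
and the detection patterns are illustrative assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    model: str            # assumed model identifier
    credential_ref: str   # assumed secret-store handle, never the secret itself
    allows_tools: bool
    retention_days: int
    human_review: bool = False


# One NHI per path: a handle bound here must not be presented on any other path.
ROUTES = {
    "public_low_cost":  Route("public_low_cost", "vendor-small", "nhi/public-api-key", False, 30),
    "internal_private": Route("internal_private", "private-llm", "nhi/private-sa", False, 1),
    "agentic_tools":    Route("agentic_tools", "private-llm-tools", "nhi/agent-token", True, 1),
    "human_reviewed":   Route("human_reviewed", "private-llm", "nhi/review-queue", False, 1, True),
}

# Constructed detection patterns; a real deployment would call a secrets
# scanner and a DLP classifier here.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                               # AWS access key id shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*\S+"),
]
CUSTOMER_ID = re.compile(r"\bCUST-\d{6}\b")                        # assumed customer id format


@dataclass
class Decision:
    route: str | None
    reason: str
    blocked: bool = False


class RoutingError(Exception):
    """Raised when a request would cross the boundary its path defines."""


def classify(prompt: str, needs_tools: bool = False, high_impact: bool = False) -> Decision:
    """Pick the least-exposed path for a request, or block it outright."""
    if any(p.search(prompt) for p in SECRET_PATTERNS):
        # Block rather than redirect: forwarding would still write the secret
        # into some model path's logs.
        return Decision(None, "secret material in prompt", blocked=True)
    if high_impact:
        # High impact wins over tool use; dispatch() refuses the tool call
        # instead of quietly escalating to a more privileged path.
        return Decision("human_reviewed", "high-impact decision")
    if needs_tools:
        return Decision("agentic_tools", "tool use required")
    if CUSTOMER_ID.search(prompt):
        return Decision("internal_private", "customer identifier present")
    return Decision("public_low_cost", "no sensitivity markers")


# Separate audit trail per path, plus one for blocked requests.
AUDIT: dict[str, list[dict]] = {name: [] for name in [*ROUTES, "blocked"]}


def dispatch(prompt: str, *, needs_tools: bool = False, high_impact: bool = False,
             presented_credential: str | None = None) -> Decision:
    """Classify, enforce the per-path NHI binding, and record the audit entry.
    presented_credential is the secret-store handle the caller intends to use;
    it must be the one bound to the chosen path."""
    decision = classify(prompt, needs_tools, high_impact)
    if decision.blocked:
        AUDIT["blocked"].append({"reason": decision.reason})
        return decision
    route = ROUTES[decision.route]
    if presented_credential is not None and presented_credential != route.credential_ref:
        # One NHI serving several paths is exactly the crossover routing prevents.
        raise RoutingError(f"credential {presented_credential!r} is not bound to {route.name!r}")
    if needs_tools and not route.allows_tools:
        raise RoutingError(f"path {route.name!r} does not permit tool use")
    AUDIT[route.name].append({
        "model": route.model, "credential": route.credential_ref,
        "reason": decision.reason, "retention_days": route.retention_days,
        "human_review": route.human_review,
    })
    return decision


if __name__ == "__main__":
    for text, kw in [("How do I change my billing address?", {}),
                     ("Summarise the dispute history for CUST-123456", {}),
                     ("Open a ticket for the outage", {"needs_tools": True}),
                     ("deploy with api_key=sk-live-example", {})]:
        d = dispatch(text, **kw)
        print(d.route or "BLOCKED", "-", d.reason)
```

Two design choices carry the security point. Secrets are blocked rather than redirected, because any forwarding path would still log the prompt somewhere; and `dispatch()` refuses a credential that is not bound to the chosen path, so reusing one NHI across the public and private paths fails loudly instead of silently widening that credential's blast radius. A request that is refused leaves no entry in the path's audit trail, which keeps each trail an honest record of what that path actually processed.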
Why It Matters in NHI Security
AI routing matters because it is often the control point where NHI exposure begins. If prompts, connectors, or agent actions are routed into the wrong environment, the organisation can leak secrets, bypass policy, or create unauthorised model access. That risk is especially acute when service accounts, API keys, and delegated tokens are reused across multiple model paths. The DeepSeek breach is a reminder that routing and exposure decisions can become inseparable when sensitive data is already embedded in the workflow.
NHIMG research on LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases. That speed makes routing controls a security boundary, not just an architecture preference. Model selection, environment isolation, and secret hygiene therefore have to be aligned: if the path a request lands on carries broader credentials than the request needed, routing amplifies the impact of a compromised NHI instead of containing it. Organisations typically discover the need for AI routing only after a prompt leak, key compromise, or unauthorised model call, at which point the routing policy has to be reconstructed after the fact and fixed under pressure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 and the OWASP Agentic AI Top 10 describe the attack and risk surface, while NIST CSF 2.0 sets the governance and control outcomes practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | AI routing governs where NHI-backed prompts and tokens are allowed to execute. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Routing enforces least-privilege access boundaries by deciding which systems, and which credentials, may process a request. |
| OWASP Agentic AI Top 10 | A2 | Agentic systems need routing controls to restrict tool use and unsafe model escalation. |
Classify and route requests by sensitivity so each NHI uses the least-exposed execution path.