Organisations should check whether the AI is advisory, delegated, or directly authorised to act. They should also verify the data scope, logging, approval path, and rollback options for each security workflow. If any of those are unclear, the organisation has a governance gap, not just a technical integration issue.
Why This Matters for Security Teams
When AI starts influencing security actions, the risk is no longer just incorrect advice. The risk is that a model, agent, or automation path becomes trusted enough to suppress alerts, open access, or trigger response steps without the same scrutiny applied to a human operator. That makes the real question less about model quality and more about decision authority, data provenance, and recovery controls. Current guidance from the NIST Cybersecurity Framework 2.0 still applies, but organisations must translate it into AI-specific approval boundaries. In NHI terms, this is where insecure secrets, overbroad tokens, and weak logging become operationally dangerous rather than merely sloppy. The pattern is familiar in incidents tied to compromised identities and exposed credentials, as discussed in the state of non-human identity security and the LLMjacking research. In practice, many security teams encounter unsafe AI influence only after an automated decision has already changed access, routing, or containment behaviour.
How It Works in Practice
Organisations should treat AI in security workflows as one of three modes: advisory, delegated, or directly authorised. Advisory systems can recommend actions, but humans approve and execute. Delegated systems may act within bounded policy. Directly authorised systems perform actions on their own, which requires much stronger controls and a clear rollback path. The safest operating model is to define that mode explicitly per workflow, not globally.
Implementation usually breaks into four checks:
- Data scope: what telemetry, tickets, logs, or secrets the AI can read, and whether sensitive fields are masked before retrieval.
- Authority scope: what actions the AI can suggest, queue, or execute, and which actions require human approval.
- Evidence scope: what gets logged, including prompts, tool calls, policy decisions, and the identity used at runtime.
- Recovery scope: how to revoke access, revert a bad action, and preserve forensic evidence after an error.
This is where non-human identity discipline matters. Workflows should use short-lived credentials, strong workload identity, and policy checks at request time rather than static entitlements that assume predictable behaviour. Guidance from the NHI security community aligns with the findings in the state of non-human identity security: weak rotation, poor logging, and over-privilege are persistent failure modes. For runtime authorisation and identity binding, standards such as OWASP and the broader NIST model point toward context-aware decisions rather than pre-approved trust. These controls tend to break down when the AI can chain multiple tools across disconnected environments because each step inherits more privilege than the last.
Common Variations and Edge Cases
Tighter AI control often increases operational friction, requiring organisations to balance response speed against approval overhead. That tradeoff is unavoidable in security operations, especially where teams want automation but still need defensible decisions.
One common edge case is an assistant that starts as advisory and gradually gains tool access through informal exception handling. Current guidance suggests this should be treated as a governance change, not just a feature update. Another edge case is multi-agent or orchestration-heavy environments, where one agent recommends actions and another executes them. In those setups, accountability can blur unless each agent has its own workload identity, policy boundary, and log trail. This is especially important where secrets are passed between services, because a compromised token can turn a “helpful” security assistant into a lateral-movement path.
There is no universal standard for exactly when an AI decision becomes equivalent to a control plane action, so organisations should document thresholds themselves: what data the model may inspect, what thresholds trigger auto-action, and what requires human sign-off. The hardest cases are high-volume environments with weak change control, because emergency exceptions become normal operating practice before anyone notices the boundary has been crossed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AI influence over security actions depends on agent tool-use, authority, and runtime safeguards. | |
| CSA MAESTRO | MAESTRO addresses agent governance, orchestration risk, and control boundaries for AI-driven actions. | |
| NIST AI RMF | AI RMF supports governance, mapping, measurement, and management of AI decision risk. |
Classify each AI workflow by authority level and add approval, logging, and rollback controls before enabling action.
Related resources from NHI Mgmt Group
- What should organisations check before accelerating procurement of AI security controls?
- How can organisations avoid over-trusting AI in security operations?
- When should organisations restrict AI-driven automation in security operations?
- When should organisations trust AI recommendations in security operations?
