Use different controls for each stage. Experimentation can be limited and sandboxed, but production AI use should require documented ownership, approved data access, audit logging, and scheduled review. The key test is whether the workflow can affect a customer, a record, or a business decision without a human control point.
Why This Matters for Security Teams
Experimentation and production often run on the same cloud accounts, secrets stores, and data sets, which turns a temporary test into an untracked production dependency. That is why organisations need a hard separation between exploratory use and governed use, not just a policy statement. NHI governance becomes material when a model, agent, or script can reach customer data, systems of record, or decision workflows without a control point. The risk pattern is visible in NHIMG research such as the Top 10 NHI Issues and the Regulatory and Audit Perspectives section of the Ultimate Guide to NHIs, where ownership and traceability are recurring failure points.
For security teams, the real problem is not whether AI is being tested. The problem is whether a test environment can quietly inherit production access, production prompts, or production outputs. That creates audit ambiguity, weakens incident containment, and makes it hard to prove which behaviour was approved and which was incidental. Guidance from the NIST Cybersecurity Framework 2.0 supports clear governance boundaries, but the operational test is simpler: if the workflow can change a record, trigger an action, or influence a decision, it should no longer be treated as experimentation. In practice, many security teams discover that “pilot” systems already have production reach only after a sensitive action has been taken.
How It Works in Practice
Separation works best when experimentation and production are treated as different trust zones with different identities, data scopes, and approval paths. Experimental environments should be deliberately constrained: synthetic or masked data, no standing access to production systems, tightly scoped secrets, and time-bounded credentials that expire when the test ends. Production use, by contrast, should require a named owner, approved data access, logging, and scheduled review. Current guidance suggests that the boundary should be enforced technically, not just through policy language.
Practitioners usually combine four controls:
- Distinct identities for test and production workloads, so an experimental agent cannot reuse the same token or service account.
- Just-in-time access for production tasks, with short-lived credentials and explicit revocation after completion.
- Policy checks at request time, so high-risk actions are evaluated against context rather than approved once and inherited forever.
- Logging that captures prompt, tool use, data access, and human approval where a business effect is possible.
This distinction is especially important for AI systems that can chain tools or move laterally across APIs. The DeepSeek breach and the NHIMG article LLMjacking: How Attackers Hijack AI Using Compromised NHIs show how quickly exposed credentials and weak separation become an access problem, not just a model-risk issue. This aligns with identity-first guidance in the NIST Cybersecurity Framework 2.0, especially where access and recovery need to be independently verifiable. These controls tend to break down when experimentation is run inside the same cloud subscription, secrets manager, and data lake as production, because inherited trust makes separation hard to prove.
Common Variations and Edge Cases
Tighter separation often increases delivery friction, requiring organisations to balance speed of experimentation against the overhead of approvals, identity provisioning, and data handling. That tradeoff is real, especially when teams want rapid iteration on prompts, agents, or retrieval pipelines. Best practice is evolving, but there is no universal standard for how much production-like access a sandbox should have. The safer pattern is to grant realism in the test environment through synthetic data and simulated services, not through direct production connections.
Edge cases usually appear when a proof of concept becomes a pilot before governance has caught up. Shared infrastructure, copied secrets, and ad hoc exceptions are the main failure modes. Another common exception is read-only access, which still matters if the system can exfiltrate sensitive data or use it to shape downstream decisions. NHIMG’s Lifecycle Processes for Managing NHIs is useful here because lifecycle control is what prevents temporary experimentation from becoming permanent access. For production ai, documented ownership and periodic review are non-negotiable; for experimentation, the goal is to make failure cheap, contained, and non-reusable. In practice, teams get this wrong when a test account survives long enough to become the de facto production identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Separating test and prod identities reduces credential reuse and standing access. |
| CSA MAESTRO | MAESTRO addresses governance boundaries and runtime controls for agentic systems. | |
| NIST AI RMF | AI RMF focuses on governing risk when AI can affect business outcomes. |
Use distinct short-lived identities for experiments and revoke any credential not tied to production approval.
Related resources from NHI Mgmt Group
- How should organisations measure trust across AI use cases, agents, and models?
- When should organisations block a shared AI agent from production use?
- When should organisations block a generative AI tool from production use?
- Should organisations delay AI agent production use until NHI controls improve?
