Subscribe to the Non-Human & AI Identity Journal

How should security teams govern AI assistants that can make infrastructure changes?

Treat the assistant as a privileged non-human identity with narrowly scoped write permissions, explicit ownership, and mandatory approval for every state-changing action. The approval step must be enforced in the execution path, not just described in policy. Teams should also log the full request, proposed plan, and resulting artefacts for auditability.

Why This Matters for Security Teams

AI assistants that can change infrastructure are not just chat interfaces with convenient tooling. Once they can create resources, modify policies, or trigger deployments, they become privileged non-human identities that need the same discipline applied to service accounts, pipelines, and admin automation. The difference is that an assistant’s behavior is goal-driven and variable, so static role assignments often grant more access than the task truly needs.

This is why the control problem is closer to non-human identity governance than to conventional help desk automation. The security team has to define who owns the assistant, what changes it may attempt, and which actions must stop for human approval before execution. Guidance in NIST Cybersecurity Framework 2.0 and NHIMG’s Top 10 NHI Issues both point to the same operational reality: identity, authorization, and auditability must be explicit before automation is allowed to act.

In practice, many security teams discover over-permissioned assistants only after a failed change, an accidental outage, or a prompt-injection path has already exercised write access.

How It Works in Practice

Governance should start with workload identity, not just application login. The assistant should authenticate as a distinct NHI, with cryptographic proof of what it is and what environment it is operating in. For agentic systems, current guidance suggests short-lived credentials, runtime policy evaluation, and an approval gate enforced inside the execution path, not as a workflow note that humans can bypass. That is consistent with the lifecycle discipline described in NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.

A practical control pattern looks like this:

  • Issue a narrowly scoped identity to the assistant for one task, one environment, and one time window.
  • Use policy-as-code to decide whether a proposed infrastructure change is allowed at request time.
  • Require human approval for any state-changing action that crosses a defined risk threshold.
  • Log the prompt, the tool call, the proposed plan, the approval record, and the resulting artefacts.
  • Revoke secrets and tokens as soon as the task completes.

This is especially important because AI assistants can chain tools in ways that are not obvious during design review. Once an assistant can read state, generate a plan, and execute changes, it may discover alternate routes around intended guardrails unless the authorization decision is evaluated on the exact action being attempted. The audit perspective in NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because it frames evidence collection as an operational control, not a paperwork exercise. These controls tend to break down when infrastructure is mutated through multiple indirect tool hops, because the final state change is detached from the original user request.

Common Variations and Edge Cases

Tighter approval controls often slow down delivery, so teams have to balance change velocity against blast-radius reduction. There is no universal standard for which actions require mandatory approval, but best practice is evolving toward tiered thresholds based on environment sensitivity, change scope, and rollback risk.

One common edge case is read-only assistants that later gain write capability through new tool integrations. Another is delegated operations in multi-agent workflows, where one agent drafts a plan and a second agent executes it. Those handoffs can hide privilege escalation if the execution identity is broader than the planning identity. NHIMG’s research on the DeepSeek breach shows how exposed credentials and data can combine into a much larger security problem once AI systems touch sensitive back-end assets.

Teams should also watch for emergency break-glass access, because temporary exceptions tend to become permanent unless they are time-boxed and reviewed. The right operating model is a narrow default, explicit exception handling, and continuous review of every assistant that can alter infrastructure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Addresses over-permissioned autonomous agents and unsafe tool execution.
CSA MAESTRO GOV-02 Covers governance and approval for agentic actions that affect production systems.
NIST AI RMF Supports governance, accountability, and ongoing measurement for AI-assisted decision making.

Limit agent tools and require runtime checks before any infrastructure-changing action.