They treat the product as the whole problem and miss the exposed runtime context. If the system can reach privileged secrets or internal networks, then the remediation scope includes access paths, credential rotation, and asset exposure, not just the version upgrade.
Why This Matters for Security Teams
AI application platforms are often patched as if they were ordinary software packages, but the real risk sits in the runtime around the platform: secrets, service accounts, tool connectors, and network reach. A version upgrade may close one bug while leaving the agent or application still able to call internal APIs, read cached credentials, or pivot into production systems. That is why patching must be treated as exposure reduction, not just software maintenance.
This is especially important when platform components can access high-value secrets or enterprise data paths. NHIMG research on The State of Secrets in AppSec shows leaked secrets can take an average of 27 days to remediate, even though many organisations believe their secrets management is strong. That gap matters because AI platforms frequently use short-lived build-time controls, but keep long-lived runtime credentials. Current guidance from NIST Cybersecurity Framework 2.0 supports treating this as an asset, identity, and exposure problem, not only a patching problem.
Security teams usually discover the difference after an exploit chain uses the patched platform as a foothold into unpatched access paths, rather than during the patch window itself.
How It Works in Practice
Effective remediation starts with a full inventory of what the AI application platform can touch. That includes model endpoints, plugin or tool integrations, orchestration layers, message queues, secrets stores, CI/CD systems, and internal service networks. If the platform uses a runtime identity, that identity should be reviewed alongside the patch, because the new version may preserve the same reach unless access is deliberately reduced.
Practitioners should think in terms of blast radius. If a platform can retrieve secrets, then rotating those secrets is part of patching. If it can invoke internal tools, then those integrations need reauthorization. If it caches tokens or API keys, then the cache, the associated permissions, and the token TTL all matter. NHIMG’s Ultimate Guide to NHIs – The NHI Market is useful here because it frames non-human access as a governed identity problem rather than a passive application setting.
- Patch the platform and reassess what secrets or tokens it can still reach.
- Rotate credentials when the platform had access to privileged data or internal systems.
- Revoke unused integrations, callbacks, and connector scopes before restoring service.
- Verify network segmentation, outbound egress, and service-to-service permissions after upgrade.
- Confirm that logging and alerting cover token use, secret access, and unusual tool calls.
For controls and architecture, security teams should align patching with NIST Cybersecurity Framework 2.0 and evaluate whether platform access should be constrained through policy, not just versioning. Where AI applications use autonomous tool execution, the best practice is evolving toward least-privilege runtime identity and just-in-time access. These controls tend to break down when patching is done through a shared admin account because the same credential can survive the upgrade and preserve risky access paths.
Common Variations and Edge Cases
Tighter patching and rotation often increase operational overhead, requiring organisations to balance speed of remediation against service continuity and integration complexity. That tradeoff becomes sharper in AI platforms with frequent model updates, ephemeral environments, and multiple downstream tools.
There is no universal standard for this yet, but current guidance suggests treating the following cases differently:
- Public-facing AI apps: patch quickly, then rotate exposed credentials even if no compromise is confirmed.
- Internal copilots with broad tool access: prioritise access reduction first, because the main risk is lateral movement.
- Multi-tenant platforms: isolate tenant secrets and verify that one tenant’s patch does not reset protections for others.
- Self-hosted model stacks: include container images, orchestration policy, and service account scope in the patch plan.
Where teams go wrong is assuming that a clean vulnerability scan means the platform is safe to reconnect. If the application can still reach production secrets, internal APIs, or automation tooling, the issue is unresolved. The DeepSeek breach is a reminder that exposed data paths and embedded secrets can turn a platform flaw into a much broader incident. In practice, patching breaks down most often in environments with shared credentials, flat networks, and no clear owner for runtime identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Patch scope must include credential rotation and secret exposure remediation. |
| NIST CSF 2.0 | PR.AC-4 | Platform access must be reduced when patching exposed runtime paths. |
| NIST AI RMF | AI RMF supports managing runtime risk, not only software defects. |
Inventory NHI secrets tied to the platform and rotate or revoke them during remediation.