A policy decision that determines whether a field, table, or relationship should be visible to machine agents. It separates data intended for copilot use from internal or noisy fields that would confuse inference, waste tokens, or distort answers.
Expanded Definition
AI-exposability is the policy choice that decides which fields, tables, and relationships are appropriate for machine agents to see during retrieval, planning, or tool use. It is not just access control, because the question is not only who can read the data, but whether the data should be surfaced to an agent at all. In practice, AI-exposability sits between data classification, least privilege, and prompt or context engineering, and it helps separate copilot-ready records from internal metadata, stale values, and noisy joins that can distort model output. This concept is still evolving across vendors, so organisations often define it differently across application layers, data platforms, and agent orchestration stacks. The clearest operational anchor is to align it with data minimisation and purpose limitation, as reflected in guidance such as the NIST AI Risk Management Framework. The most common misapplication is treating every accessible field as AI-safe, which occurs when teams expose raw schemas to agents without filtering for sensitivity, relevance, or inference quality.
Examples and Use Cases
Implementing AI-exposability rigorously often introduces a visibility constraint, requiring organisations to weigh answer quality against the risk of leaking irrelevant or sensitive context.
- A customer support agent can see case status and product entitlements, but not internal fraud-review notes or analyst-only escalation flags.
- A finance copilot can read invoice totals and vendor names, while excluding bank routing fields and attachment metadata that are not needed for a summary.
- A developer assistant can inspect API endpoint names and error codes, but not embedded secrets, staging credentials, or abandoned test tables, a lesson echoed in the State of Secrets in AppSec research.
- An operations agent can query service health metrics while excluding raw log payloads that contain personal data or verbose exception traces.
- A knowledge assistant can retrieve approved policy documents, but not draft repositories or relationship edges that reveal internal org structures.
These patterns also show up in real-world compromise analysis, including the DeepSeek breach discussion and the LLMjacking: How Attackers Hijack AI Using Compromised NHIs research, where exposed context and credentials can become attack surface rather than intelligence.
Why It Matters in NHI Security
AI-exposability matters because an agent does not need full database access to cause harm. If the exposed context includes secrets, sensitive relationships, or misleading internal fields, the agent can recommend unsafe actions, reconstruct hidden information, or amplify a compromised NHI into broader access. NHIMG research shows the average time to remediate a leaked secret is 27 days, even while 75% of organisations report strong confidence in their secrets management capabilities, which underscores how quickly AI exposure can outpace human review. That is why exposed context should be treated as an operational control, not a convenience setting. It supports governance by reducing token waste, limiting hallucination triggers, and preventing agents from learning patterns that should stay internal. The same logic applies in security operations and developer tooling, where overly broad context windows make retrieval less precise and incident response harder to contain. Organisations typically encounter the cost of weak AI-exposability only after an agent has surfaced a secret, disclosed restricted data, or taken a mistaken action based on irrelevant context, at which point the policy becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Controls secret exposure and overbroad context surfacing to agents. |
| NIST AI RMF | Frames data minimization and context governance for AI systems. | |
| OWASP Agentic AI Top 10 | Agentic systems require constrained tool and context exposure to reduce misuse. |
Limit agent-visible data to the minimum needed and exclude secrets from retrieval and tool context.