Subscribe to the Non-Human & AI Identity Journal

How should security teams govern custom GPTs that can call external systems?

Treat each custom GPT as a non-human identity with an owner, a narrow purpose, and a bounded set of credentials. Inventory the GPT, restrict its sharing, scope its actions to the minimum necessary API surface, and revoke it when the business need ends. If the GPT can perform real work, it needs identity governance, not just content review.

Why This Matters for Security Teams

Custom GPTs that can call external systems are not just chat experiences. They are autonomous or semi-autonomous workloads that can take actions, chain tool calls, and move data across trust boundaries. That changes the control objective from content safety to identity governance, because the real risk is what the GPT is allowed to do once a prompt is accepted.

Security teams often underestimate how quickly a well-intentioned GPT becomes an operational actor. If it can reach ticketing, code repositories, payment systems, or cloud APIs, then its access must be treated like any other NHI with an owner, purpose, and revocation path. NHI Management Group’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs ties this directly to lifecycle control, while NIST Cybersecurity Framework 2.0 reinforces the need for asset visibility, access control, and ongoing governance.

NHIMG research shows why this matters operationally: 97% of NHIs carry excessive privileges, and 71% are not rotated within recommended time frames. Those numbers are especially dangerous when the identity is embedded inside a GPT that may be shared broadly or reused across projects. In practice, many security teams discover the blast radius only after the GPT has already been connected to production systems.

How It Works in Practice

Governance starts by assigning each custom GPT a named business owner, a documented purpose, and an inventory record that includes every connected tool, API, and secret. The GPT should be treated as a workload identity, not as a user account with a conversational interface. Best practice is evolving toward runtime authorization, where the GPT is allowed to act only within the current task context, rather than through broad static permissions.

That typically means three layers of control. First, issue short-lived credentials or scoped tokens per task instead of embedding long-lived secrets. Second, constrain the GPT to a minimal API surface, ideally with separate credentials for read and write actions. Third, evaluate each request against policy at runtime, using policy-as-code and explicit approval paths for sensitive actions. The Top 10 NHI Issues is a useful reference for the recurring failure patterns that show up when these controls are missing.

  • Inventory the GPT as a distinct NHI and track its owner, purpose, and connected systems.
  • Bind tool access to the narrowest possible scope, not the broadest API key available.
  • Use short-lived tokens, ephemeral secrets, and automatic revocation on completion or inactivity.
  • Log every tool call, approval, and token issuance for review and incident response.
  • Review sharing settings, because a shared GPT can silently become a shared privilege boundary.

For implementation detail, teams are increasingly mapping this to zero trust and workload identity patterns rather than human IAM patterns. Current guidance suggests using cryptographic identity for the workload, then layering context-aware authorization on top of it. These controls tend to break down in highly dynamic environments where the GPT can spawn multiple tool calls in sequence and the underlying business process changes faster than the policy model.

Common Variations and Edge Cases

Tighter controls often increase operational overhead, requiring organisations to balance developer convenience against blast-radius reduction. That tradeoff is most visible when teams want one GPT to serve many users, departments, or environments. In those cases, shared access can create ambiguous ownership and make revocation nearly impossible without disrupting legitimate work.

There is no universal standard for this yet, but current guidance suggests treating shared GPTs as higher-risk NHIs and requiring stronger guardrails: separate identities per environment, explicit approval for external writes, and periodic review of connected tools. The challenge becomes even sharper when the GPT can act through third-party OAuth apps, because third-party visibility is often incomplete. The State of Non-Human Identity Security shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which makes over-scoping easy to miss.

For agentic or tool-using GPTs, the important question is not whether the model is “trusted,” but whether each action is independently authorized. If the GPT can trigger purchases, deploy code, or modify records, then human review alone is not sufficient control. Lifecycle offboarding, credential rotation, and tool revocation must be part of the design, not a cleanup task after deployment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A3 Custom GPTs with tools are agentic workloads that need scoped action controls.
CSA MAESTRO AI-03 MAESTRO addresses governance for autonomous AI systems connecting to external tools.
NIST AI RMF AI RMF applies to accountable oversight of AI systems that act across trust boundaries.

Establish governance, measure runtime risk, and document controls for external actions.