Subscribe to the Non-Human & AI Identity Journal

What should organisations check when a security vendor also uses general-purpose AI tools?

They should check whether those tools are isolated from customer protection workflows, whether data paths are separated, and whether humans or automated systems make the security decisions. The key question is not whether AI is used, but whether it changes the trust boundary for detection or response.

Why This Matters for Security Teams

When a security vendor uses general-purpose AI tools, the key issue is not novelty. It is whether those tools can see customer data, influence detection logic, or trigger response actions outside the intended trust boundary. That changes vendor risk from a procurement question into an operational one. Guidance from the NIST Cybersecurity Framework 2.0 still applies, but it has to be interpreted through data flow, decision authority, and containment.

Security teams should ask where prompts, model outputs, logs, and retraining data go, and whether any of those paths are shared with production customer workflows. This is especially important where AI is used for triage, summarisation, enrichment, or automated containment, because the vendor may be introducing a second control plane that is not obvious in the contract. NHIMG’s analysis of the Ultimate Guide to NHIs shows how quickly identity and access boundaries become fragile once tooling is layered into operational pipelines.

In practice, many security teams discover the AI risk only after a customer incident or an unexpected model-assisted action, rather than through deliberate vendor due diligence.

How It Works in Practice

The review should focus on three things: isolation, data separation, and decision authority. If the vendor uses general-purpose AI to assist analysts, summarise alerts, or draft remediation steps, ask whether the model is completely segregated from customer protection workflows or whether it can influence live containment decisions. If the answer is unclear, treat the AI path as part of the security control chain, not a harmless productivity layer.

A practical assessment usually looks like this:

  • Confirm whether customer data is sent to third-party model providers, retained, or used for training.
  • Check whether prompts and outputs are logged, and who can access those logs.
  • Determine whether humans approve actions or whether automated systems can close incidents, revoke access, or quarantine assets.
  • Verify whether the vendor can explain the model’s role in decisioning with change control and audit evidence.
  • Ask whether fallback modes exist if the AI tool fails, hallucinates, or returns incomplete context.

Where the vendor claims no live customer data is used, validate that claim against architecture, contracts, and operational practice. The point is not to ban AI, but to ensure it does not silently widen the trust boundary. NHIMG’s DeepSeek breach coverage and the Replit AI Tool Database Deletion case both show how quickly AI-assisted environments can cross from convenience into operational impact when tooling is connected too broadly.

These controls tend to break down in multi-tenant SOC platforms where AI is wired directly into enrichment, suppression, and auto-response because the vendor cannot cleanly separate advisory output from enforcement logic.

Common Variations and Edge Cases

Tighter AI isolation often increases vendor overhead and can reduce response speed, so organisations have to balance analyst efficiency against control assurance. That tradeoff becomes sharper when the vendor uses AI only for internal productivity versus when it is embedded in customer-facing detection or response.

Best practice is evolving for several edge cases. If AI is used only to draft human-reviewed notes, the risk is lower, but the organisation should still confirm that no customer secrets or case data are fed into external models. If the vendor uses retrieval-augmented generation over customer telemetry, the main concern is not just leakage but cross-tenant contamination or poisoned context. If automated actions are allowed, current guidance suggests a strict human-in-the-loop gate for high-impact changes such as account disablement, policy revocation, or host isolation.

There is no universal standard for this yet, but the safest buying posture is to treat any general-purpose AI component as part of the vendor’s security architecture and require explicit disclosures. That includes model provider names, data retention, training exclusions, subprocessors, and the exact point where a human stops approving and a machine starts deciding. NHIMG’s reporting on the Gemini CLI Breach is a reminder that even utility-layer AI can become a control-plane issue when execution authority is not tightly bounded.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A3 AI tools can alter decision paths and tool use in security operations.
CSA MAESTRO AI-04 Covers governance for AI-driven security workflows and control separation.
NIST AI RMF Supports risk mapping for AI use in security vendor operations.
OWASP Non-Human Identity Top 10 NHI-01 General-purpose AI often relies on service identities and secrets.
NIST CSF 2.0 PR.DS-1 Data separation is central when AI tools touch customer protection workflows.

Map every AI-assisted action to an approval boundary before it can affect customer protections.