Subscribe to the Non-Human & AI Identity Journal

Who is accountable when an embedded AI feature changes a vendor risk profile?

The vendor may implement the feature, but the buying organisation remains accountable for the risk it accepts. That means procurement, security, legal, and GRC need explicit ownership for monitoring changes, documenting exceptions, and deciding when a new feature requires a fresh assurance review.

Why This Matters for Security Teams

An embedded ai feature can change how data is processed, where prompts and outputs flow, and which third parties can influence the service. That means the risk is not limited to the feature itself. It can alter data retention, model behaviour, access paths, and incident response expectations. Under NIST Cybersecurity Framework 2.0, this is a governance and risk ownership issue, not just a procurement note. NHIMG’s research on the OWASP NHI Top 10 also shows how quickly AI-enabled systems expand the attack surface when identity, secrets, and tool access are not explicitly controlled.

The practical challenge is that vendor release notes often describe a feature as “enhanced AI” without clarifying whether it introduces new training data use, external inference calls, or hidden integrations. Security teams need a change trigger that is stronger than version numbers alone. In practice, many organisations discover a vendor risk increase only after a new AI capability is already in production and users have begun sending sensitive data through it.

How It Works in Practice

Accountability should be split by decision type, not by who wrote the code. The vendor is accountable for the feature’s design, transparency, and control evidence. The buying organisation is accountable for the risk it accepts, including whether the feature is permitted, restricted, monitored, or rejected. This aligns with the control logic in NIST SP 800-53 Rev. 5 Security and Privacy Controls, where system changes and supplier dependencies must be governed through defined oversight processes.

A workable process usually includes four steps:

  • Classify the feature as a material change if it adds AI inference, external data sharing, autonomous actions, or new secrets access.
  • Re-run supplier assurance on the changed capability, not the whole vendor relationship only.
  • Update data protection, logging, and user notice requirements before enabling the feature.
  • Assign a named risk owner who can approve, defer, or block use when evidence is incomplete.

This is where NHIMG’s Top 10 NHI Issues becomes relevant: many AI features depend on service identities, API keys, or delegated tokens that are easy to overlook during vendor review. If the feature can call other tools, it may also inherit privilege from adjacent systems, which is an access-control issue as much as a procurement issue. The right question is not “Did the vendor add AI?” but “Did the change alter our exposure, trust boundary, or evidence standard?” These controls tend to break down when procurement approves feature rollout without security sign-off because the feature is treated as functionality, not a risk change.

Common Variations and Edge Cases

Tighter approval gates often slow adoption, so organisations have to balance speed against assurance. That tradeoff becomes sharper when an embedded AI feature looks low-risk on paper but can still process customer data, generate recommendations, or trigger downstream actions.

There is no universal standard for when every AI enhancement requires a full re-assessment. Current guidance suggests using risk thresholds tied to data sensitivity, autonomy, and integration depth. A cosmetic interface helper may justify a lightweight review, while a feature that accesses internal files, sends prompts to a third party, or acts through delegated credentials should trigger deeper scrutiny. This is especially important where AI features intersect with DeepSeek breach-style concerns about exposed secrets, training data leakage, and uncontrolled data persistence.

Edge cases also appear in regulated or shared environments. In multi-tenant SaaS, the buyer may not control model updates directly, so accountability depends on contract language, audit rights, and documented acceptance of residual risk. In agentic workflows, the issue expands further because the AI feature may not just suggest actions but execute them, making ownership shared across security, legal, GRC, and the business function that enabled the integration. The real failure mode is treating vendor assurance as a one-time checkbox instead of a continuous change-management obligation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 Vendor AI feature changes require ongoing governance and risk oversight.
NIST AI RMF GOVERN AI governance covers accountability for changed model behavior and oversight.
OWASP Agentic AI Top 10 A2 Agentic features can expand tool access and create new abuse paths.
OWASP Non-Human Identity Top 10 NHI-02 Embedded AI features often rely on service identities and secrets.

Treat AI feature changes as identity and secrets governance events, not just product updates.