Subscribe to the Non-Human & AI Identity Journal

How should security teams use AI without turning it into a control dependency?

Security teams should use AI for summarisation, correlation, and prioritisation, then keep containment in deterministic controls such as access policy, segmentation, and revocation. The key rule is that AI can recommend action, but it should not be the only mechanism that can stop exposure. That separation reduces false confidence and preserves auditability.

Why This Matters for Security Teams

AI is most useful in security operations when it reduces analyst load, improves pattern recognition, and helps teams decide what deserves attention first. The risk appears when organisations let AI become the mechanism that decides, blocks, or approves by itself. That creates a hidden dependency: if the model fails, drifts, or is bypassed, the control plane fails with it. NIST Cybersecurity Framework 2.0 remains a useful anchor for keeping that separation between decision support and control execution. NIST Cybersecurity Framework 2.0

The practical issue is not whether AI is accurate most of the time. It is whether the organisation can still contain risk when the model is wrong, unavailable, or manipulated. Security teams sometimes treat AI recommendations as if they were policy, then discover too late that the model had no grounding in access context, asset criticality, or business exception handling. Current guidance suggests using AI to support triage and investigation while keeping enforcement in deterministic systems such as identity policy, segmentation, and revocation logic. In practice, many security teams encounter AI control dependency only after an outage, a misclassification, or an attacker-driven prompt manipulation has already weakened containment.

How It Works in Practice

The safest operating model is a split between advisory AI and enforceable controls. AI can enrich alerts, group related events, summarise incidents, and propose next steps. Deterministic systems should still own the final action, such as denying access, quarantining a host, revoking a token, or requiring step-up authentication. This aligns with NIST CSF thinking on resilient control design, where detection and response support protective enforcement rather than replace it.

  • Use AI to prioritise alerts, not to grant access.
  • Require policy engines, identity systems, or orchestration rules to execute containment.
  • Keep human approval for high-impact actions until the model is proven reliable in that use case.
  • Log prompts, outputs, and downstream actions so decisions remain auditable.
  • Test the workflow for model outage, prompt injection, and bad recommendations.

Security teams should also define where AI sits in the incident lifecycle. It is well suited to first-pass correlation across SIEM, EDR, and cloud telemetry, and it can help analysts find likely root cause faster. But if the model becomes the only component that knows how to escalate, block, or notify, the organisation has replaced control depth with model confidence. For AI systems that are embedded in workflows, the OWASP Top 10 for Large Language Model Applications is useful for thinking about prompt injection, insecure output handling, and overreliance on model responses.

Operationally, teams should define a simple rule: AI may recommend, enrich, and sort, but non-AI control paths must still be able to enforce the same decision. That usually means access decisions remain in IAM or PAM policy, network actions remain in segmentation controls, and revocation remains in a trusted control plane. These controls tend to break down in highly automated environments where teams let the model trigger irreversible actions directly through loosely governed tool access because there is no stable fallback path when the model is wrong.

Common Variations and Edge Cases

Tighter AI control often increases workflow overhead, requiring organisations to balance speed against assurance. That tradeoff is especially visible in SOC automation, fraud review, and privileged access workflows, where full automation looks efficient until exception handling becomes the real bottleneck. Best practice is evolving here, and there is no universal standard for how much autonomy is appropriate for each use case.

For low-risk summarisation tasks, the acceptable dependency level is usually higher because the AI is not making a control decision. For identity-heavy or high-impact environments, such as privileged access approvals, token revocation, or production change response, the dependency threshold should be much lower. The stronger pattern is to treat AI as a decision aid inside a guarded workflow, not as the sole operator of that workflow. If the AI service is unavailable, the team should still be able to detect, contain, and recover using non-AI controls.

This becomes more complicated when organisations connect AI agents to tools with execution authority. In those cases, AI governance needs to include tool scope, approval gates, and rollback paths, especially where the agent can touch secrets, identity systems, or cloud controls. The OWASP guidance is helpful, but current guidance suggests it should be paired with explicit operational ownership, because technical guardrails alone do not prevent over-delegation. The cleanest implementations keep the model close to analysis and keep the control boundary outside the model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and MITRE ATLAS address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST AI 600-1 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM AI dependency is a governance and risk-management problem, not just a tooling choice.
OWASP Agentic AI Top 10 Agentic workflows can turn AI into an execution path if tool access is not constrained.
NIST AI RMF AI RMF directly addresses mapping AI capability to trustworthy, bounded use.
MITRE ATLAS AML.TA0001 Prompt manipulation and adversarial inputs can distort AI-driven security recommendations.
NIST AI 600-1 GenAI profiles help teams separate assistant functions from authoritative decisions.

Set AI use cases, risk tolerance, and fallback controls before allowing AI into operational decisions.