Subscribe to the Non-Human & AI Identity Journal

What do organisations get wrong about AI-enabled third-party apps?

Many teams focus on the AI tool itself and miss the integrations attached to it. AI-enabled apps can pull data into supplier environments, expand consent scopes, and create new retention and audit gaps. Organisations need to review app permissions as part of their identity and data governance programme, especially where tenant-wide consent is already in place.

Why This Matters for Security Teams

AI-enabled third-party apps are often approved as productivity tools, but the real risk sits in the connections they establish: delegated access, API tokens, tenant-wide consent, and downstream data sharing. Once those permissions exist, the app may operate with far broader reach than the end user understands. That creates exposure across identity governance, data handling, and incident response, especially when the organisation assumes the vendor’s AI layer is a closed system.

The common mistake is treating the app as a software purchase instead of an ongoing identity relationship. Security teams need to ask what the app can read, write, retain, and transmit, and whether those permissions are constrained by purpose. Guidance from the OWASP Non-Human Identity Top 10 is useful here because many AI-enabled apps rely on machine credentials and service-to-service trust that are never reviewed after installation. In practice, many security teams encounter the permission problem only after data has already been indexed, exported, or shared outside the intended control boundary.

How It Works in Practice

AI-enabled third-party apps usually connect through OAuth consent, service accounts, application tokens, or marketplace integrations. The risk is not limited to malicious behaviour. Even legitimate apps can over-collect data, store prompts and outputs in supplier environments, or trigger cross-tenant data movement that was never intended by the business owner. If the app supports agentic actions, the scope expands further because the software may take actions on behalf of a user without a human approving each step.

Practitioners should review these controls as part of onboarding and periodic recertification:

  • What data the app can access, including mail, files, chat, tickets, and CRM records
  • Whether consent is user-level or tenant-wide, and who can grant it
  • Whether the app uses persistent credentials, refresh tokens, or service identities
  • What retention, training, or secondary-use terms apply to prompts and outputs
  • How logs, audits, and eDiscovery evidence are preserved

For identity governance, the key question is whether access is proportionate to the business use case. For data governance, the key question is whether the app can retain or repurpose content beyond the organisation’s policy. For operational security, the key question is whether the app is monitored like any other privileged integration. NIST’s AI Risk Management Framework is helpful for mapping governance, measurement, and oversight to these decisions, while the CISA Known Exploited Vulnerabilities Catalog is a reminder that third-party risk is not only about permissions but also about the supplier’s attack surface.

Where this breaks down is in environments with broad admin consent, weak application inventories, and no separation between personal productivity tools and business-authorised integrations.

Common Variations and Edge Cases

Tighter approval and monitoring often increases friction for business users, requiring organisations to balance convenience against data minimisation and traceability.

There is no universal standard for this yet, especially where AI features are embedded in common SaaS tools rather than sold as standalone AI products. That makes the edge cases important. A collaboration app with built-in summarisation may appear low risk, but if it has mailbox access, meeting transcript access, or cross-app connectors, its practical exposure can rival a dedicated AI service.

Other common exceptions include internal apps built by developers, where service identities are created quickly and never revisited, and partner apps used in regulated workflows where retention and audit requirements are stricter than the product defaults. Organisations should also distinguish between read-only enrichment tools and apps that can modify records, send messages, or trigger workflows. Those action permissions materially change the risk profile.

Best practice is evolving, but a practical rule is to treat every AI-enabled integration as both a data processor and a non-human identity. That means reviewing consent scope, token lifetime, revocation paths, logging, and supplier terms together rather than as separate reviews. This is especially important when the app sits inside an identity platform or has permission to act across multiple tenants, because the blast radius can exceed what a standard SaaS review typically captures.

For broader context on non-human identity controls, the OWASP Non-Human Identity Top 10 is a strong baseline for thinking about machine access, credential lifecycle, and trust boundaries.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 AI apps often rely on machine credentials and service trust that must be governed.
NIST AI RMF AI app governance needs risk management across data, outputs, and oversight.
NIST CSF 2.0 PR.AA Third-party app access and consent need identity and access governance controls.

Classify app access, review permissions, and enforce least privilege on every integration.