Subscribe to the Non-Human & AI Identity Journal

Assistant trust transitivity

A governance failure in which an AI assistant inherits trust from the services around it, such as browser navigation, whitelisted endpoints, or authenticated content sources. The assistant itself may not be privileged by design, but it becomes privileged in practice because surrounding systems are trusted.

Expanded Definition

Assistant trust transitivity describes a control gap where an AI assistant inherits authority from the environment around it rather than from an explicit trust decision. In practice, that environment may include a logged-in browser session, approved URLs, authenticated content feeds, shared workspace permissions, or runtime access to tools. The assistant can remain nominally unprivileged while still being able to act on sensitive data or perform high-impact operations because surrounding systems treat it as trusted. This is one reason the term matters in NHI governance: the identity risk is not only in the assistant itself, but in the trust boundary it crosses through delegation, navigation, and content handling.

Definitions vary across vendors and platform designs, but the core issue is consistent: trust assigned to a user session, application context, or network path is extended to an agentic system without revalidation. That differs from ordinary authentication, where the actor is explicitly verified, and from authorization, where access is deliberately scoped. For a standards-oriented view of access control and trust boundaries, NIST SP 800-53 Rev 5 Security and Privacy Controls remains a useful reference point for mapping privileges back to controlled access decisions. The most common misapplication is assuming an assistant is safe because it has no direct credentials, when the surrounding browser, session, or connector already carries the effective authority.

Examples and Use Cases

Implementing assistant controls rigorously often introduces friction, because every useful workflow must be balanced against the cost of breaking legitimate automation, shared sessions, or rapid operator productivity.

  • An assistant reads a finance dashboard inside an authenticated browser tab and summarizes balances, but it also follows embedded links into approval screens that were never meant for autonomous navigation.
  • An enterprise search assistant indexes documents from a whitelisted source, then uses that trusted source to answer questions that reveal restricted operational details, turning content trust into action trust.
  • A support copilot is connected to a ticketing system with delegated session rights, and it can close, reassign, or expose records because the user session already has those entitlements.
  • A browser-using agent visits an internal portal and inherits access from single sign-on state, which is safer only if the portal and session are both constrained by explicit policy. Guidance from NIST AI 600-1 GenAI Profile helps teams assess where generative systems need tighter operational controls.
  • NHIMG’s Ultimate Guide to NHIs is especially relevant where assistants are given indirect access to service accounts, secrets managers, or automation backplanes.

Why It Matters in NHI Security

Assistant trust transitivity is a governance problem because it turns ambient trust into unintended privilege amplification. Once an assistant can traverse trusted sessions, it may become a high-impact actor without ever receiving a discrete role assignment. That creates audit blind spots, weakens least privilege, and complicates incident response because the log trail often reflects a legitimate user context rather than a separate machine identity. This is especially dangerous where secrets, browser sessions, and API access converge.

NHIMG research shows the scale of the underlying NHI problem is already severe: 97% of NHIs carry excessive privileges, and 80% of identity breaches involve compromised non-human identities such as service accounts and API keys. Ultimate Guide to NHIs makes clear why inherited trust cannot be treated as benign, especially when NIST SP 800-53 Rev 5 Security and Privacy Controls calls for access decisions that are intentional, reviewable, and constrained. Organisations typically encounter the consequences only after an assistant has browsed, copied, or executed something sensitive under a trusted session, at which point assistant trust transitivity becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Addresses agent tool misuse and unintended authority amplification through surrounding systems.
OWASP Non-Human Identity Top 10 NHI-05 Covers privilege escalation patterns where non-human actors inherit excessive access.
NIST CSF 2.0 PR.AC-4 Maps to access control decisions that must remain deliberate and least-privileged.
NIST Zero Trust (SP 800-207) SP 800-207 Zero Trust requires every request to be explicitly authorized, not trusted by context.
NIST AI RMF Risk management guidance applies to agentic systems that inherit operational trust.

Bind each assistant to least-privilege identity boundaries and remove ambient session trust.