By NHI Mgmt Group Editorial Team
Published 2026-02-11
Domain: Agentic AI & NHIs
Source: Nudge Security

TL;DR: AI use has moved into core workflows, with Nudge Security reporting that 96.0% of organizations now use OpenAI, 77.8% use Anthropic, and 17% of prompts include copy-paste or file uploads, while sensitive-data events are led by secrets and credentials at 47.9%. That makes AI governance a continuous identity and data-flow problem, not a policy exercise.


At a glance

What this is: Nudge Security’s research shows AI is now embedded in enterprise workflows, integrated with core systems, and increasingly associated with sensitive data exposure and early agentic tooling adoption.

Why it matters: IAM and security teams need to govern AI use as a live identity problem because access, integrations, and data movement now happen in the same operational path as human and non-human identities.

By the numbers:

👉 Read Nudge Security's research on AI adoption, governance, and enterprise risk


Context

AI adoption is no longer confined to experimental chat use. In enterprise environments, it is now embedded in everyday work, connected to productivity suites, knowledge systems, and code repositories, which makes AI governance a live identity and data-flow issue rather than a policy-only discussion.

For IAM and security programmes, the core problem is that AI tools increasingly sit inside the same permissioned environment as users and workloads. That means the governance question is no longer whether AI is allowed, but what it can reach, what data it can expose, and how its integrations expand the effective identity perimeter.


Key questions

Q: How should security teams govern AI tools that are embedded in enterprise workflows?

A: Security teams should govern embedded AI tools as part of the identity and access model, not as standalone software. That means tracking the tool, its integrations, the data it can reach, and the permissions it inherits from connected systems. Approval alone is not enough if runtime use can move sensitive information or trigger actions across business platforms.

Q: Why do AI prompts create identity and data-security risk?

A: AI prompts create risk because they can carry sensitive content outside the original system’s protection boundary. Copy-paste and file uploads can move secrets, regulated data, or operational context into tools that may log, reuse, or connect that information elsewhere. The issue is not the prompt itself, but the identity and data path it opens.

Q: When should organisations treat an AI tool like a non-human identity?

A: Organisations should treat an AI tool like a non-human identity whenever it can access systems, move data, or take actions beyond simple chat output. If the tool has integrations, delegated permissions, or autonomous task execution, it needs ownership, scope review, and lifecycle oversight just like any other privileged machine identity.

Q: What should teams do when AI starts connecting to productivity and code systems?

A: Teams should re-evaluate the full trust boundary, because connected systems expand the AI tool’s effective blast radius. Review which repositories, knowledge bases, and productivity applications are reachable, then narrow access to the smallest workable set. If the tool can move across multiple systems, it should be governed as an access path, not a feature.


Technical breakdown

AI governance now depends on identity-aware integration control

The technical shift is not just more AI usage, but AI tools being wired into business platforms that already hold sensitive data and privileged workflows. Once an AI tool is integrated with productivity, code, or knowledge systems, it inherits part of the organisation’s trust boundary. That creates a governance surface spanning authentication, authorisation, data exposure, and downstream tool access. The relevant control problem is no longer only model approval. It is lifecycle management of connected identities, scopes, and data paths across the full AI workflow.

Practical implication: inventory AI integrations with the same discipline used for service accounts and third-party OAuth access.

Prompts are becoming a data-exfiltration path

Prompt channels now function as a high-friction but real egress route for sensitive information. When users paste content or upload files into AI tools, the data is no longer protected by the original system’s access model alone. The governance issue is compounded when the tool sits inside a broader workflow, because data can move from human-entered content into logs, embeddings, shared contexts, or connected applications. This is why AI governance needs data classification and access review, not just acceptable-use language.

Practical implication: treat prompt content and file uploads as monitored data egress, especially when secrets or regulated data are involved.
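An added example (not Nudge Security's or NHIMG's code) of what "monitored data egress" looks like in practice: a small classifier run over constructed AI usage telemetry that flags prompt events in the secrets/credentials category and reports the share of prompts arriving via copy-paste or file upload. The event schema, rule names and sample values are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of AI usage telemetry (not real data): each event records
# the channel the content arrived through and the text that was sent to the tool.
SAMPLE_EVENTS = [
    {"user": "alice", "tool": "chatgpt", "channel": "typed",
     "content": "Summarise our Q3 roadmap in three bullets."},
    {"user": "bob", "tool": "claude", "channel": "copy_paste",
     "content": "Why does this fail? AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE region=eu-west-1"},
    {"user": "carol", "tool": "chatgpt", "channel": "file_upload",
     "content": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----"},
    {"user": "dave", "tool": "claude", "channel": "copy_paste",
     "content": "db_password = 'Winter2026!' host=prod-db.internal"},
    {"user": "erin", "tool": "chatgpt", "channel": "typed",
     "content": "Draft a polite reminder email to the vendor."},
]

# Detection rules for the secrets/credentials category that leads the research's findings.
SECRET_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assigned_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?\S+"),
}
# Channels that carry content out of its original system's access model.
EGRESS_CHANNELS = {"copy_paste", "file_upload"}


def classify_event(event):
    """Return the names of the secret rules whose pattern appears in the event content."""
    return [name for name, rx in SECRET_RULES.items() if rx.search(event["content"])]


def summarise(events):
    """Aggregate prompt-egress telemetry: egress share, flagged events, per-tool counts."""
    flagged = []
    for ev in events:
        hits = classify_event(ev)
        if hits:
            flagged.append({"user": ev["user"], "tool": ev["tool"],
                            "channel": ev["channel"], "rules": hits})
    egress = sum(1 for ev in events if ev["channel"] in EGRESS_CHANNELS)
    return {
        "total": len(events),
        "egress_share": round(egress / len(events), 2),
        "flagged": flagged,
        "flagged_by_tool": dict(Counter(f["tool"] for f in flagged)),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_EVENTS))
```

The flagged events are the ones a DLP or SaaS-security review queue should receive; the rule set is deliberately small and would be extended with the organisation's own credential formats.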

Agentic tooling changes the risk from output to action

Early agentic tools matter because they move AI from suggestion into execution. A chat model can leak information in output, but an agent can also trigger actions, connect systems, and propagate decisions across tools. That changes the security model from content governance to delegated capability governance. The issue is not whether the tool sounds intelligent. It is whether it has been granted enough access to act inside business systems without sufficient constraint, logging, and human oversight.

Practical implication: classify agentic tools as non-human identities with delegated capability, then review their scopes as if they were privileged accounts.


Threat narrative

Attacker objective: The objective is to gain access to sensitive enterprise data or privileged workflow context through AI-enabled usage paths.

  1. Entry: Users introduce AI tools into daily workflows and connect them to productivity, knowledge, and development systems.
  2. Escalation: Copy-paste, file uploads, and integrations move sensitive data and permissions into AI-enabled paths that sit outside traditional review loops.
  3. Impact: Secrets, credentials, financial data, and health information can be exposed through routine AI use and downstream tool connections.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI governance has become an identity governance problem, not a model governance problem. The article shows that AI is now present in core enterprise workflows and connected to systems that already carry sensitive permissions. That means the control question shifts from approving a tool to governing its runtime position inside the identity fabric. Practitioners should stop treating AI as a separate policy domain and start treating it as part of the enterprise access model.

Prompt-based data loss is the new shadow path for secrets. Nudge Security’s findings that secrets and credentials lead detected sensitive-data events are a reminder that the riskiest AI behaviour often begins with ordinary user behaviour. Once copy-paste and file upload become common, prompt channels become a practical exfiltration path that sits outside conventional DLP assumptions. The implication is that data governance must extend into AI usage telemetry and connected application scopes.

Agentic tooling introduces delegated capability risk that traditional SaaS approvals do not capture. Tools such as Manus, Lindy, and Agent.ai are early indicators that AI is moving from conversational assistance to action-taking. That creates a governance gap around who authorises what the agent can do, which systems it can reach, and how much blast radius a single integration creates. Practitioners should treat agentic use as delegated identity, not just software adoption.

Identity blast radius is now defined by integrations as much as by credentials. The article’s central lesson is that an AI tool’s risk profile depends on its connected systems, not just its login or vendor approval status. In practice, the same AI application can be low-risk in isolation and high-risk once tied to productivity suites, code repositories, and knowledge platforms. Security teams should reframe exposure in terms of reachable data and reachable action paths.

Continuous governance has replaced one-time approval as the operating model. The vendor’s own framing is directionally right on one point: static policy cannot keep up with AI that is changing how employees work. But the discipline required is broader than periodic review. It is ongoing visibility into tool use, integrations, and sensitive data movement across the full identity stack. Practitioners should govern AI as a continuously changing access graph.

From our research:

What this signals

Identity teams should expect AI governance to converge with NHI governance faster than many programmes planned for. With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, the operational question is no longer whether AI needs separate oversight, but how quickly existing access review and lifecycle processes can be extended to it. The practical gap is ownership, not intent.

AI usage telemetry will become a core governance signal. Once prompt activity includes uploads and copy-paste, security teams need to watch for data movement across tool boundaries, not just account provisioning. This is where lifecycle management for NHIs starts to overlap with data governance and SaaS control in a way many programmes have not yet operationalised.

Identity blast radius is the concept practitioners should adopt now. It captures the fact that the risk is created by the combination of integrations, permissions, and reachable data, not by AI use in the abstract. For teams aligning to external guidance, the OWASP Top 10 for Agentic Applications 2026 is the most relevant external lens for tool misuse and delegated action risk.


For practitioners

  • Inventory AI tools and integrations continuously: Track which AI applications are present, what systems they connect to, and whether those links include productivity suites, repositories, or knowledge platforms. Prioritise tools that can move data or trigger actions inside existing business systems.
  • Classify prompt data as a governed egress channel: Extend data handling rules to include copy-paste, uploads, and pasted secrets inside AI sessions. Apply monitoring and restriction controls where regulated data or credentials can enter prompts.
  • Review AI scopes like delegated identities: Treat agentic tools as non-human identities with specific permissions, owners, and review intervals. Validate that their access is limited to the minimum required to complete the intended workflow.
  • Tie AI approval to runtime visibility: Require telemetry on active usage, connected applications, and data flow before and after approval. A one-time policy review is not enough when the operational context keeps changing.
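As an added example (not NHIMG's or Nudge Security's code) of the inventory and scope-review items above and of the identity blast radius concept: a constructed integration graph in which systems hold data classes and expose scopes, AI tools hold integrations granting scopes, and the code computes each tool's reachable data and action paths, assigns a risk tier, and lists scopes granted beyond the declared workflow need. The system names, scope names and tool inventory are assumptions for illustration.

```python
# Constructed inventory (not real data): what each connected system holds and exposes.
SYSTEMS = {
    "google_workspace": {"data": {"email", "documents"},
                         "scopes": {"drive.read", "drive.write", "gmail.send"}},
    "github": {"data": {"source_code", "ci_secrets"},
               "scopes": {"repo.read", "repo.write", "actions.run"}},
    "confluence": {"data": {"runbooks", "architecture_docs"},
                   "scopes": {"page.read", "page.write"}},
}
ACTION_SCOPES = {"drive.write", "gmail.send", "repo.write", "actions.run", "page.write"}
SENSITIVE_DATA = {"ci_secrets", "source_code", "email"}

# Constructed AI tool inventory: integrations are the scopes actually granted,
# workflow_needs are the scopes the approved use case was documented to require.
TOOLS = [
    {"name": "chat-assistant", "owner": "it-apps", "integrations": {}, "workflow_needs": {}},
    {"name": "code-agent", "owner": None,
     "integrations": {"github": {"repo.read", "repo.write", "actions.run"},
                      "google_workspace": {"drive.read", "gmail.send"}},
     "workflow_needs": {"github": {"repo.read", "repo.write"}}},
]


def blast_radius(tool):
    """Data classes and action paths reachable through the tool's integrations."""
    reachable_data, action_paths = set(), set()
    for system, scopes in tool["integrations"].items():
        reachable_data |= SYSTEMS[system]["data"]
        action_paths |= {f"{system}:{s}" for s in scopes if s in ACTION_SCOPES}
    return {"data": reachable_data, "actions": action_paths}


def risk_tier(tool):
    """High when the tool can both act and reach sensitive data; govern it as a privileged NHI."""
    br = blast_radius(tool)
    if br["actions"] and br["data"] & SENSITIVE_DATA:
        return "high"
    if br["actions"] or br["data"] & SENSITIVE_DATA:
        return "medium"
    return "low"


def scope_findings(tool):
    """Least-privilege review: missing owner and scopes granted beyond the declared need."""
    findings = [] if tool.get("owner") else ["no owner assigned"]
    for system, scopes in tool["integrations"].items():
        excess = scopes - tool.get("workflow_needs", {}).get(system, set())
        if excess:
            findings.append(f"{system}: excess scopes {sorted(excess)}")
    return findings


if __name__ == "__main__":
    for t in TOOLS:
        print(t["name"], risk_tier(t), scope_findings(t))
```

Running `risk_tier` on the same tool with its integrations removed shows the article's point directly: the agent is low-risk in isolation and high-risk once wired into the code and productivity systems.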

Key takeaways

  • AI governance is now an access problem because AI tools sit inside real workflows, real systems, and real data paths.
  • The strongest risk signal in the research is not experimentation but normalised usage, with sensitive data moving through prompt channels and integrations.
  • Practitioners should govern AI with the same lifecycle discipline used for non-human identities, because approval without runtime visibility leaves the real risk untouched.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Agentic AI Top 10         |                     | AI tools with integrations and delegated action map to agentic application risks.
OWASP Non-Human Identity Top 10 | NHI-03              | The article centres on identity scope, integrations, and lifecycle control for AI tools.
NIST CSF 2.0                    | PR.AA-1             | Identity, authentication, and data-flow governance are central to the article’s risk model.

Inventory AI-connected identities and enforce least privilege with lifecycle ownership and review.


Key terms

  • Agentic Tooling: Software that can move beyond answering prompts and take actions through connected systems. In identity terms, it behaves like a delegated non-human actor because its risk depends on the permissions, integrations, and execution paths it can use at runtime.
  • Prompt Egress: The movement of sensitive information out of a controlled system through prompts, uploads, or pasted content. In AI governance, this is a data-loss pathway because the input channel can bypass the original application’s access model and expose secrets or regulated data elsewhere.
  • Identity Blast Radius: The amount of access, data, and downstream action that becomes reachable when an identity or AI tool is misused. It is not just about credentials, but about the systems and workflows those credentials can touch once integrations are in place.
  • Delegated Capability: The specific set of actions a non-human or AI identity is allowed to perform on behalf of a user or system. It matters because governance must cover not only who owns the identity, but also what it can initiate, alter, or trigger inside connected platforms.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Nudge Security: AI Adoption Research Reveals How Widespread AI Use Is Transforming Security Governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org