AI security in 2025: agents, compliance and model consolidation

At a glance

What this is: This is an end-of-year analysis of how AI security changed in 2025, with the key finding that enterprise risk moved from prompts and outputs to agent actions, access, and compliance.

Why it matters: It matters because IAM, PAM, NHI, and governance teams now have to control what AI systems can do in production, not just what they say, across human, machine, and agentic identity programmes.

By the numbers:

• By mid-2025, 74% of startup workloads were already in production, showing how far GenAI had matured beyond pilot phases.
• Anthropic overtook OpenAI in enterprise usage at 32% versus 25%, while open-source adoption declined from 19% to 13%.

👉 Read Lasso Security's 2025 AI security predictions and reality check

Context

AI security now has to account for runtime behaviour, because agents can select tools, access data sources, and execute tasks instead of only generating responses. That shift changes the governance problem for NHI, agentic AI, and IAM programmes alike.

The article argues that 2025 moved enterprise attention from prompt leakage to control over actions, retrieval paths, and compliance evidence. For identity teams, that means the security boundary is no longer just the model, but the delegated access behind it.

This is a typical progression for platforms that move from experimentation to production. Once the model is allowed to act, identity governance becomes an operational control plane rather than a documentation exercise.

Key questions

Q: How should security teams govern AI systems that can act, not just generate text?

A: Security teams should govern AI systems as delegated executors with traceable access, not as passive software. That means mapping every tool, corpus, and workflow the system can reach, enforcing external policy checks, and logging runtime actions by identity. The core question is whether the system can access or change anything without a separately governed approval path.

Q: Why do AI agents change the way IAM and NHI controls work?

A: AI agents change IAM and NHI controls because the decision to act happens at runtime, not just at provisioning time. That makes access scope, tool permissions, and retrieval paths part of the security boundary. Traditional controls that assume a stable human operator or a fixed service role struggle when the actor can select actions dynamically.

Q: What do security teams get wrong about prompt leakage?

A: They often treat prompt leakage as the whole problem when it is only one layer of exposure. A leaked prompt can reveal hidden rules, but the deeper risk is the delegated access and policy attached to the model. If tools, corpora, and workflows remain over-permissioned, prompt secrecy will not prevent misuse.

Q: How do organisations know if AI governance is actually working?

A: AI governance is working only if the organisation can show which identities accessed which data sources, which tools were invoked, and what actions were executed in production. If those artefacts are missing, the programme has visibility into model output but not into real operational risk. Auditability is the practical test.

Technical breakdown

Agentic AI and MCP change the identity boundary

Agentic AI changes the security model because the system no longer stops at generating text. It can select tools, call external services, and coordinate multiple data sources through protocols such as MCP, which formalise machine-to-system interaction. That creates a delegated-access problem: the model may be the decision-maker, but the permissions usually belong to an underlying NHI, API token, or service account. Once those identities are exposed to runtime choice, governance has to track what the agent can reach, not just what it can say.

Practical implication: inventory every tool and data source an agent can call, then bind each path to a separately governed identity.

System prompt leakage is a control failure, not the whole threat

System prompt leakage matters because prompts often encode hidden policy, escalation cues, and behavioural constraints. But the deeper issue is that prompt secrecy was never a complete security boundary. Once adversaries reconstruct guardrails or developer instructions, they can better steer model behaviour or probe adjacent access controls. In other words, prompt protection reduces exposure, but it does not govern the broader identity and policy layer that now surrounds LLM deployments.

Practical implication: treat prompts as sensitive configuration, but enforce access controls and policy checks outside the model as well.

RAG security depends on retrieval governance

Retrieval augmented generation improves answers by letting models pull from trusted knowledge bases, but it also creates a new attack surface. If corpus poisoning, embedding manipulation, or retrieval hijacking succeeds, the model can be driven toward false context even when the base model is intact. That is why RAG security is becoming a governance discipline as much as a technical one. The key control question is not whether the model can retrieve data, but whether the retrieval path is constrained, monitored, and auditable.

Practical implication: apply granular access control and retrieval monitoring to every knowledge source an AI system can query.

Threat narrative

Attacker objective: The attacker aims to turn AI delegation into data exposure, workflow manipulation, or unauthorized execution at enterprise scale.

1. Entry occurs when attackers exploit exposed prompts, poisoned corpora, or overbroad access into the model's connected retrieval and tool environment.
2. Escalation follows when the attacker uses reconstructed guardrails or compromised retrieval context to steer the system toward broader data access or tool use.
3. Impact lands when the agent or model executes actions with delegated authority, exposing data, generating code, or pushing decisions into production workflows.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

2025 proved that AI security has moved from content control to action control. The article's core finding is not that models became smarter, but that enterprises allowed them to act. That changes the governance problem for IAM, NHI, and PAM because the risk now sits in delegated execution, tool use, and data access rather than in prompts alone. Practitioners should read this as a shift from model monitoring to identity governance for machine-driven action.

Prompt secrecy is not a security boundary, it is a fragile control layer. System prompt leakage matters because it exposes hidden policy, but it does not by itself explain enterprise risk. The real failure mode is that organisations often let the prompt stand in for policy, then discover that policy can be inferred, copied, or bypassed. The implication is that prompt management must be treated as configuration hygiene, not as the core governance model.

RAG security has become retrieval identity governance. Once a model can query knowledge bases, the question is who or what is authorised to retrieve which context under which conditions. That makes access scope, corpus integrity, and query path auditability part of the control plane. For practitioners, the field is now moving toward governed retrieval rather than trusted retrieval.

Agent consolidation is narrowing the market while widening the governance burden. The article points to a 2025 market structure where a few frontier models dominate enterprise use, while security providers respond through acquisitions and specialised tooling. That concentrates operational dependency and makes identity governance more, not less, important because fewer platforms now sit in front of more mission-critical workflows. Practitioners should expect deeper coupling between AI controls, IAM, and compliance evidence.

Model size was never the decisive variable, architecture was. The article's own revision is useful because it rejects the idea that smaller models are automatically safer. Security now depends on dynamic guardrails, context-based access control, and external policy enforcement. That is the right discipline for a market where model capability and delegated access are expanding faster than organisational review cycles.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• If you are building a control model for agentic AI, start with OWASP Agentic AI Top 10 and pair it with NIST AI 600-1 Generative AI Profile for governance and evidence handling.

What this signals

Agentic AI governance is becoming a visibility problem before it becomes a policy problem. With 48% of companies unable to track and audit the data their AI agents access, the first failure is often evidence loss rather than outright compromise. That means programmes need logging, identity binding, and retrieval auditability before they can credibly talk about policy maturity.

Model consolidation will push identity teams toward narrower but deeper control points. As enterprise AI concentrates around fewer frontier platforms, practitioners will need to govern a smaller number of high-impact integrations more rigorously. The practical shift is toward contextual authorisation, external policy enforcement, and stronger review of delegated access paths.

Retrieval governance is emerging as the control that bridges AI and identity security. Once agents can query business context, the issue becomes which identities may retrieve which data for which purpose. Teams that already manage secrets, workload identity, and privileged access are best placed to extend those disciplines into AI runtime governance.

For practitioners

• Map delegated AI access paths List every external system, knowledge base, and workflow an AI system can reach, then tie each path to a specific owner, permission set, and review cycle.
• Separate prompt protection from policy enforcement Classify prompts as sensitive configuration, then enforce authorisation, logging, and approval controls outside the model so policy survives prompt leakage.
• Instrument retrieval and tool use Monitor which corpora are queried, which tools are invoked, and which identities authorise those requests so you can detect retrieval hijacking and scope creep.
• Rebuild controls around agent action evidence Require audit trails that show what the agent accessed, what it changed, and which delegated identity executed each action before production release.

Key takeaways

• AI security in 2025 shifted from prompt protection to runtime governance, because agents now act across tools, data, and workflows.
• Enterprise adoption matured quickly, with 74% of startup workloads already in production and frontier models concentrating market power.
• Identity teams need to govern delegated AI access, audit retrieval paths, and separate prompt secrecy from enforceable policy.

Key terms

• Agentic AI: AI that can decide and execute actions using tools and data sources, rather than only generating responses. In identity terms, this creates a delegated execution problem because the agent's runtime behaviour depends on the permissions, tokens, and service identities behind it.
• Retrieval Augmented Generation: A pattern where a model queries external knowledge sources before answering. For security teams, the important point is that retrieval creates a governed access path, so corpus integrity, query authorisation, and auditability become part of the control plane.
• Context-Based Access Control: An access model that changes permissions based on context such as task, identity, or environment. In AI deployments, it helps limit what data or tools an agent may reach, but only if the context is enforced outside the model and audited at runtime.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Lasso Security: 2025 Predictions vs. Reality: A Year of Measured Progress in AI Security. Read the original.