By NHI Mgmt Group Editorial Team | Published 2025-11-11 | Domain: Agentic AI & NHIs | Source: Lasso Security

TL;DR: Gartner says AI TRiSM brings four technical layers to govern trust, risk, security, privacy, and data protection across AI use cases, and expects AI TRiSM as a service to become a viable outsourced option by 2027. It also warns that 80% of unauthorized AI transactions through 2026 will stem from internal policy violations. The governance gap is no longer experimental, and runtime controls now matter more than static approval gates.


At a glance

What this is: An analysis of Gartner’s AI TRiSM framing and what it means for governing GenAI risk, shadow AI, and runtime policy enforcement.

Why it matters: IAM, NHI, and security teams need controls that can govern AI behaviour in motion, not just inventory it after the fact.

By the numbers:

  • Through 2026, at least 80% of unauthorized AI transactions will be caused by internal violations of enterprise policies concerning information oversharing, unacceptable use or misguided AI behavior rather than malicious attacks.
  • By 2027, AI TRiSM as a service will emerge as a viable outsourced service option for enterprises that do not have the resources to implement their own AI TRiSM services.


Context

AI TRiSM is the set of controls enterprises use to make AI systems trustworthy enough to operate inside policy. In practice, that means discovery, policy enforcement, runtime inspection, and governance over outputs, data use, and model behaviour across internal and third-party AI applications.

The identity security question is not whether organisations will use AI. It is whether they can govern AI as a controllable runtime actor, especially when shadow AI, embedded models, and delegated access patterns blur the line between application security and identity governance.


Key questions

Q: How should security teams govern AI systems that access enterprise data?

A: Security teams should govern AI systems as runtime actors, not just as software tools. That means inventorying each use case, mapping its data access, binding it to policy enforcement points, and assigning clear ownership. If the system can read, transform, or forward sensitive data, it needs identity and access controls equal to its reach.

Q: Why do AI systems create governance problems for IAM and NHI teams?

A: AI systems create governance problems because they can consume identities, secrets, and data in ways that are dynamic and hard to bound at design time. IAM still matters, but it is no longer enough to approve access once and assume behaviour stays stable. Runtime policy enforcement becomes part of the identity control model.

Q: When should organisations prioritise runtime AI controls over static approvals?

A: Organisations should prioritise runtime AI controls whenever a system can generate outputs, call tools, or move data without a human approving each step. Static approvals can document intent, but they cannot stop oversharing or unsafe execution once the workflow is live. The stronger the delegation chain, the more runtime controls matter.

Q: What should teams do if they discover shadow AI in the business?

A: Teams should first identify who owns the tool, what data it touches, and which identities it uses. Then they should either bring it under policy and lifecycle control or remove access to enterprise data until governance is in place. Discovery without containment simply confirms the scale of the gap.


Technical breakdown

What AI TRiSM means for runtime policy enforcement

AI TRiSM is not a single product category. It is a control stack for discovering AI usage, setting policy, inspecting runtime behaviour, and enforcing guardrails across model calls and downstream actions. Gartner’s framing matters because it treats AI governance as an operational discipline, not a documentation exercise. That shifts the emphasis from static approval to continuous control over prompts, outputs, and data movement. For identity teams, the important point is that access to AI systems has to be governed like any other high-risk execution path, with observable controls at the point of use.

Practical implication: map AI systems to runtime policy checkpoints instead of relying only on procurement review or model approval.

Shadow AI and embedded models expand the identity surface

AI risk is not confined to sanctioned copilots. Embedded models in third-party applications, internal experiments, and unmanaged tools create a wider identity surface where users, service accounts, and AI-driven workflows can all interact with sensitive data. That makes discovery and inventory foundational. If you do not know where AI is present, you cannot govern who or what is allowed to invoke it, feed it data, or act on its outputs. This is why TRiSM belongs in the same conversation as NHI governance and application access control.

Practical implication: build an inventory of AI-enabled systems, then connect each one to the identities and secrets it uses.

Why agentic AI changes the control problem

When AI systems can initiate actions, choose tools, and continue execution without human approval at each step, they stop behaving like ordinary software integrations. At that point, policy must govern not only the model response but also the delegated execution chain. This is where identity governance, secrets management, and trust boundaries converge. Traditional controls assume stable ownership and bounded use. Agentic behaviour turns those assumptions into live dependencies that can fail at runtime if access, data scope, or tool permissions are too broad.

Practical implication: evaluate whether any AI workflow can trigger actions beyond its original request and treat that as a governance boundary.


Threat narrative

Attacker objective: Exploit weak AI governance boundaries so that data, decisions, or actions move outside enterprise policy.

  1. Entry occurs when users, third-party apps, or internal teams introduce AI tools into business workflows without central visibility or policy review.
  2. Escalation happens when those tools receive overbroad data access, uncontrolled prompts, or delegated permissions that exceed the original business need.
  3. Impact emerges as policy violations, oversharing, compliance failures, and unwanted model behaviour create security and governance exposure at scale.


NHI Mgmt Group analysis

AI TRiSM is becoming the governance layer that traditional IAM never covered. IAM can authenticate users and grant access, but it does not by itself decide whether an AI system should be allowed to generate, transform, or transmit regulated data at runtime. That gap is now a standing enterprise control problem, not an edge case. Practitioners should treat AI governance as an extension of identity governance, not a separate AI-only initiative.

Shadow AI makes discovery a governance control, not just an inventory exercise. If organisations cannot see which embedded models, internal tools, and third-party applications are already using AI, every other control becomes partial. The issue is not only visibility for compliance. It is the inability to scope identity, secrets, and policy enforcement to the real AI surface. Practitioners should assume undiscovered AI use exists until proven otherwise.

Runtime enforcement is the decisive control when AI behaviour can change faster than review cycles. Static policy documents do not stop a model from oversharing, a workflow from invoking the wrong tool, or a user from routing data through an unmanaged AI service. The control plane has to inspect and constrain actions as they happen. Practitioners should prioritise enforcement points that sit on the execution path, not after the fact.

AI trust, risk and security management is converging with NHI governance because AI systems depend on identities, secrets, and delegated access. Even when the model is the visible risk, the real control surface often sits in API keys, service accounts, tokens, and third-party connections. Gartner’s TRiSM framing validates what identity teams already know: if access is not controlled, model governance will not hold. Practitioners should align AI controls with NHI lifecycle management and least-privilege principles.

Runtime governance gap: The article shows that the market is moving toward controls that can inspect and enforce policy during AI execution, because pre-approval models cannot keep up with AI-driven behaviour. That means the enterprise security baseline is shifting from trust in the design phase to control at the point of action. Practitioners should treat that as a category change, not a feature request.

What this signals

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the AI governance problem is already an identity visibility problem before it becomes an AI risk problem. That is why TRiSM-style controls have to sit alongside identity discovery and access governance, not replace them.

Runtime governance gap: AI programmes fail when teams treat policy as a document instead of a control surface. The practical shift is to connect AI use cases to the same lifecycle discipline used for service accounts and secrets, including ownership, scope, and offboarding.

AI TRiSM will increasingly converge with NHI governance and identity lifecycle management because AI systems rely on the same primitives: access, tokens, and delegated connections. Practitioners should plan for cross-domain governance rather than separate AI and IAM workstreams.


For practitioners

  • Inventory every AI-enabled workflow: Create a single register of sanctioned copilots, embedded models, internal GenAI apps, and third-party AI features. Link each one to its business owner, data sources, and connected identities so shadow AI can be surfaced before enforcement is attempted.
  • Bind AI use cases to runtime policy checkpoints: Insert inspection and enforcement controls at prompt entry, data egress, and tool invocation points. The goal is to stop oversharing and unauthorised action while the session is still active, not after logs are reviewed.
  • Treat AI service accounts as governed NHIs: Apply lifecycle management to the secrets and service accounts that let AI systems call APIs, fetch data, or trigger workflows. Review privilege, rotation, and offboarding together so access does not outlive the use case.
  • Set escalation criteria for unmanaged AI behaviour: Define what counts as policy drift, unsafe output, or unauthorised data use, then route those events into security operations. Teams need clear intervention points before a model’s behaviour becomes an enterprise incident.
  • Evaluate whether AI controls are execution-path controls: Ask whether each safeguard can still work when an AI system changes context, chooses a tool, or routes data differently within the same session. If not, the control is advisory rather than enforceable.
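
One way to express the register and the three checkpoints from the list above in code, as an added example that is not from NHI Mgmt Group, Lasso Security or Gartner. The workflow names, service accounts, data scopes, tool names and the allow/deny/escalate outcomes are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class AIWorkflow:
    name: str
    owner: str | None      # business owner; None marks ungoverned (shadow) AI
    identity: str          # service account (NHI) the workflow runs as
    data_scopes: set[str] = field(default_factory=set)
    allowed_tools: set[str] = field(default_factory=set)

# Constructed register, keyed by the identity each workflow uses.
REGISTER = {w.identity: w for w in [
    AIWorkflow("support-copilot", "cx-team", "svc-copilot", {"tickets"}, {"search_kb"}),
    AIWorkflow("hr-summariser", None, "svc-hr-bot", {"hr_records"}, {"send_email"}),
]}

def checkpoint(identity: str, stage: str, target: str) -> tuple[str, str]:
    """Return (decision, reason) for one runtime event.
    stage: 'prompt_entry', 'data_egress' or 'tool_invocation';
    target: the data scope or tool name the event touches."""
    wf = REGISTER.get(identity)
    if wf is None:
        return "deny", "identity not in AI register"
    if wf.owner is None:
        # Discovered but unowned: block and route to security operations.
        return "escalate", f"{wf.name} has no owner"
    if stage == "tool_invocation":
        if target not in wf.allowed_tools:
            return "deny", f"tool {target!r} outside delegated scope"
    elif stage in ("prompt_entry", "data_egress"):
        if target not in wf.data_scopes:
            return "deny", f"data scope {target!r} not approved"
    else:
        return "deny", f"unknown checkpoint stage {stage!r}"
    return "allow", "within registered scope"

# Constructed session: the copilot stays in scope, then picks a new tool and
# a new data source mid-session; two other identities follow.
SESSION = [
    ("svc-copilot", "prompt_entry", "tickets"),
    ("svc-copilot", "tool_invocation", "search_kb"),
    ("svc-copilot", "tool_invocation", "send_email"),
    ("svc-copilot", "data_egress", "hr_records"),
    ("svc-hr-bot", "tool_invocation", "send_email"),
    ("svc-unknown", "prompt_entry", "tickets"),
]

def replay(events):
    """Evaluate every event on the execution path; return the decisions."""
    return [checkpoint(*e)[0] for e in events]
```

Because every event in the session is evaluated, the third and fourth events are denied even though the same identity was allowed moments earlier, which is the execution-path property the last list item asks about.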

Key takeaways

  • AI TRiSM is best understood as the control layer that closes the gap between AI capability and enterprise policy.
  • The scale of unauthorized AI use is being driven more by internal policy violations than by external attackers, which changes where teams should focus detection and enforcement.
  • Identity teams should anchor AI governance in runtime enforcement, shadow AI discovery, and lifecycle control for the identities that power AI workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | - | AI TRiSM runtime controls map directly to agentic AI governance and guardrails.
OWASP Non-Human Identity Top 10 | NHI-01 | AI systems depend on secrets and delegated identities that fit NHI governance patterns.
NIST CSF 2.0 | PR.AC-4 | AI runtime access and policy enforcement align with least-privilege access management.

Apply agentic AI guardrails to constrain tool use, data access, and unsafe execution paths.


Key terms

  • AI TRiSM: AI Trust, Risk and Security Management is the control discipline for making AI systems trustworthy enough for enterprise use. It combines discovery, policy, runtime inspection, and enforcement so organisations can govern outputs, data use, and connected workflows instead of relying on approval alone.
  • Shadow AI: Shadow AI is AI use that exists outside central governance, whether through unsanctioned tools, embedded features, or untracked experiments. It matters because hidden AI use can still touch sensitive data, invoke identities, and create policy exposure even when the business does not formally approve it.
  • Runtime Enforcement: Runtime enforcement is the ability to apply security policy while a system is actively making decisions or moving data. In AI governance, it means controls must inspect prompts, outputs, tool calls, and data flows as they happen, because post-event review cannot prevent an unsafe action already taken.
  • Delegated Access: Delegated access is permission granted to one system or identity to act on behalf of another within defined limits. For AI workflows, it becomes risky when the delegated scope is broader than the task, poorly time-bound, or not tied to a lifecycle process that removes access when the use case ends.

This post draws on content published by Lasso Security: Gartner names Lasso Security as a representative vendor in AI TRiSM. Read the original.
