By NHI Mgmt Group Editorial Team
Published 2026-03-24
Domain: Announcements
Source: Cyera

TL;DR: The core issue is not AI adoption itself, but the visibility gap around prompt-level data sharing and downstream file movement that current governance models cannot fully see, according to Cyera.


At a glance

What this is: Cyera’s new AI security capabilities focus on prompt-level visibility, file lineage, and MCP-driven security agents to address blind spots in how employees and AI agents use enterprise data.

Why it matters: This matters because IAM, NHI, and governance teams need evidence of what data was accessed, transformed, or shared after entry, not just who authenticated at the door.


👉 Read Cyera’s analysis of Browser Shield, data lineage, and MCP for enterprise AI security


Context

Enterprise AI security is no longer only about stopping model misuse at the prompt. The harder problem is tracing what happens after access is granted, especially when employees and AI agents can read, copy, transform, and re-share data across tools and files without a complete audit trail. That is an identity and governance problem as much as a data problem, because the control failure begins when access is visible but its consequences are not.

Cyera’s announcement sits in the middle of that gap: prompt-level controls on one side, lineage and investigation on the other. For IAM and security architects, the key question is whether the programme can connect human access, non-human access, and downstream data movement into one governance model. That is the practical test for AI security maturity, not whether a team has added another AI feature.


Key questions

Q: How should security teams govern employee use of public AI tools in the browser?

A: They should treat browser AI use as an identity and data-control problem, not just an acceptable-use issue. The team needs visibility into what was pasted, which account was active, whether the content was sensitive, and whether policy enforcement occurred before the data left the organisation. Controls that only inspect network events will miss the real decision point.

Q: Why do AI agents create governance problems that normal access reviews miss?

A: AI agents can read, copy, transform, and re-share data after the original access decision, so a static review of entitlements does not capture downstream impact. Governance has to measure what the agent actually did with the data, not only whether the agent was allowed to see it. That is why lineage and activity evidence matter.

Q: What breaks when security teams only track file access and not file lineage?

A: They lose sight of derivative risk. A file may be opened legitimately, but the real exposure comes when a person or agent creates a new version, shares a subset, or moves the content into another workflow. Without lineage, the programme cannot explain blast radius or prove what happened after access.

Q: How do security teams decide whether to let AI agents automate investigations?

A: They should permit automation only for tightly scoped, read-heavy tasks with clear logging and human approval for any state change. If an agent can investigate, decide, and act in the same workflow without review, the organisation has delegated operational authority, not just convenience. That changes accountability and control design.


How it works in practice

Prompt-level AI controls and browser visibility

Prompt-level controls are aimed at the moment a user or agent sends content into a public or managed AI interface. The technical problem is that once data is pasted into a browser-based model interface, legacy DLP, CASB, or identity tooling may not capture the full context of what was sent, which account type was involved, or whether the interaction was sanctioned. Browser-level visibility attempts to recover that context in real time and block sensitive content before it leaves the organisation. For AI governance, that means the control plane must see identity, content, and destination together, not as separate logs.

Practical implication: Treat browser-based AI use as an identity and data boundary, not just an application risk.
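To make the "identity, content, and destination together" point concrete, here is an added example of a prompt-submission policy check (written for this article, not Cyera's code or Browser Shield). It assumes constructed hostnames for a sanctioned internal AI interface and a public AI tool, three toy regex detectors standing in for a real classifier, and a browser account type supplied by the session. The audit record deliberately stores a digest of the pasted content rather than the content itself, so the evidence trail does not become a second copy of the sensitive data.

```python
"""Added example (not Cyera's code): decide on a browser AI submission by
evaluating identity, content and destination together, and emit an audit
record that proves what happened without storing the pasted data.
All hostnames, detectors and policy values are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not taken from the article).
SANCTIONED_AI_HOSTS = {"ai.corp.example"}        # managed interface, sensitive data allowed
PUBLIC_AI_HOSTS = {"chat.public-ai.example"}     # public tool, non-sensitive content only

# Minimal detectors so the example runs offline; a real deployment would
# use the platform's classifier rather than three regexes.
DETECTORS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "api_key": re.compile(r"\b(?:sk-[A-Za-z0-9]{20,}|AKIA[A-Z0-9]{16})\b"),
    "internal_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}


@dataclass
class Submission:
    user: str
    account_type: str   # "corporate" or "personal" account active in the browser
    destination: str    # host the prompt is being sent to
    content: str        # text pasted into the AI interface


@dataclass
class Decision:
    action: str                       # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def classify(content):
    """Return the names of the detectors that fire on the pasted content."""
    return [name for name, rx in DETECTORS.items() if rx.search(content)]


def evaluate(sub):
    """Combine identity, content and destination into one decision."""
    findings = classify(sub.content)
    sensitive = bool(findings)
    if sub.destination not in SANCTIONED_AI_HOSTS | PUBLIC_AI_HOSTS:
        return Decision("block", ["destination is not a known AI interface"], findings)
    if sensitive and sub.account_type != "corporate":
        return Decision("block", ["sensitive content under a non-corporate account"], findings)
    if sensitive and sub.destination in PUBLIC_AI_HOSTS:
        return Decision("block", ["sensitive content bound for a public AI tool"], findings)
    if sub.destination in PUBLIC_AI_HOSTS:
        return Decision("alert", ["public AI tool, no sensitive content detected"], findings)
    return Decision("allow", ["sanctioned destination"], findings)


def audit_record(sub, decision):
    """Evidence for reviewers: who, where, what was found and what was enforced.
    The content itself is not stored; a digest is enough to correlate later."""
    return {
        "user": sub.user,
        "account_type": sub.account_type,
        "destination": sub.destination,
        "content_sha256": hashlib.sha256(sub.content.encode()).hexdigest(),
        "findings": decision.findings,
        "action": decision.action,
        "reasons": decision.reasons,
    }


if __name__ == "__main__":
    sample = Submission("bob", "personal", "chat.public-ai.example",
                        "please check card 4111 1111 1111 1111")
    print(audit_record(sample, evaluate(sample)))
```

The ordering of the checks is the design choice that matters: destination is evaluated first so unknown AI endpoints are refused regardless of content, and the account type is consulted before the destination allow-list so a personal login cannot launder sensitive content through an otherwise sanctioned host.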

Data lineage for files and AI-driven transformation

Data lineage in this context tracks how sensitive files are copied, transformed, derived, and shared after access. That matters because AI agents and employees can create new artefacts that inherit sensitivity even when the original file never leaves approved storage. Traditional access control answers who can open a file, but lineage answers what that file becomes afterwards and where the blast radius extends. The identity link is important because both human and non-human access can trigger downstream propagation. Without lineage, governance stops at the point of entry and misses the full lifecycle of data exposure.

Practical implication: Map downstream derivatives, not just original file access, before you claim you have AI governance.
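As an added illustration of the lineage idea (example code written for this article, not Cyera's implementation), the following builds a small lineage graph in which each derivative inherits its parent's sensitivity label, and then answers the blast-radius question from a single source file: what artefacts now exist, who produced them, and who received them. The artefact names, actors and labels are constructed sample values.

```python
"""Added example (not Cyera's code): a small lineage graph in which derived
artefacts inherit the sensitivity of their source, so blast radius can be
explained from a single access event. All artefact names, actors and labels
are constructed sample values."""
from collections import defaultdict, deque

# Ordered labels; a derivative can never be labelled lower than its parent.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


class Lineage:
    def __init__(self):
        self.labels = {}                   # artefact -> label
        self.children = defaultdict(list)  # parent -> [(child, actor, operation)]
        self.shares = defaultdict(list)    # artefact -> [(recipient, actor)]

    def register(self, artefact, label):
        """Record a source artefact with its classification."""
        self.labels[artefact] = label

    def derive(self, parent, child, actor, operation):
        """Record that `actor` produced `child` from `parent` (copy, summary, extract).
        The child inherits the parent's label unless it already carries a higher one."""
        if parent not in self.labels:
            raise KeyError(f"unknown parent artefact: {parent}")
        inherited = self.labels[parent]
        current = self.labels.get(child, "public")
        self.labels[child] = max(inherited, current, key=SENSITIVITY.__getitem__)
        self.children[parent].append((child, actor, operation))

    def share(self, artefact, recipient, actor):
        """Record that `actor` shared `artefact` with `recipient`."""
        if artefact not in self.labels:
            raise KeyError(f"unknown artefact: {artefact}")
        self.shares[artefact].append((recipient, actor))

    def blast_radius(self, root):
        """Walk every derivative of `root` and report what exists, who made it,
        and who received it: the question an entitlement review cannot answer."""
        seen, queue = {root}, deque([root])
        derivatives, actors, recipients = [], set(), set()
        while queue:
            node = queue.popleft()
            for recipient, actor in self.shares[node]:
                recipients.add(recipient)
                actors.add(actor)
            for child, actor, operation in self.children[node]:
                actors.add(actor)
                if child not in seen:
                    seen.add(child)
                    derivatives.append((child, self.labels[child], operation))
                    queue.append(child)
        return {"derivatives": derivatives, "actors": sorted(actors),
                "recipients": sorted(recipients)}


def build_sample():
    """Constructed scenario: a human opens a spreadsheet legitimately, an AI agent
    summarises it, and the summary is shared outside the original storage."""
    lg = Lineage()
    lg.register("finance/q3-forecast.xlsx", "confidential")
    lg.derive("finance/q3-forecast.xlsx", "drafts/q3-summary.docx", "report-agent", "summarise")
    lg.derive("drafts/q3-summary.docx", "slides/q3-chart.png", "alice", "extract")
    lg.share("drafts/q3-summary.docx", "partner@vendor.example", "alice")
    return lg


if __name__ == "__main__":
    print(build_sample().blast_radius("finance/q3-forecast.xlsx"))
```

Note that the original spreadsheet never leaves approved storage in this scenario; the exposure is entirely in the derivatives, and both a non-human actor (the summarising agent) and a human appear in the chain, which is why the identity link has to be recorded on every lineage edge.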

MCP security agents and delegated investigation

A Model Context Protocol server can expose enterprise data and tools to AI agents in a structured way, which makes governance both more scalable and more dangerous if the guardrails are weak. MCP is not itself the risk. The risk is that agentic workflows can combine retrieval, analysis, and action against security data at runtime, turning an assistant into an operational actor. That creates a strong need for scoped permissions, action logging, and clear separation between investigation and remediation. In practical terms, MCP expands the control surface from data visibility to delegated operational authority.

Practical implication: Before allowing MCP-connected agents, define exactly which investigations and actions they may perform.
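The separation between investigation and remediation can be enforced at the point where an agent's tool calls are dispatched. The following is an added example written for this article (not Cyera MCP or the Model Context Protocol project's code): a gateway that labels every exposed tool as read or write, scopes the agent to an allow-list, logs every attempt, and lets a write through only when a human has approved that exact call, with the approval consumed on use. The tool names, security data and agent identifiers are constructed assumptions.

```python
"""Added example (not Cyera's or the MCP project's code): a gateway that
sits between an agent and its tools, classifies each tool as read or write,
scopes the agent to an allow-list, and lets a write through only with a
human approval bound to that exact call. Tool names, data and agent ids
are constructed assumptions."""
import json
import time

# --- constructed security data the tools operate on ------------------------
ALERTS = [
    {"id": "a-101", "user": "bob", "resource": "finance-share", "severity": "high"},
    {"id": "a-102", "user": "carol", "resource": "hr-share", "severity": "low"},
]
ENTITLEMENTS = {"bob": {"finance-share", "wiki"}, "carol": {"hr-share"}}
TICKETS = {"t-9": "open"}


def search_alerts(args):
    return [a for a in ALERTS if a["severity"] == args.get("severity", "high")]


def get_entitlements(args):
    return sorted(ENTITLEMENTS.get(args["user"], set()))


def revoke_access(args):
    ENTITLEMENTS[args["user"]].discard(args["resource"])
    return {"revoked": args["resource"], "user": args["user"]}


def close_ticket(args):
    TICKETS[args["ticket"]] = "closed"
    return {"ticket": args["ticket"], "state": "closed"}


# Every exposed tool is labelled by effect; "write" changes access, data or ticket state.
TOOLS = {
    "search_alerts": ("read", search_alerts),
    "get_entitlements": ("read", get_entitlements),
    "revoke_access": ("write", revoke_access),
    "close_ticket": ("write", close_ticket),
}


def call_key(tool, args):
    """Canonical form of one call, so an approval cannot be reused for other arguments."""
    return tool + ":" + json.dumps(args, sort_keys=True)


class AgentGateway:
    def __init__(self, agent_id, allowed_tools):
        self.agent_id = agent_id
        self.allowed = set(allowed_tools)
        self.approvals = set()   # call keys a human has approved, consumed on use
        self.audit = []          # one entry per attempted call

    def approve(self, tool, args, approver):
        """A human grants a single execution of one exact call."""
        self.approvals.add(call_key(tool, args))
        self._log(tool, args, "approved", approver=approver)

    def call(self, tool, args):
        if tool not in TOOLS or tool not in self.allowed:
            return self._log(tool, args, "denied", reason="tool outside agent scope")
        effect, handler = TOOLS[tool]
        key = call_key(tool, args)
        if effect == "write":
            if key not in self.approvals:
                return self._log(tool, args, "pending_approval",
                                 reason="state change requires human approval")
            self.approvals.discard(key)   # single use
        result = handler(args)
        return self._log(tool, args, "ok", result=result)

    def _log(self, tool, args, status, **extra):
        entry = {"ts": time.time(), "agent": self.agent_id, "tool": tool,
                 "args": args, "status": status, **extra}
        self.audit.append(entry)
        return entry


if __name__ == "__main__":
    gw = AgentGateway("triage-agent", ["search_alerts", "get_entitlements", "revoke_access"])
    print(gw.call("search_alerts", {"severity": "high"})["result"])
    print(gw.call("revoke_access", {"user": "bob", "resource": "finance-share"})["status"])
    gw.approve("revoke_access", {"user": "bob", "resource": "finance-share"}, approver="analyst-1")
    print(gw.call("revoke_access", {"user": "bob", "resource": "finance-share"})["status"])
```

Two details carry the governance weight: the approval is bound to the canonical form of the call (tool plus sorted arguments), so approving one revocation does not authorise a different user or resource, and the audit list records pending and denied attempts as well as successes, which is the evidence a reviewer needs when asking what an agent tried to do rather than only what it was allowed to do.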


NHI Mgmt Group analysis

Browser-level AI visibility is becoming a control prerequisite, not a nice-to-have. The security problem starts before a policy engine in the network stack has a chance to act, because employees are already pasting sensitive data into AI tools inside the browser. That means the effective control boundary has shifted closer to the user session, where identity, content, and destination all need to be evaluated together. Practitioners should treat this as a visibility requirement for modern AI adoption, not a narrow browser feature decision.

Data lineage is the missing link between access and impact. Classic IAM answers who obtained access, but it does not explain what happened after a file was read, copied, transformed, or redistributed by a person or agent. That gap matters because sensitive data often survives as derivative content long after the original access event is closed. The implication for governance programmes is that access certification alone cannot prove control over AI-era data movement.

Identity does not stop at the endpoint when AI tools reshape enterprise data. Both human and non-human access can now create new artefacts, move information across internal systems, and expand blast radius without a clean approval trail. That makes the identity model inseparable from data governance, especially where public AI tools and internal agents share the same source material. Practitioners should assume that access is only the first observable event, not the full security outcome.

Cyera MCP reflects the shift from passive visibility to delegated security action. Once security teams allow agents to investigate, answer questions, and automate remediation, the governance question becomes which actions are safe to delegate and which require explicit human control. That is a different operational model from traditional dashboards or ticketing workflows. The field should expect more security platforms to expose agent-friendly interfaces, which will force stronger policy around machine-operable authority.


What this signals

Prompt visibility will become a baseline expectation for AI governance. As enterprises move from experimentation to routine AI use, teams will need evidence that they can see what enters the prompt path and whether that content was sensitive. The operational signal is not whether AI exists, but whether security can observe the session before data becomes unrecoverable.

Lineage will start to matter as much as entitlement. When a document becomes a derivative, a summary, or a shared dataset, the original access decision is no longer enough to judge risk. Programmes that cannot connect access to downstream change will struggle to explain impact after an incident or audit finding.

With 98% of companies planning to deploy even more AI agents within the next 12 months, per AI Agents: The New Attack Surface report, the governance gap is widening faster than most review cycles can respond. That pushes identity teams toward continuous telemetry, scoped delegation, and tighter policy around what an AI system may do after it gains access. It also raises the bar for how much automation security teams are willing to hand to machine-operated workflows.


For practitioners

  • Establish browser-level AI controls: Instrument managed and unmanaged browser use so security teams can identify what data is pasted into AI tools, which identity was active, and whether blocking or alerting happened before the prompt left the organisation.
  • Extend data governance to file derivatives: Track copied, transformed, and shared files as first-class governance objects, because derivative artefacts can carry sensitivity long after the original document is accessed.
  • Separate investigation from remediation authority: If you allow MCP-connected security agents, scope them to retrieve and analyse first, then require explicit approval before any action that changes access, data state, or ticket status.

Key takeaways

  • AI security now depends on observing what users and agents do with data after access, not just who authenticated.
  • File lineage and browser-level visibility close different parts of the same governance gap, and both are needed for AI-era control coverage.
  • Security teams should separate read-only investigation from any delegated remediation so agent authority stays bounded and auditable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Browser AI use and agent actions expand the prompt and tool-risk surface.
OWASP Non-Human Identity Top 10 | NHI-03 | Data access, delegation, and lineage depend on governed non-human identities.
NIST CSF 2.0 | PR.AC-4 | Least privilege applies to both human sessions and AI-driven data paths.

Map AI prompt and tool interactions to agentic application risks before allowing production use.


Key terms

  • Browser-level AI visibility: Browser-level AI visibility is the ability to see and control what users paste or submit into AI tools inside the session. It matters because the data boundary often starts at the browser, before network controls or backend policies can fully inspect the content or identity context.
  • Data lineage: Data lineage is the record of how information is created, copied, transformed, and shared across its lifecycle. For AI governance, it extends beyond file access to show where sensitive content went, what it became, and how far the blast radius can spread.
  • MCP security agent: An MCP security agent is an AI-driven workflow that uses Model Context Protocol to query, investigate, or act on security data through defined interfaces. The key governance issue is not the protocol itself, but how much authority the agent receives and whether its actions remain auditable and bounded.
  • Derivative data: Derivative data is a new artefact created from original sensitive content, such as a summary, extract, transformed file, or copied dataset. It is important because the sensitivity often follows the derivative even when the original source file stays in place.

Deepen your knowledge

AI security governance, browser-level visibility, and non-human identity control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for employees and AI agents using the same data, it is worth exploring.

This post draws on content published by Cyera: Cyera closes major gaps in securing enterprise AI. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org