TL;DR: Nearly half of organisations are already deploying GenAI in production, yet only 19% feel highly confident in their security posture and 49% remain highly concerned about vulnerabilities, according to Lakera’s 2025 GenAI Security Readiness Report. The readiness gap is now operational, not theoretical, and it is widening as runtime attacks, integration complexity, and skill shortages outpace existing governance models.
At a glance
What this is: This report shows that enterprise GenAI adoption is accelerating faster than security maturity, leaving many organisations exposed to runtime risks they are not yet prepared to govern.
Why it matters: IAM, security architecture, and governance teams need to treat GenAI as an access and control problem, because production use changes how privileges, integrations, and trust boundaries behave across NHI, autonomous, and human workflows.
By the numbers:
- Only 19% of organisations describe their GenAI security posture as highly confident.
- 15% of organisations reported a GenAI-related security incident in 2025.
- 39% of respondents cite a shortage of skilled AI-security talent as their biggest challenge.
👉 Read Lakera’s 2025 GenAI Security Readiness Report
Context
GenAI security readiness is now a governance problem, not just a model-safety problem. When production deployments move into customer touchpoints, developer pipelines, and internal workflows, the security team must control access, integration boundaries, and runtime behaviour rather than assume static policy is enough.
The central issue is that many enterprise controls were designed for systems that do not independently reshape their own task context during execution. Once GenAI becomes operational, the programme has to account for prompt injection, data leakage through integrations, and the organisational gap between adoption speed and security capability.
For IAM and security leaders, this is a familiar pattern with a new actor type. The hard part is no longer whether AI exists in the stack, but whether the identity and access model can keep up with how that AI is used in production.
Key questions
Q: How should security teams govern GenAI systems in production workflows?
A: Treat production GenAI as an access-governance problem, not just a model-risk problem. Security teams should inventory every connector, token, service account, and data source the system can reach, then scope privileges to the minimum needed for the workflow. Governance must also cover prompt injection testing, logging, and containment paths when the system behaves unexpectedly.
Q: Why do GenAI systems create more security risk once they are connected to business data?
A: Because the risk moves from model behaviour to delegated access. Once a GenAI system can retrieve data or trigger actions, any flaw in prompts, integrations, or credentials can become data leakage or unauthorised execution. The practical issue is not AI alone. It is the trust chain around AI.
Q: What do security teams get wrong about GenAI readiness?
A: They often confuse adoption with maturity. A team can have visible GenAI deployments and still lack the architecture, skills, and operational controls needed to govern them safely. Readiness requires evidence that controls work in live workflows, especially where external data, internal APIs, and privilege-bearing credentials intersect.
Q: How can organisations tell whether their AI security controls are actually working?
A: They should look for enforcement evidence, not policy statements. Useful signals include blocked unsafe actions, tested prompt-injection paths, constrained connector permissions, reviewed service identities, and a documented response path when the workflow behaves outside expectations. If those artefacts do not exist, readiness is assumed rather than demonstrated.
Technical breakdown
Prompt injection and system instruction override
Prompt injection is an input manipulation technique that persuades a model or assistant to ignore its intended instructions and follow attacker-supplied ones instead. The risk is not just bad output. In connected environments, the model may also trigger downstream actions, expose data, or change the sequence of operations it was supposed to follow. That makes prompt injection an application-layer control failure as much as a content-safety issue. It becomes more dangerous when the model is embedded in workflows with tool access or delegated permissions.
Practical implication: isolate model instructions from untrusted input and test whether the system can be steered into unsafe actions.
Integration risk in GenAI-connected workflows
GenAI systems become materially harder to secure when they are connected to internal systems, external APIs, and developer pipelines. The security exposure is often not the model itself but the trust chain around it: credentials, connectors, data retrieval, and action execution. If integrations are over-permissioned, a model compromise or misfire can turn into data exposure or unauthorised operational change. This is why GenAI governance overlaps with NHI governance, secrets management, and privilege scoping.
Practical implication: review every connector, token, and workload identity that lets a GenAI system reach business data or operational tools.
Compound readiness gap in AI security operations
A compound readiness gap appears when organisations have adoption pressure but lack both the skilled staff and the architecture to secure what they have built. That means visibility may improve faster than enforcement, and awareness may outpace containment. In practice, teams know the risk exists, but cannot consistently evaluate, test, or operationalise controls across models, apps, and workflows. The result is security debt that accumulates as AI spreads into production.
Practical implication: measure whether your AI security programme can actually test and enforce controls, not just document them.
NHI Mgmt Group analysis
GenAI security readiness is now an identity governance problem. Once GenAI is embedded in production workflows, the question is no longer whether the model is safe in isolation. The real issue is whether access, integration, and runtime control can keep pace with how the system is used. That puts IAM, NHI governance, and AI security operations into the same control plane, because delegated capability is what turns AI from a feature into an exposure.
Runtime confrontation has replaced static assurance as the operating reality. The report’s shift from privacy dominance to adversarial misuse and agent risk shows that security teams are no longer dealing with a one-time configuration problem. They are dealing with behaviour that changes during execution, which means assurance must be continuous and contextual. Practitioners should treat GenAI as a live control surface, not a one-time deployment decision.
Compound readiness gap: adoption outpaces both architecture and skill. The report shows that organisations can be willing to deploy GenAI without being able to secure it at the same pace. That combination creates an exposed middle ground where visibility exists, but operational enforcement does not. The implication for programme owners is straightforward: maturity claims are not credible if the team cannot evidence testing, containment, and policy enforcement across live AI workflows.
GenAI security will increasingly converge with secrets and workload identity governance. The most consequential failures will often sit around the model rather than inside it, especially where connectors, APIs, and service credentials define what the system can reach. That means the next stage of AI security maturity will be measured by how well teams govern the identities and privileges surrounding the model. Practitioners should expect AI security, IAM, and NHI work to merge into one operational discipline.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- In the same research, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a useful reminder that delegated access is where many identity programmes lose control.
- For a deeper lifecycle lens, NHI Lifecycle Management Guide helps teams think through ownership, rotation, and offboarding when machine and AI identities expand faster than governance.
What this signals
Compound readiness gap: organisations are not only struggling to adopt GenAI safely, they are also struggling to staff and structure the work needed to govern it. The control problem will increasingly sit in the seams between IAM, application security, and AI operations, where ownership is least clear and failures are hardest to detect.
The next year will favour teams that can prove containment across live workflows, not teams that can describe policy intent. That means connector review, service identity scoping, and prompt-injection testing will become part of routine assurance rather than specialist AI exercises.
As GenAI moves closer to business-critical execution, the identity perimeter becomes wider and more dynamic. Teams that already manage NHI sprawl, secret exposure, and privileged integrations will have a head start, while others will need to build those habits under production pressure.
For practitioners
- Map every GenAI integration boundary Inventory the connectors, APIs, service accounts, and tokens that let GenAI systems reach sensitive data or execute actions. Classify each dependency by privilege level and business impact so you can see where a model issue becomes an access issue.
- Test for prompt injection in business workflows Red-team the actual workflow, not just the model, by checking whether untrusted input can override instructions, trigger data exposure, or alter downstream actions. Focus on the path from prompt to tool invocation and from tool invocation to business effect.
- Tighten credentials around GenAI-connected systems Review whether the service identities, tokens, and API keys supporting GenAI workflows are scoped to the minimum needed and are monitored separately from human access. Treat those credentials as production NHI assets with clear ownership and removal criteria.
- Measure readiness with enforcement evidence Ask whether your programme can prove control effectiveness across live AI usage, not just document policy. Track test coverage, blocked actions, connector permissions, and incident response paths to show whether security controls actually work in production.
Key takeaways
- The report shows that GenAI adoption is already ahead of organisational readiness, which turns security into a live operational gap rather than a future planning issue.
- The biggest risk is not model capability alone, but the identity, credential, and integration chain that lets GenAI reach real systems and data.
- Practitioners should measure readiness by enforcement evidence, because policy without tested control is not a defensible security posture.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Prompt injection and tool misuse are central risks in the report. |
| OWASP Non-Human Identity Top 10 | NHI-03 | GenAI connectors rely on service credentials and tokens that require lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | The report’s readiness gap maps to access control and permission governance. |
Inventory and govern every non-human credential supporting GenAI workflows, then rotate and offboard by ownership.
Key terms
- GenAI security readiness: The extent to which an organisation can safely deploy generative AI in production without losing control over data, access, or downstream actions. It combines policy, architecture, skills, and operational testing, because a secure model is not enough if the surrounding workflow remains open to abuse.
- Prompt injection: A manipulation technique that uses crafted input to steer a model away from its intended instructions. In production systems, the risk extends beyond bad answers because the model may also expose data, call tools, or trigger actions that were never meant to occur.
- Compound readiness gap: A condition where an organisation has AI adoption pressure but lacks both the staff and the technical architecture to secure it properly. The gap matters because visibility, policy, and execution can advance at different speeds, leaving controls documented but not enforceable.
- Delegated access chain: The set of identities, credentials, integrations, and permissions that allow a GenAI system to reach data or perform actions. It matters because risk often appears in the chain around the model, where service identities and APIs turn model behaviour into business impact.
What's in the full report
Lakera's full report covers the operational detail this post intentionally leaves for the source:
- Role-based breakdowns of concern, confidence, and preparedness across respondents.
- The underlying survey findings that separate adoption pressure from security maturity.
- Visual charts that show how risk perception shifts across AI security functions.
- Practitioner-facing detail on the incidents and workflow patterns behind the headline numbers.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-11-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org