TL;DR: As enterprises move from API experimentation to production inference, security risk shifts to the layer where prompts, retrieval, tools, agents, and customer data intersect, according to SentinelOne. The next AI architecture is multi-model and infrastructure-heavy, so governance must move with it.
At a glance
What this is: This is SentinelOne’s analysis of why production inference is becoming the core enterprise AI control plane and where security pressure concentrates.
Why it matters: It matters because IAM, data, cloud, and AI security teams now have to govern model routing, tool use, and data flow as one operational surface rather than separate controls.
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
👉 Read SentinelOne's analysis of secure enterprise inference and AI control planes
Context
Inference is the production layer where AI systems turn from experimentation into operational use, and that shift changes the security model. Once prompts, retrieval systems, tools, and data flows converge in one runtime, the question is no longer only model access. It becomes who can use which model, what data it can see, and what actions it can trigger.
For identity and access teams, this is the point where AI governance starts to overlap with NHI and agentic AI governance. Model endpoints, agents, and workflow tooling all need explicit control boundaries, because each one can become a path to over-privilege, data exposure, or unsanctioned action. That starting point is now becoming typical rather than exceptional in enterprise AI programmes.
Key questions
Q: How should security teams govern AI inference in production environments?
A: Security teams should treat inference as a production control plane, not a convenience layer. That means defining ownership, logging, data boundaries, tool permissions, and approval gates for every model path that touches enterprise workflows. If the model can retrieve data or trigger actions, its access scope needs the same discipline applied to other privileged systems.
Q: Why do multi-model AI architectures create new access and data risks?
A: Multi-model architectures create risk because governance becomes fragmented across vendors, model types, and runtime environments. Each routing choice introduces a different trust assumption, while each retrieval path or tool call can expose additional data or privileges. The more flexible the stack, the more important explicit entitlement rules become.
Q: What breaks when prompt injection reaches a model that can call tools?
A: Prompt injection becomes much more serious when a model can act, not just generate text. A manipulated instruction can redirect retrieval, trigger workflow execution, or expose data that the user was never meant to access. The failure is usually not the prompt itself, but the absence of tight tool and data scoping around the model.
Q: How do identity teams fit into AI governance for inference workloads?
A: Identity teams need to govern the AI system as a non-human participant in the workflow. That includes service identity, access scope, approval, monitoring, and revocation for the runtime components that make inference possible. When those identities are invisible, AI governance becomes difficult to audit and easy to over-permit.
Technical breakdown
Why inference changes the security model for enterprise AI
Inference is the phase where a model is asked to generate, summarise, classify, retrieve, or act on live enterprise context. Unlike training, it is continuous, user-driven, and connected to production data and workflows. That means the risk surface is not only the model output. It includes prompt input, retrieved content, tool invocation, and the infrastructure that hosts the request path. Security teams have to think in terms of runtime policy, data access, and decision boundaries rather than only model selection or vendor trust.
Practical implication: treat inference as a protected production service with policy, logging, and access boundaries, not as a lightweight application feature.
How multi-model architectures expand AI security and identity risk
A blended model stack lets organisations route workloads across frontier APIs, open source models, fine-tuned models, and dedicated inference infrastructure. That flexibility helps with cost and performance, but it also fragments governance. Every additional model source introduces different provenance, behaviour, and control assumptions. Every routing decision creates a question about identity, entitlement, and data handling. In practice, the governance problem resembles multi-cloud sprawl, except the unit being governed is model usage and action scope rather than only infrastructure location.
Practical implication: define approval, routing, and entitlement rules for each model class before teams start mixing providers in production.
Why prompt injection and unsafe tool use become control-plane issues
When models can call tools, retrieve internal content, or trigger workflow actions, the AI system is no longer just generating text. It is participating in enterprise execution. Prompt injection then becomes a control-plane problem because malicious or unintended instructions can redirect model behaviour toward unauthorised data access or action execution. The same is true for overbroad retrieval permissions and weak runtime policy. In that setup, identity governs not just who logs in, but which AI system can do what, under which conditions, and with which data scope.
Practical implication: scope retrieval permissions, tool access, and workflow privileges as tightly as any other privileged runtime.
Threat narrative
Attacker objective: The attacker seeks to steer production AI into revealing data, executing unsafe actions, or widening access through the inference layer.
- Entry occurs when an attacker influences the inference path through crafted prompts, malicious retrieved content, or an exposed model endpoint.
- Escalation follows when the model has broad tool, data, or workflow permissions and turns an input manipulation into unauthorised action or disclosure.
- Impact appears as data leakage, unsafe output, or misuse of connected enterprise systems through the AI control plane.
NHI Mgmt Group analysis
Inference is becoming the new AI control plane, and that shifts governance from model choice to runtime authority. Once a model can retrieve data, call tools, and influence workflows, security teams are governing execution, not just inference quality. That changes the unit of control from vendor selection to access boundaries, logging, and policy enforcement. Practitioners should treat AI runtime authority as a first-class governance domain.
Multi-model architecture creates AI governance debt if routing rules are left implicit. Blended stacks are attractive because they optimise cost, latency, and model fit, but they also multiply provenance and trust decisions. Without explicit policy, organisations end up with model sprawl that is harder to audit than classic application sprawl. The field now needs governance that follows the workload across models, not just across infrastructure.
Prompt injection becomes more dangerous when the model is allowed to act. The risk is no longer limited to unsafe text generation. If the same runtime can reach internal systems or trigger downstream actions, a manipulated input can become a delegated action chain. That makes agent permissions, retrieval scope, and tool entitlements the real security boundary. Teams should govern model action scope as tightly as privileged human access.
Identity governance must expand to cover AI systems as operational actors, even when they are not autonomous. An inference stack may not meet a strict autonomous-agent definition, but it still behaves as a persistent non-human participant in enterprise workflows. That means ownership, approval, monitoring, and revocation need to exist for the AI system itself. The practitioners who separate AI security from identity governance will miss the control point that now matters most.
Secure enterprise inference will be won by control, not by model variety alone. The market is moving toward flexible model selection, but flexibility without observability becomes risk accumulation. Security leaders should expect the next wave of AI platform competition to revolve around policy, runtime monitoring, and access control across the inference stack. The practical conclusion is simple: model diversity is only safe when governance is portable.
What this signals
Inference governance will increasingly be measured by whether teams can prove who, or what, is allowed to act at runtime. The practical boundary is no longer the model catalog but the live permission set around retrieval, tools, and workflows. Programmes that already map service identities and access scope into governance reviews will adapt faster than those still treating AI as an isolated application layer.
AI governance debt will accumulate wherever model routing, prompt handling, and entitlement decisions are left to individual teams. That is the point where policy becomes inconsistent and incident response becomes slow. The next operational priority is to make inference policy visible in the same way access reviews expose human and non-human privilege.
For readers building AI controls now, the strongest signal to watch is whether runtime policy can move with the workload. If access rules, logging, and approval logic do not travel across frontier APIs, open source models, and dedicated inference infrastructure, the security model will fracture as fast as adoption grows.
For practitioners
- Define inference-layer ownership Assign a named control owner for inference policy, model routing, retrieval permissions, and workflow actions so the runtime is governed like any other production control plane.
- Scope model and tool privileges Limit each model or agent to the minimum retrieval sources, tools, and execution paths required for its use case, and review those entitlements alongside privileged access.
- Instrument prompt and response logging Capture prompts, retrieved context, model outputs, and tool calls in a way that supports investigation, drift detection, and policy tuning without exposing unnecessary sensitive data.
- Separate model selection from approval Require explicit approval for new model classes, open source variants, and dedicated inference deployments before they enter production routing logic.
- Link AI runtime controls to identity governance Map AI systems, service accounts, and orchestration layers into identity reviews so access changes, offboarding, and exception handling are visible in one governance process.
Key takeaways
- Enterprise AI is moving from model access to inference governance, where runtime permissions matter more than API availability.
- Multi-model architectures improve flexibility, but they also multiply provenance, access, and data-handling decisions that security teams must now control.
- Identity, policy, and runtime monitoring need to converge around AI systems if organisations want speed without losing control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The article covers AI runtimes that can retrieve data and invoke tools. | |
| NIST AI RMF | GOVERN | Governance is central because the article focuses on runtime authority and ownership. |
| NIST CSF 2.0 | PR.AC-4 | Access control is needed for model endpoints, tools, and retrieval paths. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the control theme behind model, tool, and workflow scoping. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0009 , Collection; TA0001 , Initial Access | Prompt injection and exposed endpoints create attack paths through inference systems. |
Map inference abuse to ATT&CK tactics and harden prompt, retrieval, and tool pathways against manipulation.
Key terms
- Inference Layer: The inference layer is the production environment where an AI model handles live requests, retrieves context, and generates outputs. In enterprise settings it becomes a security boundary because prompts, data, tools, and workflow actions all intersect there.
- Model Routing: Model routing is the practice of directing workloads to different models based on factors such as cost, latency, capability, and control requirements. It matters for security because every routing decision changes the trust and governance assumptions around data handling and runtime behaviour.
- Prompt Injection: Prompt injection is a manipulation technique where hidden or malicious instructions influence how an AI system responds or acts. It becomes especially risky when the model can access internal data or tools, because the attack can shift from bad output to unauthorised action.
- AI Runtime Policy: AI runtime policy is the set of rules that governs what an AI system may retrieve, generate, and execute during live operation. It translates governance into enforcement by constraining data access, tool use, and workflow permissions at the point of action.
What's in the full article
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- The rationale behind the SentinelOne and Together AI investment partnership and how each side positions its role in secure inference.
- A deeper breakdown of prompt security, Purple AI, and the control points the vendor associates with protecting AI usage.
- The infrastructure security scope around cloud posture, workload behaviour, data movement, and runtime activity in dedicated inference environments.
- The vendor's view of how multi-model deployment changes visibility and policy requirements for enterprise AI.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and lifecycle control. It is suited to practitioners who need to connect identity governance with modern AI and infrastructure risk.
Published by the NHIMG editorial team on 2026-07-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org