TL;DR: The mismatch between traditional access controls and AI-layer data exposure is the core issue, not AI adoption itself; Gartner named Knostic a 2025 Cool Vendor in AI Cybersecurity Governance for its topic access governance approach, which targets AI oversharing risk across Copilot, ChatGPT, and agentic environments while integrating with Purview, DLP, and DSPM workflows, according to Knostic and Gartner.
At a glance
What this is: Knostic’s Gartner recognition centres on AI cybersecurity governance, with topic access governance positioned as a way to detect and control AI oversharing risk.
Why it matters: This matters because AI assistants and agentic systems can surface data beyond intended permissions, forcing IAM, data protection, and security teams to extend governance into the AI interaction layer.
👉 Read Knostic's Gartner Cool Vendor analysis of AI cybersecurity governance
Context
AI cybersecurity governance is becoming a distinct control problem because enterprise AI tools can expose data that users were not meant to see, even when underlying identity and data controls appear intact. In practice, the question is no longer whether a user can authenticate, but whether the AI layer can over-assemble, over-share, or over-contextualize data during a prompt or response.
Knostic’s framing reflects a broader enterprise pattern: Copilot-style assistants, enterprise chatbots, and emerging agentic systems need policy enforcement that understands business context, topic scope, and need-to-know boundaries. Traditional IAM, DLP, and DSPM controls remain necessary, but they do not by themselves resolve oversharing risk inside AI interactions.
Key questions
Q: How should security teams control AI oversharing in enterprise copilots?
A: Security teams should define topic boundaries, then enforce them at the AI interaction layer with real-time policy checks. That means testing prompts, blocking high-risk disclosures, and aligning assistant output with need-to-know rules. Access to the source data is not enough if the model can still combine permitted data into an impermissible answer.
Q: Why do traditional IAM and DLP controls fall short for AI assistants?
A: Traditional IAM and DLP were built to govern systems, files, and identities, not conversational synthesis. AI assistants can reveal sensitive information by combining multiple permitted sources into a response that exceeds the user’s intended scope. The governance problem is disclosure control, which requires policy at the AI layer.
Q: What do organisations get wrong about AI governance and need-to-know access?
A: They often assume that if a user can access a data source, the AI can safely reuse it. That is too broad for enterprise AI, because the model may infer or expose more than the user should see in that context. Need-to-know must be expressed as a disclosure policy, not only as a source-permission rule.
Q: How can teams tell whether AI oversharing controls are actually working?
A: They should measure whether realistic prompts produce restricted answers, redactions, or blocks when policy should apply. If the assistant still returns sensitive context under common follow-up questions, the control is not effective. Effective governance changes the response the user sees, not just the log entries security teams review.
Technical breakdown
Topic access governance and AI oversharing control
Topic access governance is an AI-layer access model that evaluates whether a prompt or response crosses a user’s authorized topic boundary. Unlike conventional access control, which often maps permissions to systems, files, or roles, this model tries to constrain what an AI assistant can reveal when it assembles answers from multiple sources. That matters because oversharing can occur without a classic permission failure. The user may be entitled to some data, but not to the combined inference produced by the model. In governance terms, the control point shifts from storage access to conversational exposure.
Practical implication: treat AI responses as a governed disclosure surface, not just a retrieval feature.
Why traditional IAM, DLP, and DSPM do not fully cover AI assistants
IAM establishes who can sign in and what systems they may reach. DLP and DSPM help identify and protect sensitive data, but they are not designed to reason over prompt intent, response composition, or topic-level context inside an AI workflow. That leaves a gap when an assistant can surface sensitive material from permitted data in an impermissible way. For AI governance, the control objective is not only access to the source data but also control of the disclosure outcome. This is why AI security programmes increasingly need policy enforcement at the interaction layer.
Practical implication: map AI risk to disclosure paths, not only to source-system permissions.
Inline policy enforcement for enterprise AI and agentic systems
Inline policy enforcement places a control proxy between the user and the AI service so prompts and outputs can be evaluated in real time. That makes it possible to block high-risk requests, redact responses, or prevent the model from returning information that violates policy. For agentic systems, this becomes more important because the system may chain tool calls and reuse context across steps. The architectural point is simple: if the AI layer can decide what to reveal, then governance must inspect that decision before it reaches the user.
Practical implication: put enforcement where the AI interaction happens, not only where data is stored.
Threat narrative
Attacker objective: The objective is to elicit sensitive business, operational, or personal data through AI-generated over-disclosure rather than through a direct permission bypass.
- Entry begins with a user interacting with an AI assistant that has access to enterprise context and connected data sources.
- Escalation occurs when the assistant assembles information from multiple authorised sources into a response that exceeds the user’s topic boundary.
- Impact follows when sensitive data is exposed in a way that bypasses intended need-to-know restrictions and creates compliance or breach exposure.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- McKinsey AI platform breach — McKinsey AI platform hack exposed 46M chats and sensitive data.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI cybersecurity governance is now a disclosure-control problem, not just an authentication problem. The article shows the market moving from sign-in control toward prompt, topic, and response governance. That shift matters because the exposure point is the AI conversation itself, where data can be recombined and revealed even when the user’s base permissions are valid. Practitioners should treat this as an AI-layer access control issue, not a tooling preference.
Topic access governance names a real gap in enterprise control design. The useful concept here is not simply oversharing detection, but the idea that an AI system can expose more than the user’s role should allow. That creates a named governance boundary around topic scope, which is more operationally meaningful than generic AI risk language. Practitioners should define topic boundaries as a policy object, not leave them implicit in data classification alone.
Need-to-know principles do not disappear in AI environments, but they must be re-expressed. Traditional access models are built around data objects and applications, while AI assistants act as synthesis layers. That means the governance question changes from “can the user reach the data?” to “can the model reveal the data in context?” Practitioners should align AI governance with disclosure intent, not just data location.
Agentic systems will intensify the governance gap because they compound context across actions. Once an AI system can retrieve, combine, and act on information over multiple steps, the chance of policy drift increases. The issue is not only accidental oversharing but also cumulative exposure through chained interactions. Practitioners should assume that conversational access boundaries will be stressed further as agentic workflows mature.
Platform integration is necessary, but it is not the control objective. Integrating with Purview, DLP, or DSPM can improve visibility, yet the real objective is enforcing policy at the moment of disclosure. That distinction matters for governance design because visibility without enforcement still leaves an exposure path open. Practitioners should measure whether controls change user-visible outcomes, not just whether they generate alerts.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.
- For a broader control model, see OWASP Agentic AI Top 10 for the risk categories that make topic access governance harder to ignore.
What this signals
Topic access governance will become a core design requirement as AI assistants shift from search helpers to decision-support layers. Teams that only integrate DLP or DSPM will still miss conversational over-disclosure, so the programme signal is whether policy can shape the response before the user sees it. For standards alignment, the NIST AI Risk Management Framework remains a useful governance anchor.
With 33% of organisations already reporting AI agents accessing data beyond intended scope, according to the AI Agents: The New Attack Surface report, security leaders should expect audit, legal, and compliance teams to ask for evidence of topic-based enforcement rather than generic AI monitoring. The near-term programme question is whether controls can prove what the model was allowed to reveal, not just what it was allowed to query.
For practitioners
- Define topic-level access boundaries Map sensitive business topics, regulated data classes, and restricted operational context into explicit policy rules for AI assistants and chatbots. Use those boundaries to decide what the model may reveal, not just what the user may open in a backend system.
- Place enforcement in the AI interaction path Use an inline proxy or policy layer to inspect prompts and responses before the model returns output. That is the control point that can block high-risk disclosures, redact sensitive material, or stop a response that crosses an approved topic boundary.
- Test oversharing with realistic prompts Run prompt-based tests that mirror how employees actually ask questions, including vague follow-ups and synthesis requests. Measure whether the assistant reveals information that should remain outside the requester’s need-to-know scope.
- Extend DLP and DSPM into AI workflows Treat DLP and DSPM as supporting controls, then verify that they are wired into the places where AI systems assemble and return data. If they stop at storage, they will miss conversational exposure.
- Review agentic exposure paths separately Assess any AI workflow that can chain retrieval, reasoning, and tool use as a distinct governance domain. Those systems can expand exposure across steps, so one-time access checks are not enough.
Key takeaways
- AI governance fails when teams stop at authentication and forget disclosure control inside the assistant.
- Topic access governance addresses a real enterprise gap by constraining what the model may reveal, not just what the user may open.
- Practitioners should move enforcement into the AI interaction path if they want need-to-know policy to survive copilots and agentic workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Topic access governance addresses oversharing and prompt-driven exposure in agentic and assistant workflows. | |
| NIST AI RMF | GOVERN | The article is about governance for AI data exposure and accountability. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central to the article's need-to-know model for AI. |
| NIST Zero Trust (SP 800-207) | The article extends zero trust thinking into AI disclosure decisions and access boundaries. | |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the governing control concept behind topic access governance. |
Treat AI assistants as policy-enforced access points that continuously validate disclosure eligibility.
Key terms
- Topic Access Governance: A control approach that limits what an AI system may reveal based on the user’s topic-level entitlement, not only source data permissions. It tries to prevent oversharing by governing conversational disclosure, which is a different problem from standard file or application access control.
- AI Oversharing: The exposure of information through an AI assistant that exceeds what the user should reasonably receive in that context. The data may be technically accessible somewhere in the environment, but the model combines it into a response that breaks need-to-know expectations.
- Inline Policy Enforcement: A real-time control that inspects prompts and outputs before an AI system returns a response. It can block, redact, or modify content when the interaction violates policy, making it one of the few ways to influence disclosure at the moment it occurs.
- Need-to-Know Access: An access principle that allows visibility only to information required for a specific task or role. In AI environments, the rule must govern not just data retrieval but also what the model is permitted to synthesize and disclose in response to a prompt.
What's in the full analysis
Knostic's full article covers the operational detail this post intentionally leaves for the source:
- How topic access governance is positioned across Copilot, ChatGPT, and enterprise AI assistants
- Specific integrations with Microsoft Purview, DLP, and DSPM workflows
- Practical examples of inline policy enforcement for blocking high-risk prompts and responses
- The vendor's own framing of AI security, compliance, and governance alignment
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
Published by the NHIMG editorial team on 2025-10-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org