TL;DR: Extending visibility and policy controls across browsers, desktop apps, APIs, and MCP-connected AI workflows, including real-time detection of prompt injection, data leakage, and shadow AI use, SentinelOne says its definitive agreement to acquire Prompt Security will do so. The deal underscores that governing employee AI use now requires runtime inspection, not policy documents alone.
At a glance
What this is: SentinelOne's acquisition of Prompt Security is framed around extending real-time visibility and control over employee GenAI use, shadow AI, and MCP-connected workflows.
Why it matters: For IAM, security, and governance teams, this matters because AI usage is increasingly behaving like a managed access problem, with prompts, data exposure, and tool delegation creating new control points.
👉 Read SentinelOne's acquisition announcement for Prompt Security and AI governance
Context
AI adoption has moved faster than most governance models, especially where employees use GenAI tools outside formal IT channels. The practical issue is not whether AI is useful, but whether organisations can see what data enters those tools, where outputs go, and which workflows now operate beyond standard security oversight.
This is where the identity angle becomes explicit. AI agents, custom assistants, and MCP-connected tools can act like non-human identities in practice because they access data, invoke services, and persist across sessions. That creates a control problem for IAM, PAM, and data security teams that cannot be solved by application approval alone.
Key questions
Q: How should security teams govern GenAI applications without breaking usability?
A: Start by mapping the request path and applying controls where risk appears, not only at login. Use role and context signals, input validation, output filtering, and audit logging together so guardrails block unsafe actions without forcing every request through the same heavy review path.
Q: Why do MCP-based AI agents create new IAM risk?
A: MCP-based agents create IAM risk because they can act across multiple services with delegated permissions, often without a human approving each step. That turns a single identity into a chain of potential actions, so one mis-scoped token or server can expose far more than the original request intended. Lifecycle control and least privilege become mandatory.
Q: What do organisations get wrong about shadow AI governance?
A: They often try to block unsanctioned tools at the network layer without changing employee behaviour or providing an approved alternative. That pushes use to personal devices and leaves the enterprise blind. Discovery and policy-guided redirection are more useful than simple denial if the goal is control rather than displacement.
Q: Who is accountable when sensitive data leaks through consumer AI tools?
A: Accountability sits with the organisation’s identity, data protection, and security governance owners, because the risk comes from unmanaged access paths and weak content controls. If the enterprise permits use without federation, classification, and enforcement at the browser, the responsibility cannot be shifted to the employee alone.
Technical breakdown
Shadow AI discovery across browsers, desktops, and APIs
The core technical problem is that modern AI use is fragmented across unmanaged entry points. Browser extensions, desktop assistants, terminal tools, APIs, and custom workflows all generate prompts and responses that may never pass through a central control plane. Discovery therefore has to be runtime based, not inventory based. A live inventory can show which tools are being used, what context is entering them, and whether sanctioned and unsanctioned applications are both active in the same environment.
Practical implication: security teams need discovery that follows usage at runtime, not only approved app lists.
Prompt injection, leakage, and inline policy enforcement
AI-specific abuse often happens in the interaction layer. Prompt injection can steer an assistant into unsafe actions, while jailbreak attempts and malicious output manipulation can alter the behaviour of an otherwise legitimate workflow. Inline controls such as redaction, tokenisation, blocking, and coaching work only if they are applied before the interaction completes. This makes low-latency enforcement essential, because delayed review does not stop data from leaving the organisation.
Practical implication: teams should prioritise inline enforcement where prompts and responses are inspected before disclosure or execution.
MCP gateway security and delegated tool risk
MCP, or Model Context Protocol, creates a standardised path for AI systems to connect to tools and data sources. That makes it powerful for automation, but also a governance choke point because every connector expands the trust boundary. A gateway that scores MCP servers and enforces allow, block, filter, or redact decisions is fundamentally about controlling delegated access from AI systems. For identity teams, this starts to resemble least privilege for machine-to-tool interaction, with each delegation needing explicit policy.
Practical implication: organisations should treat MCP connections as privileged integrations and review them with the same discipline as service account access.
Threat narrative
Attacker objective: The attacker objective is to extract sensitive information or manipulate AI-driven workflows by abusing the trust placed in employee-facing GenAI systems.
- Entry occurs when employees use sanctioned or shadow AI tools through browsers, desktop apps, APIs, or MCP-connected workflows that sit outside normal visibility.
- Escalation follows when prompt injection, jailbreaks, or unsafe prompts influence the assistant to reveal sensitive data or act beyond intended scope.
- Impact is data leakage, misuse of confidential information, and weakened compliance evidence because the full prompt-and-response trail was not governed in real time.
Breaches seen in the wild
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI governance is becoming an access-control problem, not just a policy problem. Once employees use GenAI across browsers, desktop apps, APIs, and custom assistants, the security question shifts from acceptable use to runtime control. Policies that sit outside the workflow do not stop leakage, injection, or unsanctioned delegation. Practitioners should treat AI usage as a governed access path.
MCP expands the trust boundary in the same way service-to-service sprawl expanded cloud risk. Every additional server, template, and response path creates another delegated decision point. That makes AI tool connectivity a machine identity issue as much as an AI issue, because the system is now mediating who or what can invoke tools on behalf of the user. Practitioners should review MCP connectors as privileged integrations.
Shadow AI discovery will become a baseline control for enterprise assurance. If security teams cannot see which tools are being used, what data is being entered, and where outputs are stored, they cannot demonstrate compliance or contain an incident. The named concept here is AI usage blind spot: when usage is operationally real but absent from governance records. Practitioners should close that blind spot before scaling approvals.
Inline interception is the only defensible control point for prompt-based risk. Redaction, blocking, and coaching must happen before the model completes an unsafe action or discloses information. This aligns with broader zero trust principles, but the implementation is distinct because the protected object is not just a session. Practitioners should design controls around the prompt-response boundary.
What this signals
AI usage blind spot: the more employees rely on browser-based and embedded AI tools, the less useful app approval becomes as a security control. Programmes that cannot trace prompts, outputs, and delegated tool calls will struggle to satisfy audit, privacy, and incident response requirements.
MCP and similar delegation layers push AI security into the same governance territory as machine identity and privileged access. That means IAM and PAM teams should begin mapping AI-to-tool connections now, before those pathways become the default route for enterprise automation.
This development also suggests a broader market shift: control products for AI will be judged less by model awareness and more by whether they can enforce policy where work happens. The programme implication is clear. Security teams should evaluate AI controls on runtime interception, logging fidelity, and policy coverage, not marketing language.
For practitioners
- Map all AI entry points Inventory browser-based AI use, desktop assistants, APIs, terminal tools, and custom workflows so you can see where prompts and responses actually occur. Treat unmanaged usage as a governance gap, not an exception report. Suggested link target: Shadow AI discovery and audit capabilities.
- Classify AI connectors as privileged paths Review MCP servers, tool gateways, and API integrations as privileged connections with explicit allow, block, filter, or redact policy. Apply the same change control and access review discipline used for sensitive service accounts. Suggested link target: MCP gateway security and delegated access risk.
- Enforce inline data protection Redact or tokenise sensitive data before prompts leave the environment, and block high-risk prompts where disclosure would create compliance or breach exposure. Use low-latency enforcement so controls operate inside the user workflow rather than after the fact. Suggested link target: real-time prompt filtering and leakage prevention.
- Separate approval from observability Do not assume that approving a GenAI application gives you visibility into how employees are using it. Require searchable logs, prompt context, and response traces for audit and incident response. Suggested link target: searchable logs for audit and compliance.
Key takeaways
- AI adoption now creates an access governance problem because prompts, tools, and data flows can sit outside traditional visibility.
- Runtime controls matter more than policy statements when organisations need to stop prompt injection, leakage, and unsafe delegation.
- MCP-connected workflows and shadow AI make identity, privilege, and auditability central to AI security programmes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic AI risk around prompt injection and tool misuse is central here. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centres on non-human style access paths and delegated AI usage. |
| NIST AI RMF | GOVERN | AI governance, ownership, and accountability are the main control themes. |
| NIST CSF 2.0 | PR.AC-4 | The issue is access control across AI workflows and delegated tool paths. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is directly relevant to AI tool delegation and prompt access. |
Map AI workflows to agentic AI risks and require controls for delegation, prompt safety, and tool access.
Key terms
- Shadow AI: AI agents, copilots, or connected tools operating without full visibility or governance from security teams. Shadow AI becomes an identity problem when those systems authenticate with unmanaged tokens, service accounts, or OAuth apps that can reach production resources.
- MCP Gateway: The control layer that relays assistant intent to tools and data sources through the Model Context Protocol. In practice, it becomes a policy boundary, not just a transport layer. If it trusts model output too early, it can turn unverified reasoning into real-world execution or disclosure.
- Prompt Injection (Agentic): An attack where malicious instructions are embedded in content that an AI agent reads — causing the agent to execute unintended actions using its own legitimate credentials. A primary vector for agent goal hijacking and identity abuse.
- AI usage blind spot: An AI usage blind spot exists when organisations cannot see which AI tools are being used, what data is being entered, or what outputs are leaving the environment. It is a governance failure because the security team cannot audit, investigate, or constrain the activity.
What's in the full analysis
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- How Prompt Security's browser, desktop, and API coverage is positioned to discover sanctioned and unsanctioned AI use in practice.
- How the platform's policy engine is described as handling redaction, blocking, tokenisation, and coaching decisions at runtime.
- How the MCP gateway is described as scoring more than 13,000 known servers and enforcing allow, block, filter, or redact actions.
- How SentinelOne frames the acquisition inside its broader AI security strategy and platform integration plans.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and agentic AI identity. It helps practitioners build the control model needed to govern AI systems, delegated access, and identity risk across modern environments.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org