TL;DR: The White House’s 2025 AI Action Plan ties innovation, infrastructure, and security to stricter expectations for transparency, benchmarking, and runtime governance across AI systems, according to Zenity. For security teams, the shift is less about policy slogans and more about proving that AI can be trusted, constrained, and monitored throughout its lifecycle.
NHIMG editorial — based on content published by Zenity: America's AI Action Plan: Innovation, Security, and What It Means for Builders and Buyers
Questions worth separating out
Q: How should security teams govern AI systems that can access tools and data at runtime?
A: Treat them as non-human identities with dynamic privileges.
Q: Why do AI systems complicate traditional least-privilege design?
A: Because least privilege is usually set at provisioning time, while AI systems can select actions during execution.
Q: What do security teams get wrong about AI and access control?
A: They often treat model approval as if it were the same as access approval.
Practitioner guidance
- Map AI runtime privileges before deployment: Inventory every data source, tool, and downstream workflow an AI system can touch, then remove anything not required for a specific task scope.
- Enforce task-scoped session boundaries: Treat each AI interaction as a bounded session with explicit start and end conditions, and prevent the session from inheriting broader standing access.
- Require audit evidence for access and behavior: Ask for logs, benchmark results, and configuration records that show what the system accessed, what it changed, and how exceptions were handled.
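The three practices above can be combined in one small authorisation layer. The sketch below is an added example, not code from Zenity's article or from any product. The inventory entries, task names and the `TaskSession` class are hypothetical, and the inventory is constructed sample data.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed inventory: every tool the agent can reach, mapped to the
# task scopes that actually require it (hypothetical names).
INVENTORY = {
    "crm.read_ticket": {"ticket_triage"},
    "crm.update_ticket": {"ticket_triage"},
    "hr.read_salary": {"payroll_report"},
    "mail.send": set(),  # reachable but required by no task: never granted
}

@dataclass
class TaskSession:
    """One bounded AI interaction: fixed task scope, explicit start and end."""
    agent_id: str
    task: str
    ttl_seconds: float
    now: Callable[[], float] = time.time
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # Privileges come from the task scope only, never from standing access.
        self.allowed = frozenset(
            tool for tool, tasks in INVENTORY.items() if self.task in tasks)
        self.expires_at = self.now() + self.ttl_seconds
        self.closed = False
        self._log("session_start", None, "ok")

    def _log(self, event, tool, outcome):
        # Audit evidence: who, for which task, touched what, with what result.
        self.audit.append({"ts": self.now(), "agent": self.agent_id,
                           "task": self.task, "event": event,
                           "tool": tool, "outcome": outcome})

    def authorize(self, tool):
        """Decide at the moment of use; denials are logged as exceptions."""
        if self.closed or self.now() >= self.expires_at:
            outcome = "deny_session_ended"
        elif tool not in self.allowed:
            outcome = "deny_out_of_scope"
        else:
            outcome = "allow"
        self._log("tool_call", tool, outcome)
        return outcome == "allow"

    def close(self):
        self.closed = True
        self._log("session_end", None, "ok")
```

Every tool call the agent attempts goes through `authorize`, so the audit list records denied attempts as well as permitted ones.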
What's in the full article
Zenity's full analysis covers the operational detail this post intentionally leaves for the source:
- How the article maps policy language to security controls for builders and buyers
- The specific runtime security priorities it recommends for AI systems, including access control and blast radius reduction
- Its discussion of open standards, benchmarking, and how they shape procurement expectations
- The article's full view on how AI security expectations are changing across the lifecycle
AI Action Plan and AI security governance: what changes for teams?
Explore further
AI policy is now a runtime governance problem, not a procurement checkbox. The article is right to link innovation with security, because the highest-risk failure mode is no longer whether AI is allowed, but what it can do after it is allowed. NIST-style governance only matters when access, telemetry, and enforcement are visible at the moment of use. Practitioners should treat AI approval as the start of control design, not the end.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when an AI system misuses delegated access?
A: Accountability sits with the organisation that granted the access and the team that defined the boundaries. The model does not create governance on its own. If the system can act on behalf of users or services, ownership must include identity lifecycle, monitoring, and revocation paths.