AI chatbots in business: what IAM and security teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9271
Topic starter  

TL;DR: AI chatbots are moving from customer support into sales, HR, banking, and other business workflows, while Gartner forecasts roughly 30% of Fortune 500 companies will use single AI-enabled customer service channels by 2028, according to Lakera. The governance problem is not chatbot capability alone, but the access, data, and trust assumptions these systems inherit from existing IAM and NHI controls.

NHIMG editorial — based on content published by Lakera: The Expanding Use of AI Chatbots in Business: Opportunities and Risks

By the numbers:

Questions worth separating out

Q: How should security teams govern AI chatbots that can access business systems?

A: Start by assigning each chatbot a clear identity, then limit its permissions to the smallest set of data and actions needed for the use case.

Q: Why do AI chatbots create IAM risk even when they are not fully autonomous?

A: Because they often inherit access from service accounts, APIs, and vendor integrations that are broader than the conversation needs.

Q: What do organisations get wrong about chatbot hallucinations?

A: They often treat hallucination as a user-experience issue instead of a governance issue.

Practitioner guidance

  • Inventory every chatbot identity and connector: Map each AI chatbot to the account, service principal, API token, or vendor integration it uses, then list the exact systems and datasets that identity can touch.
  • Split abuse controls from answer-quality controls: Test prompt-injection, jailbreak resistance, and tool restrictions separately from retrieval accuracy, hallucination rates, and user-output validation.
  • Limit delegated actions to explicit approval points: Require human approval before the chatbot can create records, change customer data, open tickets, or trigger downstream workflows.

What's in the full article

Lakera's full article covers the operational detail this post intentionally leaves for the source:

  • Detailed use-case examples across banking, healthcare, legal services, and retail.
  • Specific product-style claims and implementation context around customer-service and business-process automation.
  • The article's own list of chatbot benefits and risks, including productivity, multilingual support, and AI bias examples.
  • The broader marketing context around Lakera's GenAI security platform positioning.

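The inventory and approval-point guidance in the post above, sketched as an added example that is not part of the original post or of Lakera's article. The chatbot name, credential label, system names and action names are all hypothetical, and the inventory is constructed sample data.

```python
from dataclasses import dataclass

# Actions the guidance puts behind a human approval point (hypothetical names).
APPROVAL_REQUIRED = {"create_record", "change_customer_data",
                     "open_ticket", "trigger_workflow"}

@dataclass(frozen=True)
class ChatbotIdentity:
    name: str             # the chatbot
    credential: str       # account, service principal, API token or vendor integration
    granted: frozenset    # (system, action) pairs the credential can actually perform
    required: frozenset   # (system, action) pairs the use case needs

def excess_grants(bot):
    """Grants the identity holds that the declared use case does not need."""
    return sorted(bot.granted - bot.required)

def audit(inventory):
    """Map each over-privileged chatbot to its excess grants."""
    return {b.name: excess_grants(b) for b in inventory if excess_grants(b)}

def authorize(bot, system, action, approved_by=None):
    """Decide one tool call: declared use case first, then grant, then approval."""
    if (system, action) not in bot.required:
        return False, "outside declared use case"
    if (system, action) not in bot.granted:
        return False, "identity lacks grant"
    if action in APPROVAL_REQUIRED and not approved_by:
        return False, "human approval required"
    return True, "ok"

# Constructed inventory: one support chatbot whose service principal is broader
# than the conversation needs (it can also edit CRM data and read HR records).
INVENTORY = [
    ChatbotIdentity(
        name="support-bot",
        credential="service-principal:sp-support-bot",
        granted=frozenset({("crm", "read_customer"), ("crm", "change_customer_data"),
                           ("hr", "read_employee"), ("ticketing", "open_ticket")}),
        required=frozenset({("crm", "read_customer"), ("ticketing", "open_ticket")}),
    ),
]

if __name__ == "__main__":
    print("excess grants:", audit(INVENTORY))
    bot = INVENTORY[0]
    for call in [("crm", "read_customer"), ("hr", "read_employee"),
                 ("ticketing", "open_ticket")]:
        print(call, authorize(bot, *call))
```

The audit output is the list of grants to revoke from the underlying credential; the authorize check is a second layer that denies by default even while those grants still exist.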
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8712
 

AI chatbots in business create an identity problem before they create an AI problem. The core issue is not whether the chatbot can hold a conversation, but which identity it inherits and which data paths that identity opens. When the bot sits in front of CRM, HR, or support systems, the governance question becomes who can act through it and under what bounds. Organisations should treat chatbot access as part of identity architecture, not as a UI feature.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who is accountable when a business chatbot leaks data or acts incorrectly?

A: Accountability should sit with the team that owns the identity, the data source, and the workflow the chatbot touches, not with the model alone. If the chatbot operates inside customer service, HR, or finance, those business owners share responsibility for access scope, logging, and approval paths. Governance must match the business function the chatbot serves.
