TL;DR: AI governance strategies increasingly hinge on access control, monitoring, and lifecycle rules, with IBM reporting that 97% of AI-related breaches lacked proper AI access controls and Cornell highlighting accountability and transparency as core governance principles. The governance gap is now an identity problem, not just a policy problem.
NHIMG editorial — based on content published by Knostic: Key Findings on AI Governance Strategy
By the numbers:
- 97% of organizations that experienced a breach involving AI reported lacking proper AI access controls, underscoring how gaps in governance are already incurring significant financial costs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should teams implement AI access controls in a governance programme?
A: Start by inventorying every AI identity, including users, service accounts, API keys, model endpoints, and vendor connections.
Q: Why do AI governance programmes fail when IAM is weak?
A: Because AI governance depends on controlling who or what can reach data, tools, and models.
Q: How do security teams know whether AI guardrails are actually working?
A: Measure whether unsafe prompts are blocked, whether disallowed outputs are stopped before release, and whether retrieval paths leak data across intended boundaries.
Practitioner guidance
- Map AI identities into the enterprise IAM inventory Classify AI users, service accounts, API keys, model endpoints, and vendor integrations alongside human identities so access reviews cover all actors that can reach sensitive data.
- Overlay PBAC on top of role-based access Use role assignments for baseline access, then apply policy checks for sensitivity, time, purpose, and environment before AI systems can retrieve or expose data.
- Test prompt and retrieval boundaries together Run adversarial prompts against retrieval-augmented workflows and validate that the model cannot surface data that a user should not see through legitimate query paths.
What's in the full article
Knostic's full article covers the operational detail this post intentionally leaves for the source:
- Its step-by-step AI governance lifecycle checklist for inventory, approvals, enforcement, and audit readiness.
- Its detailed explanation of Knostic's knowledge-layer enforcement approach and how it maps to AI governance controls.
- Its practical examples of data classification, RBAC, PBAC, and monitoring for enterprise AI deployments.
👉 Read Knostic's analysis of AI governance strategy and access controls →
AI governance strategy and access controls: what teams are missing?
Explore further
AI governance strategy is an identity programme before it is an AI programme. The article’s strongest thread is that governance breaks when IAM, data controls, and monitoring are treated as separate disciplines. That is the same failure pattern identity teams have seen in NHI environments for years, where policy exists but access pathways remain uncontrolled. Practitioners should treat AI governance as an extension of identity governance, not a parallel initiative.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why AI governance cannot rely on incomplete identity inventories.
A question worth separating out:
Q: Who should be accountable for AI governance and retirement decisions?
A: Accountability should sit with named business and technical owners who control access, approve use cases, and sign off retirement. If no one owns deprovisioning, the model, its tokens, and its vendor connections can persist long after the use case is obsolete. That creates residual access and audit gaps.
👉 Read our full editorial: AI governance strategy now depends on identity, access, and guardrails