TL;DR: Enterprise AI assistants are becoming front doors to internal APIs, databases and SaaS, and Pomerium says the McKinsey platform hack showed how broad intermediary trust, not prompt injection alone, can let attackers trigger internal actions and data access. The architectural lesson is that AI systems need request-by-request policy enforcement, not blanket trust at login.
NHIMG editorial — based on content published by Pomerium covering the McKinsey AI platform hack and the access control pattern behind it
Questions worth separating out
Q: How should security teams govern AI assistants that can call internal tools?
A: They should put a policy enforcement layer between the AI system and every internal service, then require identity verification and authorization on each request.
Q: Why do AI platforms create confused deputy risk in enterprise environments?
A: Because the AI layer often sits in the middle of users and internal systems while holding more access than any single user should have.
Q: What breaks when AI authorization happens only at login?
A: A login-only model assumes the session stays safe after authentication, but AI systems may make many later decisions and tool calls across multiple services.
Practitioner guidance
- Insert a central policy enforcement point: Route every AI-driven request through a gateway that authenticates the user, verifies the context, and evaluates authorization before any internal API or data access occurs.
- Eliminate broad trust in downstream services: Stop allowing internal APIs to trust the AI platform by default.
- Log tool calls with user context: Capture the user identity, resource accessed, policy outcome, source IP, and timestamp for every AI action so security teams can reconstruct tool use and investigate misuse.
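The per-request model described in the Q&A above and the three guidance points are easier to reason about in code. The following is an added example, not Pomerium's or McKinsey's code and not the YAML policy from the full article: a small enforcement point that decides each tool call on the verified end-user identity attached to the request (never on the AI platform's own service identity), denies administrative MCP tool paths outright, falls back to default deny, and writes an audit record with user, resource, policy outcome, source IP and timestamp for every decision. The tool paths, group names, the `ai-orchestrator` caller name and all sample requests are constructed for illustration.

```python
"""Per-request policy enforcement for AI tool calls.

Added example (not Pomerium's or McKinsey's code). Every identifier here is
constructed for illustration: tool paths, group names and TRUSTED_CALLERS are
hypothetical. The gateway decides on the verified end-user identity carried
with each request, never on the AI platform's own service identity, and it
writes an audit record for every decision.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import fnmatch

# Services allowed to forward requests through this enforcement point.
# Being a trusted caller gains no privileges; it only means the request
# arrived by the expected path (hypothetical name).
TRUSTED_CALLERS = {"ai-orchestrator"}


@dataclass(frozen=True)
class ToolRequest:
    user: str                 # end-user identity verified from the session token
    groups: frozenset         # group claims from the identity provider
    tool_path: str            # internal tool or API the assistant wants to invoke
    source_ip: str
    service_caller: str       # the intermediary that forwarded the call


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str               # "allow" or "deny"
    tool_glob: str            # glob matched against tool_path
    groups: frozenset = frozenset()   # empty set = applies to every user


# Constructed policy: administrative MCP tool paths are denied for everyone,
# report queries are allowed for analysts, ticket reads for support and analysts.
POLICY = [
    Rule("deny-admin-mcp", "deny", "mcp/admin/*"),
    Rule("allow-report-queries", "allow", "db/query/reports/*", frozenset({"analysts"})),
    Rule("allow-ticket-read", "allow", "helpdesk/tickets/read", frozenset({"support", "analysts"})),
]

AUDIT_LOG = []   # one record per decision, allow or deny


def _decide(req, policy):
    """Pure policy decision: (allowed, rule_name). Explicit deny beats allow; default deny."""
    if req.service_caller not in TRUSTED_CALLERS:
        return False, "untrusted-caller"
    if not req.user:
        # The AI platform acting with no end user attached is the confused-deputy case.
        return False, "no-user-identity"
    matched = [
        r for r in policy
        if fnmatch.fnmatchcase(req.tool_path, r.tool_glob)
        and (not r.groups or r.groups & req.groups)
    ]
    for r in matched:
        if r.effect == "deny":
            return False, r.name
    for r in matched:
        if r.effect == "allow":
            return True, r.name
    return False, "default-deny"


def evaluate(req, policy=POLICY, now=None):
    """Authorize one tool call and append an audit record. Returns (allowed, rule_name)."""
    allowed, rule = _decide(req, policy)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    AUDIT_LOG.append({
        "ts": stamp,
        "user": req.user,
        "caller": req.service_caller,
        "tool": req.tool_path,
        "source_ip": req.source_ip,
        "decision": "allow" if allowed else "deny",
        "rule": rule,
    })
    return allowed, rule


# Constructed sample traffic: one authenticated session issuing several later tool calls.
SAMPLE_REQUESTS = [
    ToolRequest("alice", frozenset({"analysts"}), "db/query/reports/q42", "10.0.0.7", "ai-orchestrator"),
    ToolRequest("alice", frozenset({"analysts"}), "mcp/admin/delete_user", "10.0.0.7", "ai-orchestrator"),
    ToolRequest("bob", frozenset({"support"}), "db/query/reports/q42", "10.0.0.9", "ai-orchestrator"),
    ToolRequest("", frozenset(), "helpdesk/tickets/read", "10.0.0.3", "ai-orchestrator"),
    ToolRequest("alice", frozenset({"analysts"}), "helpdesk/tickets/read", "10.0.0.7", "batch-job"),
]


def replay(requests=SAMPLE_REQUESTS):
    """Run every request through the gateway; return the list of (allowed, rule) outcomes."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for req, (allowed, rule) in zip(SAMPLE_REQUESTS, replay()):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {req.user or '<no user>':10} {req.tool_path:28} {rule}")
```

The second sample request is the one the login-only model gets wrong: the same session that was legitimately allowed a report query a moment earlier is refused the administrative MCP call, because the decision is made again, per request, against the user's actual entitlements rather than against the session having authenticated once. The fourth request shows the intermediary-trust failure: a call arriving from the AI platform with no end user attached is denied rather than inheriting the platform's reach.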
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- The end-to-end request flow showing how a user session becomes a policy-checked internal action.
- The YAML policy example that separates allowed database queries from denied administrative MCP tool paths.
- The audit log fields that let teams reconstruct AI-driven actions by user, resource, policy, and source IP.
- The architecture diagram for putting an identity-aware proxy between the AI orchestrator and internal services.