Notifications

Clear all

AI runtime security gap: are your posture controls enough?

Last Post

RSS

NHI Mgmt Group

(@nhi-mgmt-group)

Member Moderator

Joined: 1 year ago

Posts: 3789

Topic starter 10/06/2026 12:21 am

TL;DR: AI security posture tools can inventory models, pipelines, and data, but runtime behaviour remains the harder problem because LLM-powered agents can make API calls, access records, and invoke tools in ways scanners do not see, according to Orca Security. The real governance gap is that existing review and monitoring models assume AI behaviour is stable enough to be observed after the fact, which autonomous action breaks.

NHIMG editorial — based on content published by Orca Security: The Runtime Gap: Why AI Security Can't Stop at Posture

By the numbers:

80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
53% of MCP servers expose credentials through hard-coded values in configuration files.

Questions worth separating out

Q: How should security teams govern AI systems that make runtime decisions?

A: Security teams should govern AI systems as dynamic non-human identities, not static applications.

Q: Why do AI agents create problems for existing IAM controls?

A: AI agents create problems because traditional IAM assumes access can be reviewed after it is granted and before it changes materially.

Q: What breaks when teams only monitor prompts and not tool actions?

A: Teams miss the most important part of the event chain.

Practitioner guidance

Correlate AI activity with workload identity Map prompts, tool calls, and outputs back to the originating workload, process, and human or agent identity so you can reconstruct the full action chain during review and incident response.
Separate prompt risk from execution risk Treat sensitive prompts, jailbreak attempts, and secrets leakage as input signals, then validate what the model did after receipt by reviewing API calls, data access, and tool invocation logs.
Include MCP servers in identity governance scope Inventory which MCP servers, tools, and skills can reach production data or applications, then apply access review and change control to those connections as you would for other privileged NHI pathways.

What's in the full article

Orca Security's full article covers the operational detail this post intentionally leaves for the source:

Dashboard-level views for AI cloud workloads, AI models and tools, cloud AI services, and AI security posture
Real-time AI activity detection details, including how prompt analysis and MCP server interactions are correlated
Example use cases for tracing outbound LLM requests back to the originating workload and process
Bonus coverage of coding agents and human versus AI-generated code risk

👉 Read Orca Security's analysis of runtime AI security and posture gaps →

AI runtime security gap: are your posture controls enough?

Explore further

View Full Forum → | NHI Foundation Course →

Quote

Topic Tags

Forum Statistics

9 Forums

5,021 Topics

7,166 Posts

27 Online

136 Members

Latest Post: Agentic AI security best practices for 2026: are your controls keeping up? Our newest member: Alex Recent Posts Unread Posts Tags

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

FAQ

NHI 101 Articles

Legal & Policies