TL;DR: SANS Critical AI Security Guidelines focus on access controls, monitoring, and governance for AI systems, and Pomerium argues those controls only become meaningful when enforcement happens at the point of access. The central issue is not whether AI can be secured in theory, but whether identity policy can keep pace with human, service, and agent requests.
NHIMG editorial — based on content published by Pomerium: Turning SANS Critical AI Security Guidelines Into Enforceable Agentic Controls
By the numbers:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams enforce access controls for AI systems?
A: Security teams should enforce access controls at the point of request, not after the model has already responded.
Q: Why do AI workflows create the same governance problems as NHIs?
A: AI workflows often depend on service credentials, connected data sources, and delegated tool access, which makes them behave like non-human identities from a governance perspective.
Q: What should organisations do when RAG systems can reach sensitive data?
A: Organisations should treat retrieval permissions as a security boundary and separate them from general application access.
Practitioner guidance
- Bind AI access to authenticated identities: require every AI request to present a verifiable identity and apply policy before data retrieval or tool execution occurs.
- Separate retrieval permissions from model permissions: limit write access to augmentation data, apply read scopes narrowly, and log every change to connected data sources.
- Make policy decisions auditable at runtime: capture which identity requested the action, what policy allowed or denied it, and which resource was touched.
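The three guidance points above, as one added example (not Pomerium's code or the SANS text): an authorisation gate that runs before any retriever or tool is called, keeps retrieval rights separate from tool rights, and records identity, policy and resource for every decision. Identities, scope names and policy rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    subject: str          # human user, service account or AI agent
    kind: str             # "human" | "service" | "agent"
    scopes: frozenset     # narrowly granted rights, e.g. "read:rag/hr-policies"

AUDIT_LOG: list = []   # who asked, which rule decided, which resource was touched

def authorize(identity, action: str, resource: str) -> tuple:
    """Policy decision point. Constructed rules: retrieval ("rag/...") rights are a
    separate boundary from tool rights; writes to augmentation data need an explicit
    indexer scope and are never granted to agents."""
    if identity is None:
        allowed, policy = False, "deny-unauthenticated"
    elif resource.startswith("rag/") and action == "write":
        allowed = "write:rag-index" in identity.scopes and identity.kind != "agent"
        policy = "rag-write-requires-indexer-scope"
    elif resource.startswith("rag/") and action == "read":
        allowed, policy = f"read:{resource}" in identity.scopes, "rag-read-scope"
    elif resource.startswith("tool/") and action == "invoke":
        allowed, policy = f"invoke:{resource}" in identity.scopes, "tool-invoke-scope"
    else:
        allowed, policy = False, "deny-default"
    AUDIT_LOG.append({"subject": identity.subject if identity else None, "action": action,
                      "resource": resource, "allowed": allowed, "policy": policy})
    return allowed, policy

def gated_call(identity, action, resource, backend):
    """Policy enforcement point: the retriever or tool runs only after authorize()
    allows the request, so a denied request never reaches the data source."""
    allowed, _ = authorize(identity, action, resource)
    return backend(resource) if allowed else None

def demo() -> list:
    """Runs constructed requests through the gate; None marks a denied request."""
    agent = Identity("support-agent", "agent",
                     frozenset({"read:rag/hr-policies", "invoke:tool/ticket-search"}))
    indexer = Identity("rag-indexer", "service",
                       frozenset({"write:rag-index", "read:rag/hr-policies"}))
    requests = [
        (agent, "read", "rag/hr-policies"),      # scope present -> allowed
        (agent, "read", "rag/payroll"),          # no read scope -> denied
        (agent, "write", "rag/hr-policies"),     # agents never write augmentation data
        (indexer, "write", "rag/hr-policies"),   # indexer service holds the write scope
        (agent, "invoke", "tool/ticket-search"), # tool right is separate from retrieval
        (None, "read", "rag/hr-policies"),       # unauthenticated -> denied
    ]
    return [gated_call(i, a, r, lambda r: f"docs from {r}") for i, a, r in requests]
```

Each entry in AUDIT_LOG answers the three audit questions from the guidance (which identity, which policy, which resource) even for denied requests, which is what makes the decisions reviewable after the fact.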
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- How Pomerium applies per-request authorisation across AI, service, and human access flows
- The specific logging and policy enforcement patterns used to make AI interactions auditable
- How the article maps SANS guidance to access control, monitoring, and GRC implementation
- The practical explanation of how the platform sits in front of AI-connected systems
👉 Read Pomerium's analysis of SANS critical AI security guidelines →