AI security guidelines: what it means for identity teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter

TL;DR: SANS Critical AI Security Guidelines focus on access controls, monitoring, and governance for AI systems, and Pomerium argues those controls only become meaningful when enforcement happens at the point of access. The central issue is not whether AI can be secured in theory, but whether identity policy can keep pace with human, service, and agent requests.

NHIMG editorial — based on content published by Pomerium: Turning SANS Critical AI Security Guidelines Into Enforceable Agentic Controls

By the numbers:

Questions worth separating out

Q: How should security teams enforce access controls for AI systems?

A: Security teams should enforce access controls at the point of request, not after the model has already responded.

Q: Why do AI workflows create the same governance problems as NHIs?

A: AI workflows often depend on service credentials, connected data sources, and delegated tool access, which makes them behave like non-human identities from a governance perspective.

Q: What should organisations do when RAG systems can reach sensitive data?

A: Organisations should treat retrieval permissions as a security boundary and separate them from general application access.

Practitioner guidance

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • How Pomerium applies per-request authorisation across AI, service, and human access flows
  • The specific logging and policy enforcement patterns used to make AI interactions auditable
  • How the article maps SANS guidance to access control, monitoring, and GRC implementation
  • The practical explanation of how the platform sits in front of AI-connected systems

👉 Read Pomerium's analysis of SANS critical AI security guidelines →
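The request-path check described above, as an added example that is not part of the original post or of Pomerium's code: one authorisation point evaluates human, service and agent principals before any retrieval runs, retrieval scopes are kept separate from general application access, and an agent's delegated access is bounded by the grant of the user it acts for (that delegation rule, the scope names and the corpus are assumptions).

```python
"""Per-request authorisation in front of a RAG retrieval step (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    kind: str                  # "human", "service" or "agent"
    name: str
    scopes: frozenset          # scopes granted by the identity control plane
    on_behalf_of: Optional["Principal"] = None  # set when an agent acts for a user

    def effective_scopes(self) -> frozenset:
        # Assumption: delegated access never exceeds the delegator's own grant.
        if self.on_behalf_of is None:
            return self.scopes
        return self.scopes & self.on_behalf_of.effective_scopes()


# Constructed corpus and policy. Retrieval permissions are their own boundary:
# general app access ("app:use") grants no document scope at all.
CORPUS = {
    "kb/public-docs": "Published product documentation.",
    "kb/hr-records": "Salary bands and performance reviews.",
}
REQUIRED_SCOPE = {
    "kb/public-docs": "kb:public:read",
    "kb/hr-records": "kb:hr:read",
}
AUDIT_LOG: list[dict] = []  # one record per decision, for every actor type


def authorize(principal: Principal, resource: str) -> bool:
    """Single decision point shared by humans, services and agents; deny by default."""
    required = REQUIRED_SCOPE.get(resource)
    allowed = required is not None and required in principal.effective_scopes()
    AUDIT_LOG.append({
        "actor": f"{principal.kind}:{principal.name}",
        "delegator": principal.on_behalf_of.name if principal.on_behalf_of else None,
        "resource": resource,
        "allowed": allowed,
    })
    return allowed


def retrieve(principal: Principal, resources: list[str]) -> dict[str, str]:
    """Runs in the request path, before any model call, so a denied document
    never reaches the prompt. Returns only the documents the caller may read."""
    return {r: CORPUS[r] for r in resources if authorize(principal, r) and r in CORPUS}
```

Run with an agent that holds `kb:hr:read` itself but acts for a user who does not, and the HR document is withheld while the denial is still recorded in `AUDIT_LOG`.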

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

AI security becomes enforceable only when identity policy moves into the request path. SANS is right to focus on access controls, monitoring, and GRC, but the operational issue is simpler: if the authorisation decision happens after the request, the control already failed. That is the same lesson NHI teams learned with service accounts and API keys. The implication is that AI governance is not a separate discipline from identity governance, it is an enforcement problem at runtime.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own governance when humans, services, and AI agents all access the same resources?

A: Ownership should sit with the identity and security functions that already govern access policy, logging, and lifecycle controls. The key is to maintain one control plane for identity decisions, even if multiple actor types use it. That avoids duplicated rules, inconsistent audit trails, and gaps between AI operations and existing IAM programmes.

👉 Read our full editorial: SANS AI security guidelines expose the need for enforceable access
