TL;DR: Enterprises are moving LLMs and autonomous agents into production faster than security controls are maturing, while today’s AI security frameworks remain fragmented, high-level, and difficult to translate into enforceable controls, according to Lasso Security. The practical gap is lifecycle-wide governance that treats access, monitoring, and incident response as continuous requirements, not optional add-ons.
NHIMG editorial — based on content published by Lasso Security: Why enterprises need a real AI security standard for LLMs and agents
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams govern LLM and agent access in production?
A: Treat every model, agent, connector, and service account as part of one identity surface.
Q: Why do existing AI security frameworks fall short for IAM teams?
A: Because most frameworks describe desired outcomes rather than enforceable control design.
Q: What breaks when AI systems are governed like static applications?
A: Lifecycle drift breaks the governance model: treating AI systems as static applications assumes access and behaviour are fixed at deployment, while production models and agents keep changing.
Practitioner guidance
- Map AI systems to named identity owners: assign business and technical ownership for every model, agent, connector, and service account that can reach production AI.
- Enforce least privilege across AI access paths: scope human and machine access separately for prompts, outputs, connectors, and downstream APIs.
- Add lifecycle checkpoints before and after deployment: review training data, fine-tuning inputs, production permissions, and retirement steps as separate control moments.
What's in the full article
Lasso Security's full research covers the operational detail this post intentionally leaves for the source:
- Framework-by-framework breakdown of how NIST AI RMF, ISO/IEC 42001, cloud guidance, and the EU AI Act map to practical security controls.
- Detailed guidance on securing model access across employees, applications, and automated systems in multi-environment deployments.
- Operational examples of continuous monitoring, dynamic guardrails, and human-in-the-loop processes for live AI systems.
- AI-specific incident response considerations for production models, agents, and shared access paths.