TL;DR: Gartner says AI TRiSM brings four technical layers to govern trust, risk, security, privacy, and data protection across AI use cases, and expects AI TRiSM as a service to become a viable outsourced option by 2027; it also warns that 80% of unauthorized AI transactions through 2026 will stem from internal policy violations rather than malicious attacks. The governance gap is no longer experimental, and runtime controls now matter more than static approval gates.
NHIMG editorial — based on content published by Lasso Security: Gartner names Lasso Security as a representative vendor in AI TRiSM
By the numbers:
- Through 2026, at least 80% of unauthorized AI transactions will be caused by internal violations of enterprise policies concerning information oversharing, unacceptable use or misguided AI behavior rather than malicious attacks.
- By 2027, AI TRiSM as a service will emerge as a viable outsourced service option for enterprises that do not have the resources to implement their own AI TRiSM services.
Questions worth separating out
Q: How should security teams govern AI systems that access enterprise data?
A: Security teams should govern AI systems as runtime actors, not just as software tools.
Q: Why do AI systems create governance problems for IAM and NHI teams?
A: AI systems create governance problems because they can consume identities, secrets, and data in ways that are dynamic and hard to bound at design time.
Q: When should organisations prioritise runtime AI controls over static approvals?
A: Organisations should prioritise runtime AI controls whenever a system can generate outputs, call tools, or move data without a human approving each step.
Practitioner guidance
- Inventory every AI-enabled workflow: create a single register of sanctioned copilots, embedded models, internal GenAI apps, and third-party AI features.
- Bind AI use cases to runtime policy checkpoints: insert inspection and enforcement controls at prompt entry, data egress, and tool invocation points.
- Treat AI service accounts as governed NHIs: apply lifecycle management to the secrets and service accounts that let AI systems call APIs, fetch data, or trigger workflows.
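As an added illustration of the three steps above (not code from Lasso Security, Gartner, or this editorial), here is a minimal Python policy engine that checks one AI transaction against a constructed workflow register, constructed NHI records, and the three runtime checkpoints; every workflow name, service account, host, and date is hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import re

# Constructed register of sanctioned AI workflows (step 1): which tools each may
# invoke and which hosts it may send data to. All names are hypothetical.
REGISTER = {
    "sales-copilot": {"tools": {"crm.read", "calendar.read"}, "egress": {"crm.corp.example"}},
    "hr-assistant": {"tools": {"hris.read"}, "egress": {"hris.corp.example"}},
}
# Constructed NHI records (step 3): service account -> (bound workflow, secret expiry).
NHIS = {
    "svc-sales-copilot": ("sales-copilot", date(2026, 6, 30)),
    "svc-hr-assistant": ("hr-assistant", date(2024, 1, 1)),  # rotation overdue
}
# Crude oversharing detector for the prompt-entry checkpoint (illustrative only).
SENSITIVE = re.compile(r"\b(ssn|salary|password)\b", re.I)

@dataclass
class AITransaction:
    workflow: str
    nhi: str
    prompt: str
    tool: Optional[str] = None
    egress_host: Optional[str] = None

def evaluate(tx: AITransaction, today: date = date(2025, 1, 15)) -> List[str]:
    """Run every runtime checkpoint (step 2) on one transaction and return the
    policy violations found; an empty list means the transaction may proceed."""
    findings = []
    wf = REGISTER.get(tx.workflow)
    if wf is None:  # unregistered workflow: shadow AI, nothing else to check
        return ["register: workflow not sanctioned"]
    bound_to, expiry = NHIS.get(tx.nhi, (None, None))
    if bound_to != tx.workflow:
        findings.append("nhi: service account not bound to this workflow")
    elif expiry < today:
        findings.append("nhi: secret past its rotation date")
    if SENSITIVE.search(tx.prompt):  # prompt entry: information oversharing
        findings.append("prompt_entry: sensitive data in prompt")
    if tx.tool and tx.tool not in wf["tools"]:  # tool invocation: unacceptable use
        findings.append(f"tool_invocation: {tx.tool} not sanctioned")
    if tx.egress_host and tx.egress_host not in wf["egress"]:  # data egress
        findings.append(f"data_egress: {tx.egress_host} not allowed")
    return findings
```

Each finding is an internal policy violation of the kind the Gartner figure describes, surfaced per transaction rather than at a one-time approval gate.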
What's in the full article
Lasso Security's full article covers the operational detail this post intentionally leaves for the source:
- The exact Gartner category language used to position AI TRiSM and the representative-vendor listing.
- The vendor's description of runtime inspection, continuous testing, and guardrails for GenAI environments.
- The article's own examples of shadow LLM discovery across thousands of tools.
- The market framing for AI TRiSM as a distinct segment and what that means for platform selection.
Read Lasso Security's analysis of Gartner's AI TRiSM market guide.
AI TRiSM and GenAI governance: what security teams need to know