TL;DR: Gartner says AI TRiSM brings four technical layers to govern trust, risk, security, privacy, and data protection across AI use cases, and expects AI TRiSM as a service to become a viable outsourced option by 2027; it also warns that through 2026 at least 80% of unauthorized AI transactions will stem from internal policy violations rather than malicious attacks. The governance gap is no longer experimental, and runtime controls now matter more than static approval gates.
NHIMG editorial — based on content published by Lasso Security: Gartner names Lasso Security as a representative vendor in AI TRiSM
By the numbers:
- Through 2026, at least 80% of unauthorized AI transactions will be caused by internal violations of enterprise policies concerning information oversharing, unacceptable use or misguided AI behavior rather than malicious attacks.
- By 2027, AI TRiSM as a service will emerge as a viable outsourced service option for enterprises that do not have the resources to implement their own AI TRiSM services.
Questions worth separating out
Q: How should security teams govern AI systems that access enterprise data?
A: Security teams should govern AI systems as runtime actors, not just as software tools.
Q: Why do AI systems create governance problems for IAM and NHI teams?
A: AI systems create governance problems because they can consume identities, secrets, and data in ways that are dynamic and hard to bound at design time.
Q: When should organisations prioritise runtime AI controls over static approvals?
A: Organisations should prioritise runtime AI controls whenever a system can generate outputs, call tools, or move data without a human approving each step.
Practitioner guidance
- Inventory every AI-enabled workflow: create a single register of sanctioned copilots, embedded models, internal GenAI apps, and third-party AI features.
- Bind AI use cases to runtime policy checkpoints: insert inspection and enforcement controls at prompt entry, data egress, and tool invocation points.
- Treat AI service accounts as governed NHIs: apply lifecycle management to the secrets and service accounts that let AI systems call APIs, fetch data, or trigger workflows.
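The three guidance points above, worked through as one small policy engine. This is an added example written for this editorial; it is not code from Gartner, Lasso Security or NHIMG, and the use-case register entry, the data classifiers, the service-account inventory and every sample input are constructed. It shows a register of sanctioned use cases, a checkpoint at each of the three control points (prompt entry, tool invocation, data egress), and a lifecycle check that flags service accounts with no owner, no bound use case, or an overdue secret rotation.

```python
"""Runtime policy checkpoints for registered AI use cases, plus lifecycle
checks on the service accounts (NHIs) those use cases run as. Added example
for this editorial, not code from Gartner, Lasso Security or NHIMG; register,
classifiers, inventory and sample inputs are all constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re

DATA_CLASSES = ["public", "internal", "confidential", "regulated"]

@dataclass(frozen=True)
class AIUseCase:
    owner: str                 # accountable business owner
    service_account: str       # NHI the AI system runs as
    allowed_tools: frozenset   # tools it may invoke
    allowed_egress: frozenset  # destinations data may flow to
    max_data_class: str        # highest data classification permitted

# Register of sanctioned AI use cases (constructed sample entry)
REGISTER = {
    "support-copilot": AIUseCase(
        owner="cx-platform", service_account="svc-support-copilot",
        allowed_tools=frozenset({"search_kb", "create_ticket"}),
        allowed_egress=frozenset({"crm.internal"}),
        max_data_class="confidential"),
}

# Deliberately crude classifiers; a real deployment would call the org's DLP.
PATTERNS = {
    "regulated": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-shaped
    "confidential": re.compile(r"\b(salary|contract value)\b", re.I),
}

def classify(text: str) -> str:
    """Highest data class detected in text; defaults to 'internal'."""
    for cls in reversed(DATA_CLASSES):
        if cls in PATTERNS and PATTERNS[cls].search(text):
            return cls
    return "internal"

def _above_ceiling(uc: AIUseCase, cls: str) -> bool:
    return DATA_CLASSES.index(cls) > DATA_CLASSES.index(uc.max_data_class)

UNREGISTERED = (False, "unregistered use case (shadow AI): block and triage")

def check_prompt(use_case: str, prompt: str) -> tuple[bool, str]:
    """Checkpoint 1, prompt entry: classify text before the model sees it."""
    uc = REGISTER.get(use_case)
    if uc is None:
        return UNREGISTERED
    cls = classify(prompt)
    if _above_ceiling(uc, cls):
        return False, f"prompt contains {cls} data, above {uc.max_data_class} ceiling"
    return True, "allowed"

def check_tool_call(use_case: str, tool: str) -> tuple[bool, str]:
    """Checkpoint 2, tool invocation: only allowlisted tools may be called."""
    uc = REGISTER.get(use_case)
    if uc is None:
        return UNREGISTERED
    if tool not in uc.allowed_tools:
        return False, f"tool {tool!r} not allowlisted for {use_case}"
    return True, "allowed"

def check_egress(use_case: str, destination: str, payload: str) -> tuple[bool, str]:
    """Checkpoint 3, data egress: approved destination, data below ceiling."""
    uc = REGISTER.get(use_case)
    if uc is None:
        return UNREGISTERED
    if destination not in uc.allowed_egress:
        return False, f"destination {destination!r} not approved for {use_case}"
    cls = classify(payload)
    if _above_ceiling(uc, cls):
        return False, f"egress payload contains {cls} data"
    return True, "allowed"

# Service accounts as governed NHIs (constructed inventory)
@dataclass(frozen=True)
class ServiceAccount:
    name: str
    owner: str | None
    secret_created: date
    rotation_days: int = 90

NHI_INVENTORY = [
    ServiceAccount("svc-support-copilot", "cx-platform", date(2025, 5, 1)),
    ServiceAccount("svc-old-pipeline", None, date(2024, 11, 1)),
]

def nhi_findings(today_iso: str) -> dict[str, list[str]]:
    """Lifecycle findings per account (unbound, orphaned, rotation overdue);
    accounts with nothing to report are omitted."""
    today = date.fromisoformat(today_iso)
    bound = {uc.service_account for uc in REGISTER.values()}
    findings: dict[str, list[str]] = {}
    for acct in NHI_INVENTORY:
        issues = []
        if acct.name not in bound:
            issues.append("not bound to any registered AI use case")
        if not acct.owner:
            issues.append("no accountable owner")
        overdue = (today - acct.secret_created).days - acct.rotation_days
        if overdue > 0:
            issues.append(f"secret rotation overdue by {overdue} days")
        if issues:
            findings[acct.name] = issues
    return findings
```

The design choice worth noting is that every checkpoint starts from the register: a use case that is not registered is refused at all three points, so discovery of shadow AI and enforcement share the same source of truth, and the NHI check closes the loop by flagging service accounts that no registered use case claims.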
What's in the full article
Lasso Security's full article covers the operational detail this post intentionally leaves for the source:
- The exact Gartner category language used to position AI TRiSM and the representative-vendor listing.
- The vendor's description of runtime inspection, continuous testing, and guardrails for GenAI environments.
- The article's own examples of shadow LLM discovery across thousands of tools.
- The market framing for AI TRiSM as a distinct segment and what that means for platform selection.
👉 Read Lasso Security's analysis of Gartner's AI TRiSM market guide →
AI TRiSM and GenAI governance: what security teams need to know
Explore further
AI TRiSM is becoming the governance layer that traditional IAM never covered. IAM can authenticate users and grant access, but it does not by itself decide whether an AI system should be allowed to generate, transform, or transmit regulated data at runtime. That gap is now a standing enterprise control problem, not an edge case. Practitioners should treat AI governance as an extension of identity governance, not a separate AI-only initiative.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: What should teams do if they discover shadow AI in the business?
A: Teams should first identify who owns the tool, what data it touches, and which identities it uses. Then they should either bring it under policy and lifecycle control or remove access to enterprise data until governance is in place. Discovery without containment simply confirms the scale of the gap.
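The triage the answer above describes, as an added example for this editorial (not code from NHIMG, Lasso Security or Gartner). The sanctioned-app list, the discovered grants and the high-risk scope list are constructed. For each discovered tool it collects the three facts the answer asks for (owner, data touched, identities used) and then decides between onboarding under policy and containment; it goes one step beyond the text by also flagging a shadow tool that runs under an identity a sanctioned tool already uses, since that tool has inherited sanctioned access.

```python
"""Shadow-AI triage: reconcile discovered AI tools against the sanctioned
register, then decide per tool whether it is onboarded under policy or
contained (enterprise data access removed) until governance is in place.
Added example for this editorial, not code from NHIMG, Lasso Security or
Gartner; the register, discovery records and thresholds are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Sanctioned AI use cases (constructed); in practice, the AI use-case register
SANCTIONED = {"support-copilot", "sales-summariser"}

# Scopes whose grant to an unvetted tool warrants containment before anything else
HIGH_RISK_SCOPES = {"files.read.all", "mail.read", "directory.read.all"}

@dataclass(frozen=True)
class Grant:
    """One discovered grant: an app seen in OAuth consent, proxy or SaaS logs."""
    app: str
    owner: str | None        # resolved from the consenting user or app metadata
    scopes: frozenset        # data the grant touches
    identity: str            # NHI or user token behind the grant

@dataclass(frozen=True)
class Triage:
    app: str
    owners: frozenset
    scopes: frozenset
    identities: frozenset
    reuses_sanctioned_identity: bool
    action: str              # "governed" | "onboard" | "contain"

def triage(grants: list[Grant]) -> dict[str, Triage]:
    """Answer the three questions per tool (who owns it, what data it touches,
    which identities it uses) and pick contain vs onboard."""
    by_app: dict[str, list[Grant]] = {}
    for g in grants:
        by_app.setdefault(g.app, []).append(g)
    # identities sanctioned tools run as; a shadow tool holding one of these
    # has inherited sanctioned access and is cut off first
    sanctioned_ids = {g.identity for g in grants if g.app in SANCTIONED}
    result: dict[str, Triage] = {}
    for app, gs in by_app.items():
        owners = frozenset(g.owner for g in gs if g.owner)
        scopes = frozenset().union(*(g.scopes for g in gs))
        ids = frozenset(g.identity for g in gs)
        reuse = app not in SANCTIONED and bool(ids & sanctioned_ids)
        if app in SANCTIONED:
            action = "governed"
        elif not owners or scopes & HIGH_RISK_SCOPES or reuse:
            action = "contain"   # no owner, broad data, or borrowed identity
        else:
            action = "onboard"   # known owner, bounded data: bring under policy
        result[app] = Triage(app, owners, scopes, ids, reuse, action)
    return result

# Constructed discovery feed: one sanctioned tool, one benign shadow tool, and
# one shadow tool seen twice, once under a sanctioned service account
DISCOVERED = [
    Grant("support-copilot", "cx-platform", frozenset({"kb.read"}), "svc-support-copilot"),
    Grant("notes-gpt", "j.doe", frozenset({"calendar.read"}), "user-token-jdoe"),
    Grant("slide-genie", None, frozenset({"files.read.all"}), "svc-support-copilot"),
    Grant("slide-genie", "m.lee", frozenset({"mail.read"}), "user-token-mlee"),
]

def triage_discovered() -> dict[str, Triage]:
    return triage(DISCOVERED)
```

Grouping by app before deciding matters: the second "slide-genie" grant supplies an owner, but the tool is still contained because its first grant carries a broad scope and reuses the support copilot's service account, which is exactly the case where discovery without containment would only confirm the gap.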
👉 Read our full editorial: AI TRiSM is reshaping how enterprises govern GenAI risk