
AI usage control: what it means for IAM teams and governance


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: AI Usage Control is emerging as a distinct governance layer because traditional network, endpoint, and legacy DLP controls cannot inspect real-time AI interactions with enough context, according to Lasso Security. The practical issue is not whether organisations allow AI, but whether they can govern prompt-time use, data sharing, and output reuse without collapsing existing IAM assumptions.

NHIMG editorial — based on content published by Lasso Security: Comprehensive Guide to AI Usage Control for Enterprise Security Teams

Questions worth separating out

Q: How should security teams govern AI usage without blocking productivity?

A: Security teams should set context-aware rules that vary by role, data type, and task risk, then enforce them at runtime inside the interaction.

Q: Why do traditional IAM and DLP controls fall short for GenAI?

A: They were designed for static access and post-event detection, not for live prompts, context injection, and output reuse.

Q: What do organisations get wrong about Shadow AI governance?

A: They treat Shadow AI as a discovery problem when it is also a behaviour problem.

Practitioner guidance

  • Map AI usage points across the workflow layer: inventory browser assistants, copilots, extensions, and embedded AI features that employees actually use, then tie each one to identity context and data sensitivity.
  • Define runtime rules for prompt-time data handling: classify which data types may be submitted, masked, redacted, or blocked before they enter an AI interaction.
  • Extend access reviews beyond applications to AI behaviours: review not only which tools were approved, but how they are being used, what outputs are reused, and which exception paths are active.
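The second and third points above describe a mechanism, not just a policy: a rule table keyed on role and data type, evaluated at prompt time, with the outcome recorded for later review. The following Python is an added illustration of that mechanism and is not code from Lasso Security's guide or from NHIMG. The roles, the rule table, the detector regexes, the tool name and the sample prompts are all assumptions constructed for the example.

```python
"""Prompt-time data-handling check: detect sensitive data types in a prompt and
apply a role-specific action (allow / mask / redact / block) before the text
reaches an AI tool. Illustration only; roles, rule table and regexes are
assumptions, not Lasso Security's or NHIMG's implementation."""
import json
import re
from dataclasses import dataclass, field

# Data-type detectors. Illustrative patterns; production detectors would add
# validation (e.g. a Luhn check for card numbers) to cut false positives.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}

# Context-aware rule table (assumed): (role, data_type) -> action. Any pair
# not listed falls back to DEFAULT_ACTION, so unknown roles and data types
# fail closed instead of silently passing through.
POLICY = {
    ("support", "email"): "mask",
    ("support", "us_ssn"): "redact",
    ("support", "card_number"): "mask",
    ("engineering", "email"): "allow",
    ("engineering", "aws_access_key"): "block",
    ("hr", "email"): "allow",
    ("hr", "us_ssn"): "mask",
}
DEFAULT_ACTION = "block"
SEVERITY = {"allow": 0, "mask": 1, "redact": 2, "block": 3}


@dataclass
class Decision:
    action: str            # most severe action across all findings
    prompt: str            # text cleared to leave the boundary ("" when blocked)
    findings: list = field(default_factory=list)  # (data_type, action, count)


def mask(value: str) -> str:
    """Keep the last four characters so a value can still be correlated."""
    keep = value[-4:]
    return "*" * (len(value) - len(keep)) + keep


def evaluate_prompt(role: str, prompt: str) -> Decision:
    findings = []
    worst = "allow"
    out = prompt
    for dtype, rx in DETECTORS.items():
        count = len(rx.findall(prompt))   # detect against the original text
        if count == 0:
            continue
        action = POLICY.get((role, dtype), DEFAULT_ACTION)
        findings.append((dtype, action, count))
        if SEVERITY[action] > SEVERITY[worst]:
            worst = action
        if action == "mask":
            out = rx.sub(lambda m: mask(m.group(0)), out)
        elif action == "redact":
            out = rx.sub(f"[{dtype.upper()} REDACTED]", out)
    if worst == "block":
        # Fail closed: one blocked data type withholds the whole prompt, even
        # when the other findings would only have been masked or redacted.
        return Decision("block", "", findings)
    return Decision(worst, out, findings)


def audit_record(role: str, tool: str, decision: Decision) -> str:
    """One JSON line per interaction, the raw material for reviewing AI
    behaviours rather than just approved tools. The prompt text itself is
    deliberately not logged."""
    return json.dumps({
        "role": role,
        "tool": tool,
        "action": decision.action,
        "findings": [{"type": t, "action": a, "count": n}
                     for t, a, n in decision.findings],
    })


if __name__ == "__main__":
    # Constructed sample prompts, not real customer data.
    samples = [
        ("support", "Customer alice@example.com reports SSN 123-45-6789 issue"),
        ("engineering", "Why does AKIAIOSFODNN7EXAMPLE fail against the prod bucket?"),
        ("contractor", "Summarise the thread from bob@example.com"),
    ]
    for role, text in samples:
        d = evaluate_prompt(role, text)
        print(audit_record(role, "browser-copilot", d), "->", repr(d.prompt))
```

Two design choices carry the governance point: the decision is computed over all findings before any text is released, so a single blocked data type withholds the whole prompt, and the audit line records which data types appeared and what was done with them without storing the prompt, which is what an access review of AI behaviour needs without creating a second copy of the sensitive data.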

What's in the full article

Lasso Security's full blog covers the operational detail this post intentionally leaves for the source:

  • How the runtime inspection layer handles prompts, responses, and contextual policy decisions in practice.
  • The article's breakdown of discovery across browsers, copilots, and embedded AI features.
  • Specific examples of blocking, redaction, masking, and user guidance at the moment of interaction.
  • The implementation trade-offs between productivity, compliance, and enforcement consistency.

👉 Read Lasso Security's guide to AI usage control for enterprise security teams →
