Genai risk and the identity governance gap teams are missing

TL;DR: GenAI adoption is creating blind spots across shadow tools, employee data leakage, insecure plugins, and compliance gaps, according to Lasso Security’s guide to CISO pain points. The real issue is that traditional IAM and monitoring models were built for deterministic systems, not prompt-driven workflows with weak visibility and expanding third-party access.

NHIMG editorial — based on content published by Lasso Security: The CISO’s Guide to GenAI Risks: Unpacking the Real Security Pain Points

By the numbers:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.

Questions worth separating out

Q: How should security teams govern shadow AI in the enterprise?

A: Start by inventorying every sanctioned and unsanctioned GenAI tool, then assign an owner, a data classification boundary, and a logging requirement.

Q: Why do GenAI plugins and APIs create identity risk?

A: They introduce extra trust boundaries that can be over-permissioned, weakly authenticated, or left without clear revocation ownership.

Q: How can teams know whether GenAI monitoring is actually working?

A: Look for prompt-level telemetry, retrieval traces, output logs, and downstream action records that can be joined into a single event chain.

Practitioner guidance

• Inventory sanctioned and unsanctioned GenAI usage Build a single register of chatbots, copilots, embedded AI features, plugins, and internal model endpoints so security can assign ownership and logging requirements.
• Extend logging to prompt and retrieval activity Capture prompts, retrieved source data, model outputs, and downstream actions so investigators can reconstruct what the system saw and did.
• Review AI-connected service accounts and API tokens Check every model integration for scope, ownership, and revocation path, especially where the model can call backend systems or third-party APIs.

What's in the full article

Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:

• A breakdown of the specific GenAI risk categories discussed by the vendor, including data leakage, prompt injection, and compliance gaps.
• Operational examples of where traditional security tools fall short when applied to shadow AI and LLM-driven workflows.
• The vendor's suggested approach for building visibility, telemetry, and governance around enterprise AI use.
• The source article's framing of how CISOs can organise GenAI controls across teams and workflows.

👉 Read Lasso Security's guide to CISO pain points in GenAI risk →

Genai risk and the identity governance gap teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →