
GenAI security readiness gap in enterprises: what teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9271
Topic starter  

TL;DR: Nearly half of organisations are already deploying GenAI in production, yet only 19% feel highly confident in their security posture and 49% remain highly concerned about vulnerabilities, according to Lakera’s 2025 GenAI Security Readiness Report. The readiness gap is now operational, not theoretical, and it is widening as runtime attacks, integration complexity, and skill shortages outpace existing governance models.

NHIMG editorial — based on content published by Lakera: 2025 GenAI Security Readiness Report: A Clearer Picture of Where Enterprises Stand

By the numbers:

Questions worth separating out

Q: How should security teams govern GenAI systems in production workflows?

A: Treat production GenAI as an access-governance problem, not just a model-risk problem.

Q: Why do GenAI systems create more security risk once they are connected to business data?

A: Because the risk moves from model behaviour to delegated access.

Q: What do security teams get wrong about GenAI readiness?

A: They often confuse adoption with maturity.

Practitioner guidance

  • Map every GenAI integration boundary: Inventory the connectors, APIs, service accounts, and tokens that let GenAI systems reach sensitive data or execute actions.
  • Test for prompt injection in business workflows: Red-team the actual workflow, not just the model, by checking whether untrusted input can override instructions, trigger data exposure, or alter downstream actions.
  • Tighten credentials around GenAI-connected systems: Review whether the service identities, tokens, and API keys supporting GenAI workflows are scoped to the minimum needed and are monitored separately from human access.

What's in the full report

Lakera's full report covers the operational detail this post intentionally leaves for the source:

  • Role-based breakdowns of concern, confidence, and preparedness across respondents.
  • The underlying survey findings that separate adoption pressure from security maturity.
  • Visual charts that show how risk perception shifts across AI security functions.
  • Practitioner-facing detail on the incidents and workflow patterns behind the headline numbers.

👉 Read Lakera’s 2025 GenAI Security Readiness Report →




   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8712
 

GenAI security readiness is now an identity governance problem. Once GenAI is embedded in production workflows, the question is no longer whether the model is safe in isolation. The real issue is whether access, integration, and runtime control can keep pace with how the system is used. That puts IAM, NHI governance, and AI security operations into the same control plane, because delegated capability is what turns AI from a feature into an exposure.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • In the same research, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a useful reminder that delegated access is where many identity programmes lose control.

A question worth separating out:

Q: How can organisations tell whether their AI security controls are actually working?

A: They should look for enforcement evidence, not policy statements. Useful signals include blocked unsafe actions, tested prompt-injection paths, constrained connector permissions, reviewed service identities, and a documented response path when the workflow behaves outside expectations. If those artefacts do not exist, readiness is assumed rather than demonstrated.

👉 Read our full editorial: GenAI security readiness lags adoption across enterprise workflows



   