Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI security audits and GenAI governance gaps: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9874
Topic starter  

TL;DR: Nearly 60% of enterprises are using GenAI without formal governance or audit processes, while other studies cited in the article show 21% of power users and 41% of lighter users operating with no controls at all, according to Knostic. The real issue is not model performance but the absence of prompt-to-output visibility, policy enforcement, and explainability across live enterprise usage.

NHIMG editorial — based on content published by Knostic: Fast Facts on AI Security Audit

By the numbers:

Questions worth separating out

Q: What breaks when GenAI is deployed without formal audit controls?

A: Without formal audit controls, organisations lose visibility into prompt behavior, context retrieval, policy enforcement, and output traceability.

Q: Why do AI security audits matter for IAM and data governance teams?

A: AI security audits matter because GenAI systems create a new access layer where identity, permissioning, and data exposure meet at inference time.

Q: How can security teams tell whether AI audit controls are actually working?

A: Look for evidence that every high-risk AI interaction can be traced from prompt to context to response, with policy decisions preserved alongside the output.

Practitioner guidance

  • Map prompt-to-output lineage Record the prompt, retrieved context, policy checks, and generated response for every high-risk GenAI workflow so investigators can reconstruct exactly how an answer was produced.
  • Validate sensitivity labels against AI usage Compare repository labels with actual model behavior in SharePoint, Outlook, vector stores, and connected copilots to identify where approved source material still produces oversharing.
  • Red-team multi-step prompt chains Test segmented prompts, jailbreak variants, and injection sequences against production-like models to measure bypass rates and uncover policy failures before deployment.

What's in the full article

Knostic's full article covers the operational detail this post intentionally leaves for the source:

  • A five-step AI security audit checklist that maps prompts, labels, injection tests, monitoring, and explainability into one workflow.
  • Examples of how prompt fuzzing and semantic jailbreak testing are used to probe oversharing and policy bypass.
  • Discussion of how internal teams and external auditors divide responsibility for GenAI oversight.
  • Operational detail on how Knostic frames knowledge-layer exposure and audit-ready evidence.

👉 Read Knostic's analysis of AI security audit controls for GenAI governance →

AI security audits and GenAI governance gaps: what teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9358
 

AI security audits are now an identity governance problem as much as a model governance problem. The article makes clear that the biggest risk is not simply whether an LLM behaves well, but whether enterprise users, data sources, and policy boundaries are aligned around what the model is allowed to surface. Once prompts become a control surface, access management, logging, and data classification all need to operate at inference time. Practitioners should treat GenAI auditability as a governance layer over identity, access, and data exposure.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: Which frameworks apply to AI security auditing and governance?

A: NIST AI RMF, NIST CSF, GDPR, and AI-focused threat frameworks all help structure audit expectations. Use them to define accountability, risk assessment, data handling, monitoring, and traceability requirements. For regulated environments, the key is to map AI behaviour to evidence that can stand up in review, not just internal testing.

👉 Read our full editorial: AI security audits expose the governance gap in enterprise GenAI



   
ReplyQuote
Share: