Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Glean AI search and the oversharing gap enterprise controls miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9924
Topic starter  

TL;DR: Glean combines LLMs, semantic search, and permission-aware retrieval to reduce enterprise search friction, but Knostic argues that oversharing persists because static access models cannot reliably enforce need-to-know boundaries when AI synthesises context from multiple systems. The real governance problem is not search accuracy, but whether AI can expose permissible yet operationally inappropriate information.

NHIMG editorial — based on content published by Knostic: Key Findings on Glean AI Security

By the numbers:

Questions worth separating out

Q: How should security teams govern AI search so it does not overshare sensitive content?

A: Treat AI search as a disclosure system, not just a retrieval system.

Q: Why do static access controls fail in enterprise AI search?

A: Static access controls answer a different question from the one AI search creates.

Q: What do security teams get wrong about AI search oversharing?

A: They often assume encryption, tenant isolation, and source permissions solve the disclosure problem.

Practitioner guidance

  • Separate source access from answer authorisation Apply a distinct approval or policy check to AI-generated responses when the system synthesises content from multiple repositories.
  • Test for oversharing with realistic business prompts Use prompts that mirror how employees ask for strategy, roadmap, personnel, and operational context.
  • Retain full prompt-to-answer audit trails Log the prompt, retrieved documents, response text, user identity, and governing policy so investigators can reconstruct disclosure paths after a suspected oversharing event.

What's in the full article

Knostic's full article covers the operational detail this post intentionally leaves for the source:

  • Connector and ingestion design details for Glean environments, including how permission graphs and metadata are synchronised.
  • Knostic's prompt simulation and response-analysis workflow for identifying overshared outputs before users see them.
  • Audit-dashboard examples showing how answer lineage, access attempts, and policy decisions are surfaced for compliance teams.
  • Implementation notes for integrating monitoring into existing security workflows without changing the underlying search architecture.

👉 Read Knostic's analysis of Glean AI security and oversharing risk →

Glean AI search and the oversharing gap enterprise controls miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9408
 

Oversharing is an identity governance failure, not a search-quality issue. The core problem is that AI can respect source permissions while still violating need-to-know boundaries. That means the governance question is not whether the user could access the underlying document, but whether the system should have assembled that answer at all. Practitioners should treat AI disclosure policy as part of IAM and IGA, not as a search add-on.

A few things that frame the scale:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

A question worth separating out:

Q: How do you know if AI search controls are actually working?

A: Look for evidence that prompts, retrieved sources, and responses are being tied to policy decisions in an auditable trail. If you can only show that a user could open a document, you have not proven the system prevented oversharing. Effective control means you can explain why an answer was allowed or blocked.

👉 Read our full editorial: Glean AI search increases oversharing risk beyond static permissions



   
ReplyQuote
Share: