TL;DR: LLM compliance is defined by how data enters, moves through, and leaves model workflows, with the article highlighting traceability, audit logging, access boundaries, and data minimization as core controls, according to Lasso Security. The governance problem is bigger than policy text, because unmonitored prompts, retrievals, and integrations turn LLMs into real-time identity and data exposure paths.
NHIMG editorial — based on content published by Lasso Security: LLM Compliance: Risks, Challenges & Enterprise Best Practices
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- While 71% of IT teams have been advised on AI agent data access, only 47% of compliance teams, 39% of legal teams, and 34% of executives have the same visibility.
Questions worth separating out
Q: How should security teams enforce LLM compliance across prompts and retrievals?
A: Security teams should enforce LLM compliance at the prompt, retrieval, and output layers, not only at the application perimeter.
Q: When does LLM compliance become an identity governance issue?
A: LLM compliance becomes an identity governance issue whenever a model can access data, tools, or workflows on behalf of a user or service.
Q: What do organisations get wrong about LLM audit trails?
A: Many organisations treat logging as a checkbox and miss the need for reconstruction-ready evidence.
Practitioner guidance
- Map LLM data paths end to end Inventory every prompt source, retrieval source, plugin, connected SaaS app, and output destination so you can see where sensitive data can enter or leave the workflow.
- Enforce permissions at the interaction layer Apply policy at the prompt, retrieval, and output layers so a user cannot ask for, fetch, or receive information outside their intended context.
- Require immutable audit evidence Capture prompt history, retrieval steps, model actions, guardrail triggers, and administrator changes in logs that can be preserved for audit and incident review.
What's in the full article
Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Specific policy patterns for prompt-handling, retrieval boundaries, and output filtering across enterprise workflows.
- Operational guidance for spotting shadow AI, browser-based assistants, and unsanctioned automations before they become blind spots.
- Examples of logging and evidence collection for prompt history, model actions, retrieval steps, and administrator changes.
- Practical control mapping for GDPR, the EU AI Act, and NIST AI RMF readiness in LLM deployments.
👉 Read Lasso Security's analysis of LLM compliance risks and best practices →
LLM compliance and access boundaries: what IAM teams need to know?
Explore further
LLM compliance is really identity governance applied to data movement. The article is strongest where it treats prompts, retrieval, and outputs as enforceable boundaries rather than abstract policy text. That is the right frame for both human and non-human identities because the risk is not only what the model knows, but what it is allowed to touch. Practitioners should read this as a governance problem with direct access-control consequences.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 92% of organisations agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, which shows how far policy intent still lags execution.
A question worth separating out:
Q: How do teams reduce shadow AI risk in LLM environments?
A: Teams reduce shadow AI risk by discovering where LLM use already exists outside approved tooling, including browser chatbots, embedded assistants, and informal automations. Those hidden paths should be assessed first because they usually have weaker visibility, weaker data controls, and no reliable audit evidence.
👉 Read our full editorial: LLM compliance is becoming an identity governance problem
LLM compliance is really identity governance applied to data movement. The article is strongest where it treats prompts, retrieval, and outputs as enforceable boundaries rather than abstract policy text. That is the right frame for both human and non-human identities because the risk is not only what the model knows, but what it is allowed to touch. Practitioners should read this as a governance problem with direct access-control consequences.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 92% of organisations agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, which shows how far policy intent still lags execution.
A question worth separating out:
Q: How do teams reduce shadow AI risk in LLM environments?
A: Teams reduce shadow AI risk by discovering where LLM use already exists outside approved tooling, including browser chatbots, embedded assistants, and informal automations. Those hidden paths should be assessed first because they usually have weaker visibility, weaker data controls, and no reliable audit evidence.
👉 Read our full editorial: LLM compliance is becoming an identity governance problem