Subscribe to the Non-Human & AI Identity Journal
Home FAQ Identity Beyond IAM How can security teams decide where AI is…
Identity Beyond IAM

How can security teams decide where AI is allowed to act in a customer journey?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 14, 2026 Domain: Identity Beyond IAM

Define AI as advisory unless the transaction has been explicitly governed for automation. AI can assist with discovery and comparison, but payment, passport data, and booking commitments should require controlled authorisation, auditability, and a clear human override path.

Why This Matters for Security Teams

Customer journeys now mix search, identity checks, recommendations, payment, support, and post-sale service, which means AI may be exposed to decisions that have legal, financial, or privacy impact. Security teams cannot treat every AI action as harmless because a recommendation engine, chatbot, or agentic workflow can cross from guidance into execution very quickly. That shift changes the control objective from content safety to authorisation, traceability, and change management.

The practical issue is not whether AI can answer questions, but whether it can trigger actions that create commitments on behalf of a customer or the organisation. Current guidance suggests that high-impact steps should be governed with the same discipline used for other privileged workflows, including approval boundaries, logging, and rollback paths. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls is useful here because it maps well to authorisation, audit, and accountability expectations.

In practice, many security teams encounter the boundary only after an AI assistant has already drafted, initiated, or confirmed an action that should have required explicit approval.

How It Works in Practice

Security teams usually decide AI boundaries by classifying journey steps into advisory, assisted, and autonomous modes. Advisory means the AI can explain, compare, or recommend. Assisted means the AI can prepare a transaction, but a person still approves it. Autonomous means the AI can execute without a human in the loop, which should be rare and tightly constrained. The key is to define these modes per journey step, not per application, because the same system may be safe for FAQ support but not for payment, identity proofing, or booking commitments.

A workable pattern is to link AI permissions to business risk, data sensitivity, and reversibility. If the action can create a legal obligation, move regulated personal data, or alter a customer account, the AI should not be the final decision-maker unless the workflow has been explicitly approved, tested, and monitored. Teams should also require an immutable audit trail showing what the AI saw, what it suggested, who approved it, and what was actually executed. That becomes essential for incident response and customer dispute handling.

  • Limit AI to read-only or recommendation mode by default.
  • Require step-up approval for payments, account changes, and identity updates.
  • Use policy checks before execution, not only after output generation.
  • Log prompts, tool calls, approvals, and final actions together.
  • Provide a clear human override and kill switch for operational failures.

For digital identity and authentication steps, teams should also align to NIST SP 800-63 Digital Identity Guidelines so the AI does not weaken identity proofing or session assurance. For AI-specific governance, NIST AI Risk Management Framework helps define who owns the risk and how output quality is monitored. These controls tend to break down in highly orchestrated journeys with multiple back-end systems because the AI may appear to be advisory while still triggering downstream automation through APIs.

Common Variations and Edge Cases

Tighter control often increases friction and operational overhead, requiring organisations to balance customer experience against misuse, error, and compliance exposure. That tradeoff is most visible in journeys where the customer expects speed, such as travel, retail, or service recovery. In those cases, best practice is evolving toward tiered authority rather than an all-or-nothing model.

One edge case is low-risk, reversible automation. For example, an AI may be allowed to re-order information, suggest next steps, or pre-fill a form if the final submission remains human-approved. Another is delegated business authority, where a clearly scoped internal AI agent can act within a policy envelope, but only after separation of duties and strong monitoring are in place. There is no universal standard for this yet, so organisations should document local risk acceptance rather than assume industry consensus.

Teams should be especially cautious where AI touches identity verification, payment, or regulated data across vendors. If a journey includes SSO, KYC, or shared customer profiles, the AI boundary must be consistent across all connected systems, not just within the front-end experience. The same is true for multilingual or high-volume support channels, where a persuasive assistant may be mistaken for an authorised representative unless disclosures and controls are explicit. In practice, the hardest failures happen when the AI is technically “advisory” but operationally trusted as if it were authorised.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF, NIST SP 800-63 and NIST AI 600-1 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.ACAccess control is central when AI may initiate customer journey actions.
NIST AI RMFGOVERNGovernance determines who owns AI decisions and acceptable autonomy.
OWASP Agentic AI Top 10A2Agentic systems can overreach into unauthorized actions in user journeys.
NIST SP 800-63IAL/AALIdentity assurance matters when AI touches verification or account changes.
NIST AI 600-1GenAI profiles stress output controls and human oversight for customer-facing use.

Treat customer journey AI as governed assistance unless explicit control and monitoring exist.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org