Ask which layer is controlled externally, which layer is controlled by your team, and how each layer is audited. If the vendor cannot separate model safeguards from workflow authority, the organisation may be treating a capability label as a governance model.
Why This Matters for Security Teams
AI vendors can be safe for identity operations only when their model behaviour is separated from the authority that touches accounts, credentials, approvals, and audit trails. That distinction matters because identity workflows are high-impact: a vendor that can generate recommendations but not execute changes is very different from one that can provision access or rotate secrets. NIST Cybersecurity Framework 2.0 makes governance and oversight explicit, but vendor questionnaires often stop at feature lists instead of examining control boundaries.
Security teams should treat the evaluation as an architecture review, not a procurement checkbox. If the vendor manages prompts, policy enforcement, or tool execution, then identity risk lives in multiple layers and each layer needs independent evidence. Current guidance suggests looking for clear separation between model safeguards, workflow authority, and administrative access, alongside auditable logs for every identity action. NHIMG’s research on Ultimate Guide to NHIs and 52 NHI Breaches Analysis shows how quickly identity compromise becomes operational compromise when secrets and execution paths are blurred. In practice, many security teams discover that a vendor’s true risk only becomes visible after a failed incident review, not during the initial sales cycle.
How It Works in Practice
A practical evaluation starts by mapping three layers: the model layer, the workflow layer, and the identity layer. The model layer covers prompt handling, content filters, and safety rules. The workflow layer covers what the vendor’s system can actually do, such as reading directory data, approving requests, resetting passwords, or calling IAM APIs. The identity layer covers how the vendor proves its own service identity and how your team limits its permissions.
Ask for evidence in each layer, not broad assurances. For the model layer, request documentation showing how unsafe outputs are constrained. For the workflow layer, verify whether the vendor uses least privilege, short-lived credentials, and explicit approval gates before any identity change. For the identity layer, ask whether the service uses workload identity, such as OIDC-based service authentication or SPIFFE-style identities, rather than shared static secrets. This is especially important for identity operations because long-lived credentials make it harder to contain abuse if the vendor environment is compromised.
NIST Cybersecurity Framework 2.0 is useful here because it pushes teams toward governance, access control, and continuous monitoring rather than one-time trust decisions. The strongest vendor reviews also test auditability: every identity action should be attributable to a service, a policy decision, and a human approver when applicable. If a vendor cannot show that trail, it is difficult to prove where automation ends and delegated authority begins. The State of Secrets in AppSec is a useful reminder that weak secrets practices are common, and that confidence often exceeds actual control maturity. NIST Cybersecurity Framework 2.0 provides the governance structure to validate those claims.
- Separate what the vendor can recommend from what it can execute.
- Require short-lived, scoped credentials for every identity workflow.
- Verify audit logs include actor, policy decision, timestamp, and affected identity object.
- Demand proof that support staff cannot silently override production controls.
These controls tend to break down when the vendor uses shared admin accounts or opaque orchestration layers, because attribution and least privilege both fail at the same time.
Common Variations and Edge Cases
Tighter vendor control often increases integration overhead, requiring organisations to balance faster deployment against stronger containment. That tradeoff becomes sharper when the product spans multiple identity functions, such as governance, provisioning, and privileged access.
There is no universal standard for this yet, but best practice is evolving toward context-aware evaluation. A vendor may be acceptable for identity analytics or recommendation support while being too risky for direct execution. The key question is whether the vendor’s AI can influence decisions without owning the authority to carry them out. That distinction matters most in hybrid environments where some actions are automated and others still require human approval.
Edge cases include multi-tenant SaaS platforms, delegated admin models, and vendors that rely on customer-managed connectors. In those environments, teams should verify whether the connector runs under customer control, whether secrets are stored in the vendor platform or a customer vault, and whether policy changes are versioned and reversible. The Top 10 NHI Issues research is a useful reminder that weak ownership boundaries and poor rotation practices frequently coexist. The DeepSeek breach also illustrates how hidden data exposure can turn a capability discussion into an operational incident. Security teams should treat those cases as evidence that identity operations need separate approval, logging, and rollback paths, even when the vendor markets the product as autonomous.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM | Vendor safety reviews depend on governance and risk decisions across identity workflows. |
| OWASP Agentic AI Top 10 | A04 | AI vendors can blur model output with tool execution, a core agentic risk. |
| CSA MAESTRO | TR-02 | MAESTRO addresses trust boundaries and runtime controls for agentic systems. |
Classify each AI vendor by identity risk and require governance approval before granting execution authority.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org