
How do organisations know if Bedrock governance is actually working?

By NHI Mgmt Group Editorial Team | Updated June 7, 2026 | Domain: Governance, Ownership & Risk

They should be able to show which identities can call Bedrock, which data classes they can access, where prompts and outputs are retained, and how often those permissions are reviewed. If those answers are unclear, governance is partial at best. Strong programmes can produce a current access map and an audit trail for the AI data path.

Why This Matters for Security Teams

Bedrock governance only “works” if it can be proven in the places that matter: identity, data, and logging. For teams running model-driven workloads, the question is not whether a policy exists, but whether it still holds when prompts, tools, and outputs move across services. Current guidance from NIST Cybersecurity Framework 2.0 and NHIMG’s analysis in Top 10 NHI Issues both point to the same reality: visibility is the control that separates governance from guesswork.

In Bedrock environments, weak governance usually shows up as over-broad service roles, unclear prompt retention, or missing evidence for who can invoke which model and for what data class. That gap is not just operational. It creates audit exposure, complicates incident response, and makes data handling impossible to defend under review. The organisation may believe it has RBAC in place, but without current entitlements and retention traces, it cannot show effective control.

Practitioners often discover this only after a privileged workload has already processed sensitive data without a clear ownership chain.

How It Works in Practice

Effective Bedrock governance starts with a living access map. That means identifying every human and non-human identity that can call Bedrock, the role or workload identity behind that access, and the specific models, data classes, and downstream systems each identity can reach. For agentic or automated use cases, static IAM alone is usually too blunt. Best practice is evolving toward intent-based authorisation, where access is evaluated at request time using context such as task type, dataset sensitivity, environment, and whether the action is still within policy.

That model is stronger when paired with short-lived credentials and explicit workload identity. JIT credentials reduce the value of stolen secrets, while ephemeral tokens and tight TTLs limit how long a Bedrock caller can act without re-authorisation. For autonomous systems, the control question is not “does this role exist?” but “can this workload prove what it is, what it is trying to do, and whether that action is still allowed?” That is why identity patterns such as SPIFFE or OIDC-style workload claims matter more than long-lived static keys.

  • Record which identities can invoke Bedrock and which model endpoints they can reach.
  • Classify prompts, retrieved context, and outputs so retention matches sensitivity.
  • Use policy-as-code and runtime evaluation for high-risk calls instead of fixed allowlists alone.
  • Review entitlements on a schedule and compare them with actual invocation logs.
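
As an added example (not NHIMG's or AWS's own code), the Python below carries out the last step in the list: it compares a documented access map with Bedrock invocation records and reports calls the map does not cover, entitlements nobody used, and failed attempts. The account ID, role names, model IDs and records are constructed, and the record fields are assumed to follow the CloudTrail layout (`eventSource`, `eventName`, `userIdentity`, `requestParameters.modelId`, `errorCode`).

```python
"""Compare a documented Bedrock access map with invocation records."""

BEDROCK_CALLS = {"InvokeModel", "InvokeModelWithResponseStream"}

def caller(record):
    """Role ARN behind an assumed-role session, else the caller's own ARN."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn", "unknown")

def review(access_map, records):
    """Return (identity, model) pairs that are unmapped, unused or failed."""
    used, unmapped, failed = set(), set(), set()
    for rec in records:
        if rec.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if rec.get("eventName") not in BEDROCK_CALLS:
            continue
        model = (rec.get("requestParameters") or {}).get("modelId", "unknown")
        pair = (caller(rec), model)
        if rec.get("errorCode"):            # denied or otherwise failed call
            failed.add(pair)
        elif model in access_map.get(pair[0], set()):
            used.add(pair)                  # matches the documented map
        else:
            unmapped.add(pair)              # succeeded, but not in the map
    documented = {(i, m) for i, models in access_map.items() for m in models}
    return {"unmapped": sorted(unmapped),
            "unused": sorted(documented - used),
            "failed": sorted(failed)}

# --- Constructed sample data (placeholders, not real identities or models) ---
ACCT = "111122223333"
ROLE_SUM = f"arn:aws:iam::{ACCT}:role/example-summariser"
ROLE_ETL = f"arn:aws:iam::{ACCT}:role/example-etl"
USER_BATCH = f"arn:aws:iam::{ACCT}:user/example-batch"
MODEL_A, MODEL_B = "example.model-a", "example.model-b"
ACCESS_MAP = {ROLE_SUM: {MODEL_A}, ROLE_ETL: {MODEL_A}}

def _rec(arn, model, issuer=None, error=None, source="bedrock.amazonaws.com"):
    ident = {"arn": arn}
    if issuer:
        ident["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    rec = {"eventSource": source, "eventName": "InvokeModel",
           "userIdentity": ident, "requestParameters": {"modelId": model}}
    return {**rec, "errorCode": error} if error else rec

SESSION = f"arn:aws:sts::{ACCT}:assumed-role/example-summariser/s1"
RECORDS = [_rec(SESSION, MODEL_A, issuer=ROLE_SUM),
           _rec(SESSION, MODEL_B, issuer=ROLE_SUM),
           _rec(USER_BATCH, MODEL_A, error="AccessDenied"),
           _rec(SESSION, MODEL_A, issuer=ROLE_SUM, source="s3.amazonaws.com")]
```

An `unmapped` entry means the access map is stale or a role is broader than documented; an `unused` entry is a candidate for removal at the next entitlement review.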

NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and Ultimate Guide to NHIs — Regulatory and Audit Perspectives are useful references for turning that map into a repeatable control set. For evidence quality, tie the control design to NIST Cybersecurity Framework 2.0 functions so detection, protection, and governance are measurable rather than assumed.

These controls tend to break down when Bedrock is embedded in multi-step agent workflows because downstream tool calls and cached context can outlive the original authorization decision.

Common Variations and Edge Cases

Tighter Bedrock control often increases operational overhead, requiring organisations to balance faster delivery against stronger evidence and review. That tradeoff becomes sharper in regulated environments, shared platform teams, and product squads that want fast iteration without waiting for manual approvals. There is no universal standard for this yet, so current guidance suggests using tiered control strength based on data sensitivity and workload autonomy.

One common edge case is prompt and output retention. Some teams log everything for forensic value, while others minimise retention to reduce exposure. The right answer depends on the data class, legal hold obligations, and whether logs contain sensitive context or secrets. Another edge case is agentic behaviour. If a workload can chain tools, retrieve data, and generate follow-on actions, then governance must account for behaviour that is not fully predictable at design time. That is where the distinction between human access reviews and workload access reviews matters.

NHIMG’s AI LLM hijack breach material is a useful reminder that indirect prompt paths and tool misuse can bypass assumptions about “safe” access. In parallel, the NIST view of governance stresses continuous measurement, not one-time approval. Security teams should therefore treat Bedrock governance as a control loop: prove access, verify retention, review drift, and re-test after every major model, role, or data-path change.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Focuses on access and lifecycle control of non-human identities. |
| CSA MAESTRO | | Addresses governance for autonomous AI workflows and tool use. |
| NIST AI RMF | GOVERN | Govern function covers accountability and oversight for AI systems. |

Inventory Bedrock callers, rotate credentials, and verify every non-human identity has only needed access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 7, 2026.