Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk How should security teams govern AI-driven customisation without…
Governance, Ownership & Risk

How should security teams govern AI-driven customisation without losing control?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 9, 2026 Domain: Governance, Ownership & Risk

Security teams should govern AI-driven customisation by treating generated code, workflows, and access paths as managed assets with explicit ownership and policy checks. The goal is not to suppress customisation, but to prevent it from creating blind spots in identity, logging, and review processes. If the control model only works for standardised environments, it will fail as AI increases variance.

Why This Matters for Security Teams

AI-driven customisation changes more than the interface layer. It can generate code, modify workflows, create service accounts, and introduce new access paths faster than review processes can keep up. That creates an identity and logging problem, not just a development problem. NHIMG research on the State of Non-Human Identity Security shows that only 1.5 out of 10 organisations are highly confident in securing NHIs, which is a warning sign for any environment where software can spin up new identities on demand.

The main mistake is assuming customisation is safe if the underlying platform is approved. In practice, AI can produce bespoke paths that bypass standard change control, inherit excessive permissions, or leave behind unmanaged secrets. Security teams should treat every generated asset as part of the control surface, with ownership, review, and revocation requirements from the start. Guidance from the NIST Cybersecurity Framework 2.0 reinforces that governance must be continuous, not limited to initial approval. In practice, many security teams encounter AI-driven drift only after an over-privileged workflow or leaked secret has already been used in production.

How It Works in Practice

Governance works best when AI-generated code and workflows are treated as managed non-human identities with explicit lifecycle controls. That means each generated asset needs an owner, a purpose, a policy boundary, and a revocation path. The operating model should also distinguish between the tool that generated the change and the identities that the change creates or touches. NHIMG’s Top 10 NHI Issues is useful here because it frames the common failure pattern: unmanaged sprawl, weak visibility, and over-privilege.

A practical workflow usually includes:

  • Pre-deployment policy checks for code, infrastructure, and access changes before merge or release.
  • Asset registration so generated workflows and service identities are visible in inventory and review queues.
  • JIT credential issuance for AI-created access paths, with short TTLs and automatic revocation after task completion.
  • Secrets scanning and rotation for tokens, API keys, and certificates introduced by generated output.
  • Logging that binds actions to both the human approver and the machine identity that executed the change.

For control design, current guidance suggests using policy-as-code and continuous verification rather than relying on static approvals. The NIST SP 800-53 Rev 5 Security and Privacy Controls supports this approach through access control, audit, and configuration management expectations. Security teams should also align generated assets with the lifecycle thinking in NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, because creation without retirement is where customisation becomes exposure. These controls tend to break down when AI is allowed to create production-facing identities outside the same review and revocation pipeline used for standard deployments.

Common Variations and Edge Cases

Tighter governance often increases delivery friction, requiring organisations to balance speed against assurance. That tradeoff is real, especially when product teams rely on AI to prototype quickly or customise customer-specific workflows. Best practice is evolving, but there is no universal standard for when a generated workflow becomes a separately governed asset versus a normal code change. Security teams should document that threshold explicitly and apply it consistently.

Edge cases usually appear in three places. First, low-code and no-code platforms can hide identity creation behind benign-looking automation. Second, agentic assistants may chain actions across tools, creating access paths that were never approved as a single request. Third, inherited secrets and service permissions can persist long after the original customisation is retired. In these cases, the main control question is not whether the AI output is useful, but whether the organisation can still explain who owns it, what it can touch, and how it is revoked. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is especially relevant when audit teams need evidence that generated assets are not escaping oversight. The cleanest programmes use the same policy gates for AI-generated customisation as for any other privileged change, while allowing faster paths only where the risk has been explicitly accepted.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Generated workflows often create unmanaged non-human identities and secrets.
OWASP Agentic AI Top 10A-03AI customisation can create autonomous actions and tool access outside review.
CSA MAESTROM1MAESTRO addresses governance for agentic workflows and tool-connected AI systems.
NIST AI RMFGOVERNAI RMF governance is needed to assign accountability for generated customisation.
NIST CSF 2.0PR.AC-4Least-privilege access is essential when AI creates new access paths.

Define ownership, approval, and revocation for every AI-generated workflow and action path.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org