Start by governing the model’s access path, not just the application wrapper. Limit what the LLM can read, what it can output, and what actions it can initiate. Then add runtime controls for prompt filtering, data loss prevention, and approval gates so adoption can continue without turning every session into an uncontrolled trust decision.
Why This Matters for Security Teams
LLM governance fails when it is treated as a model-only problem. Security teams are usually trying to preserve adoption while reducing the chance that an LLM can read too much, expose too much, or trigger actions beyond its intended scope. That means the real control plane is the access path: prompts, retrieval, tool use, output handling, and approvals. Guidance from the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 both point toward runtime controls, not static trust.
This matters because LLM deployments often spread faster than governance can be written. NHIMG research on AI Agents: The New Attack Surface shows a large visibility gap across compliance, legal, and executive stakeholders, which is exactly where governance breaks down in practice. Teams that only secure the chatbot interface usually miss the connectors, plugins, memory stores, and downstream systems that actually create risk. In practice, many security teams encounter data exposure only after an assistant has already queried the wrong source or taken an unintended action, rather than through intentional approval.
How It Works in Practice
The practical approach is to govern LLMs by layer, with least privilege and runtime decisioning at each step. Start by defining what the model can read, which data classes are in scope, which tools it can call, and which outputs require review. Then make those decisions dynamic. Current best practice is evolving toward policy-as-code enforcement at request time, using context such as user role, data sensitivity, session purpose, and destination system. That aligns well with the runtime control philosophy in NIST AI Risk Management Framework and the threat-focused guidance in CSA MAESTRO agentic AI threat modeling framework.
A workable implementation usually includes:
- Prompt and input filtering to block obvious exfiltration attempts, prompt injection, and unsafe instructions.
- Data loss prevention on outputs, especially where the model can summarize regulated or confidential content.
- Scoped retrieval controls so the model only sees approved knowledge sources and document subsets.
- Approval gates for high-risk actions such as sending email, changing records, or initiating transactions.
- Short-lived credentials and session-based authorization for any tool use that reaches external systems.
For agentic workloads, the model should be treated as a workload identity, not a human proxy. That means the authentication layer should prove what the agent is and what task it is executing, while the authorization layer decides whether that specific action is allowed right now. NHIMG’s OWASP NHI Top 10 and the related Analysis of Claude Code Security both reinforce that tool access and credential handling are where governance becomes operational. These controls tend to break down when legacy applications force shared service accounts or broad API tokens because runtime policy cannot safely constrain a credential that already has excessive standing privilege.
Common Variations and Edge Cases
Tighter governance often increases friction, so organisations have to balance developer speed against the cost of deeper review and more policy checks. That tradeoff is real, and current guidance suggests starting with risk-tiered controls rather than applying the same gate to every use case. Low-risk summarization may only need basic redaction and logging, while actions that can move money, modify records, or expose regulated data need stronger approval.
One common edge case is internal copilots that look harmless but quietly connect to high-value systems through retrieval or plugins. Another is delegated agent workflows, where one model calls another and the control boundary becomes harder to trace. There is no universal standard for this yet, but best practice is to require explicit policy boundaries for each tool, data source, and downstream action, then log the full chain of decisioning for auditability. For teams trying to understand real-world failure modes, NHIMG’s McKinsey AI platform breach is a useful reminder that platform convenience can outrun governance very quickly. Teams that delay these controls until after broad rollout usually discover the weakest point only after the model has already crossed a trust boundary.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Agentic apps need runtime controls for tool use and output safety. |
| CSA MAESTRO | M-3 | MAESTRO covers threat modeling for agent workflows and tool chains. |
| NIST AI RMF | AI RMF frames governance, measurement, and monitoring for AI risk. |
Constrain prompts, tools, and outputs with request-time policy checks before allowing any action.
Related resources from NHI Mgmt Group
- How should security teams replace standing access without slowing down work?
- How should security teams implement just-in-time access without creating too much friction?
- How should security teams implement DSPM without overwhelming operations?
- How should security teams narrow SOC 2 scope without weakening access governance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
