Teams can see where sensitive data lives, but they still cannot stop the system from using it unsafely. Discovery is necessary, yet it does not prevent prompt leakage, unsafe retrieval, or downstream disclosure. Without runtime enforcement, classification becomes a map of risk rather than a control over behaviour.
Why This Matters for Security Teams
Data classification and discovery are valuable starting points, but they only tell security teams where sensitive information exists. They do not determine whether an AI system can retrieve, recombine, leak, or act on that information at runtime. For AI-enabled workflows, the risk is behavioural: a model can expose secrets through prompts, unsafe retrieval, or tool use even when the underlying data was correctly labelled.
This is why NHI governance has to extend beyond inventory into enforcement. NHIMG’s Top 10 NHI Issues treats credential exposure and uncontrolled access as lifecycle problems, not just classification problems. The same gap shows up in the Ultimate Guide to NHIs — Key Challenges and Risks, where discovery is shown to be necessary but insufficient without controls that limit what the workload can do with the data it finds.
Current guidance from the NIST Cybersecurity Framework 2.0 and the NIST AI Risk Management Framework points toward governance that is continuous, contextual, and enforceable at the point of use. In practice, many security teams only discover the failure after an agent has already copied sensitive data into an unsafe output or triggered an unauthorized downstream action.
How It Works in Practice
The operational failure is simple: classification answers “what is sensitive,” while AI governance must also answer “who or what may use it, under what conditions, and for which action.” When that second layer is missing, discovery tools create visibility without control. An agent, RAG pipeline, or automation service can still pull data from approved repositories, combine it with other context, and expose it through prompts, logs, tickets, or API calls.
Practitioners should shift from static data labelling to runtime policy enforcement. That means binding access to the workload identity, not only the user identity behind the workflow. In NHI terms, the critical control point is the execution context of the agent or service, not the tag on the document. The NHI Lifecycle Management Guide and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both emphasise that secrets, tokens, and machine identities must be issued, constrained, rotated, and revoked according to task boundaries.
- Use discovery to locate sensitive data, then enforce retrieval rules at query time.
- Apply least privilege to the AI workload itself, including connectors, agents, and downstream tools.
- Prefer short-lived credentials and just-in-time access over long-lived static secrets.
- Log and review the exact data path from source to model to output.
The practical architecture is usually policy-as-code with runtime evaluation, informed by AI risk policy in the NIST AI 600-1 Generative AI Profile and the NIST AI Risk Management Framework. These controls tend to break down when retrieval spans multiple ungoverned data stores because the model can still recombine approved fragments into an unsafe disclosure path.
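As an added example (not code from NHIMG or any product the page cites), the following Python gate shows the runtime-enforcement pattern described above: a request carries a short-lived credential bound to the workload and its task, the source being queried, the record's classification label, and the downstream action; policy is plain data keyed on workload identity; every decision is appended to a data-path log. The workload name, sources, labels, actions and timestamps are constructed for illustration.

```python
"""Policy-as-code gate evaluated at the point of use (added example).

Assumed model, not taken from any specific product: each retrieval request
carries the workload's short-lived credential (bound to a task), the source
being queried, the record's classification label and the downstream action the
data will feed. Policy is plain data so it can be versioned and reviewed.
Every decision, allow or deny, is appended to a data-path log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Credential:
    workload_id: str
    task_id: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class WorkloadPolicy:
    workload_id: str
    allowed_sources: set
    # classification label -> actions that label may feed; labels absent here are off-limits.
    actions_by_label: dict


@dataclass
class Request:
    credential: Credential
    source: str
    record_id: str
    classification: str
    action: str


# Constructed in-memory data-path log; in production this would be an append-only sink.
DATA_PATH_LOG: list = []


def evaluate(policy, req, now):
    """Deny-first evaluation bound to the workload identity. Returns (allowed, reason)."""
    cred = req.credential
    if cred.revoked or cred.expires_at <= now:
        return False, "credential expired or revoked"
    if cred.workload_id != policy.workload_id:
        return False, "credential not bound to this workload"
    if req.source not in policy.allowed_sources:
        return False, f"source '{req.source}' outside workload scope"
    permitted = policy.actions_by_label.get(req.classification)
    if permitted is None:
        return False, f"workload has no clearance for '{req.classification}' data"
    if req.action not in permitted:
        return False, f"action '{req.action}' not permitted for '{req.classification}' data"
    return True, "ok"


def gate(policy, req, now):
    """Evaluate and record the full path: which workload, which record, which label, to which action."""
    allowed, reason = evaluate(policy, req, now)
    DATA_PATH_LOG.append({
        "ts": now.isoformat(), "workload": req.credential.workload_id,
        "task": req.credential.task_id, "source": req.source, "record": req.record_id,
        "label": req.classification, "action": req.action,
        "decision": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed


def demo():
    """Constructed scenario: a support agent with a 15-minute task credential."""
    now = datetime(2026, 6, 7, 12, 0, tzinfo=timezone.utc)
    policy = WorkloadPolicy(
        workload_id="support-agent",
        allowed_sources={"kb-tickets"},
        actions_by_label={
            "internal": {"answer_user", "create_ticket"},
            "confidential": {"answer_user"},  # may be answered to the user, never written into a ticket
        },
    )
    live = Credential("support-agent", "task-42", now + timedelta(minutes=15))
    stale = Credential("support-agent", "task-41", now - timedelta(minutes=1))
    cases = [
        Request(live, "kb-tickets", "t-1", "internal", "create_ticket"),      # allowed
        Request(live, "kb-tickets", "t-2", "confidential", "create_ticket"),  # label may not feed this action
        Request(live, "kb-tickets", "t-3", "restricted", "answer_user"),      # no clearance for label
        Request(live, "hr-db", "e-9", "internal", "answer_user"),             # source outside scope
        Request(stale, "kb-tickets", "t-1", "internal", "answer_user"),       # expired credential
    ]
    return [gate(policy, r, now) for r in cases]


if __name__ == "__main__":
    print(demo())
    for entry in DATA_PATH_LOG:
        print(entry)
```

The decision is taken on the execution context (workload identity, task credential, action), not on the document tag alone, and the log captures the source-to-action path for later review.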
Common Variations and Edge Cases
Tighter control often increases operational overhead, requiring organisations to balance stronger containment against model usefulness and delivery speed. That tradeoff becomes sharper in retrieval-heavy assistants, autonomous agents, and cross-domain workflows where the system needs broad context to be effective.
There is no universal standard for this yet, but current guidance suggests a layered approach: classify data, govern identity, and evaluate permissions at runtime. For high-risk deployments, the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful for framing evidence requirements, while the DeepSeek breach illustrates how sensitive data exposure becomes materially worse when secrets and records are reachable outside intended controls.
Edge cases often appear in multi-tenant environments, shared vector databases, and agentic systems that chain tools. In those environments, classification can still support compliance reporting, but it does not stop prompt injection, unsafe retrieval, or overbroad connector permissions. The NIST AI Risk Management Framework is the better anchor for governance because it frames risk around impact, not just data location. Classification helps you find the asset; runtime control is what prevents the misuse.
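An added example, not code from NHIMG or any vendor, for the shared-vector-database and tool-chaining cases above: the tenant filter and clearance are taken from the workload's bound execution context and applied before ranking, the assembled context carries the highest label of any chunk in it (a high-water mark), the output channel is checked against that composite label, and a downstream tool in a chain can only narrow the scope it inherits. The store contents, embeddings, tenant names and channel ceilings are constructed for illustration.

```python
"""Tenant-scoped retrieval over a shared vector store (added example).

Constructed store: every chunk carries a tenant, a classification label and a
tiny embedding. The scope applied to a query comes from the workload's bound
execution context, never from the query text, and the assembled context is
labelled with the highest classification of any chunk it contains.
"""
from math import sqrt

LEVELS = ["public", "internal", "confidential", "restricted"]

# Constructed sample chunks in a store shared by two tenants.
STORE = [
    {"id": "a1", "tenant": "acme", "classification": "internal",     "vec": (1.0, 0.0, 0.0),  "text": "Acme onboarding steps"},
    {"id": "a2", "tenant": "acme", "classification": "confidential", "vec": (0.9, 0.1, 0.0),  "text": "Acme pricing model"},
    {"id": "b1", "tenant": "beta", "classification": "internal",     "vec": (0.95, 0.05, 0.0), "text": "Beta onboarding steps"},
    {"id": "b2", "tenant": "beta", "classification": "restricted",   "vec": (0.0, 1.0, 0.0),  "text": "Beta customer records"},
]

# Constructed output-channel ceilings: the highest label a channel may carry.
CHANNEL_CEILING = {"internal_chat": "confidential", "external_email": "internal", "public_ticket": "public"}


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = sqrt(sum(a * a for a in u))
    nv = sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def search(query_vec, scope, k=3):
    """Pre-filter on the bound scope, then rank.

    Filtering before ranking means an out-of-scope chunk can never occupy a
    top-k slot, so no later step has to 'remember' to drop it.
    """
    ceiling = LEVELS.index(scope["max_level"])
    candidates = [
        c for c in STORE
        if c["tenant"] == scope["tenant"] and LEVELS.index(c["classification"]) <= ceiling
    ]
    ranked = sorted(candidates, key=lambda c: cosine(query_vec, c["vec"]), reverse=True)
    return ranked[:k]


def assemble_context(chunks):
    """High-water mark: the composite label is the highest label of its parts."""
    hwm = max((LEVELS.index(c["classification"]) for c in chunks), default=0)
    return {
        "chunks": [c["id"] for c in chunks],
        "classification": LEVELS[hwm],
        "text": "\n".join(c["text"] for c in chunks),
    }


def release_allowed(context, channel):
    """Check the composite label against the channel, not each chunk in isolation."""
    return LEVELS.index(context["classification"]) <= LEVELS.index(CHANNEL_CEILING[channel])


def derive_scope(parent, requested_max_level=None):
    """A downstream tool inherits the parent's tenant and may only narrow clearance."""
    level = parent["max_level"]
    if requested_max_level is not None and LEVELS.index(requested_max_level) < LEVELS.index(level):
        level = requested_max_level
    return {"tenant": parent["tenant"], "max_level": level}


if __name__ == "__main__":
    scope = {"tenant": "acme", "max_level": "confidential"}
    ctx = assemble_context(search((1.0, 0.0, 0.0), scope))
    print(ctx["chunks"], ctx["classification"])
    for channel in CHANNEL_CEILING:
        print(channel, release_allowed(ctx, channel))
    print(derive_scope(scope, "restricted"))
```

Two individually approved internal chunks plus one confidential chunk produce a confidential context, so the same retrieval result can be released to an internal chat but not to an external email; this is the recombination check that per-document labels alone do not give you.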
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Runtime misuse often starts with stale or overbroad secrets. |
| OWASP Agentic AI Top 10 | | Agent behaviour can bypass static data-focused governance. |
| NIST AI RMF | | AI RMF centres governance on risk, not just data discovery. |
Replace long-lived secrets with scoped, short-lived credentials and revoke them at task completion.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org