They often assume the workflow stays the same and only the interface changes. In practice, embedded AI introduces new data retrieval paths, new trust boundaries, and new failure modes around accuracy and oversight. If those are not governed explicitly, the organisation has added a new access surface without updating the control plane.
Why This Matters for Security Teams
The mistake is not adding AI itself, but treating it like a cosmetic layer on top of an unchanged process. Once AI is embedded, the workflow starts pulling from new data sources, invoking tools, and making intermediate decisions that were never part of the original control design. That changes identity, access, logging, review, and rollback requirements at the same time. Current guidance suggests the right baseline is to govern the AI-enabled workflow as a distinct system boundary, not as a UI enhancement, consistent with the NIST Cybersecurity Framework 2.0 approach to managing risk across assets and dependencies.
This matters because AI can widen the attack surface before teams notice it. In the DeepSeek breach, exposed secrets and sensitive records showed how quickly AI-adjacent exposure becomes a governance problem, not just a model problem. The same pattern appears when AI is inserted into ticketing, code review, procurement, or customer support without redefining who can retrieve context, approve actions, or override the model. In practice, many security teams encounter the failure only after a production workflow has already leaked data or executed an unsafe action, rather than through intentional control testing.
How It Works in Practice
Security teams usually get better results when they map the AI-enabled workflow as a chain of identities and decisions. That means identifying what data the model can retrieve, what tools it can call, what prompts or agent instructions it can inherit, and what human approval gates remain mandatory. Where AI is acting autonomously, static RBAC alone is too blunt: a role might say “support analyst,” but the system also needs runtime checks on intent, context, and risk before a tool invocation is allowed. That is where policy-as-code and runtime authorisation become more useful than prewritten access matrices.
Practically, teams should separate three layers: the user identity, the workload identity, and the action permission. Workload identity can be established through cryptographic proof of the service or agent instance, while just-in-time credentials and ephemeral secrets reduce the blast radius if a workflow is hijacked. The DeepSeek breach is a reminder that embedded secrets and exposed infrastructure can turn an AI integration into a credential exposure event. For implementation guidance, the NIST Cybersecurity Framework 2.0 is useful for tying the new access surface back to asset inventory, monitoring, and recovery.
- Give the AI workflow its own inventory entry, owner, and risk classification.
- Use short-lived credentials for each task, not standing access for the whole agent or integration.
- Require approval for high-impact actions, even when the model has already generated a recommended step.
- Log retrievals, tool calls, and outputs as separate events so reviewers can reconstruct the decision path.
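The three-layer split above (user identity, workload identity, action permission), the short-lived per-task credential, the approval gate for high-impact actions and the one-event-per-decision logging can be expressed as a small policy-as-code gate in front of every tool call. The following Python is an added example written for this page, not NHI Mgmt Group's code or any product's implementation; the tool names, roles, impact tiers and the HMAC-based workload attestation are constructed for illustration (a real deployment would use certificate or platform attestation and a secrets service).

```python
"""Runtime authorisation gate for one AI tool call.

Added example: illustrative code, not NHI Mgmt Group's or any product's
implementation. The tool names, roles, impact tiers and the HMAC-based
workload attestation are constructed for this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Policy-as-code: which roles may trigger each tool and how impactful it is.
# "high" impact always passes through a human approval gate.
POLICY = {
    "ticket.read":    {"impact": "low",  "roles": {"support_analyst", "admin"}},
    "refund.issue":   {"impact": "high", "roles": {"support_analyst", "admin"}},
    "account.delete": {"impact": "high", "roles": {"admin"}},
}

# Constructed key used to attest the agent instance (the workload identity).
ATTEST_KEY = b"constructed-attestation-key-for-example"


class Denied(Exception):
    """Raised when a layer of the gate rejects the request."""


@dataclass
class ToolRequest:
    user: str                  # layer 1: the human (or calling) identity
    role: str
    workload: str              # layer 2: the agent instance performing the call
    workload_proof: str        # cryptographic proof of that instance
    tool: str                  # layer 3: the action being requested
    approved_by: Optional[str] = None


@dataclass
class Gate:
    events: List[dict] = field(default_factory=list)

    def log(self, kind: str, **data) -> None:
        # Every decision is its own event so a reviewer can rebuild the path.
        self.events.append({"ts": time.time(), "kind": kind, **data})


def attest(workload: str) -> str:
    """Proof the agent runtime presents for its instance id (constructed)."""
    return hmac.new(ATTEST_KEY, workload.encode(), hashlib.sha256).hexdigest()


def mint_task_credential(workload: str, tool: str, ttl_s: int = 60) -> dict:
    """Short-lived credential scoped to one tool call, not standing access."""
    return {"subject": workload, "scope": tool,
            "token": secrets.token_urlsafe(16), "expires_at": time.time() + ttl_s}


def authorize(gate: Gate, req: ToolRequest) -> dict:
    rule = POLICY.get(req.tool)
    if rule is None:                        # default deny for unknown tools
        gate.log("deny", user=req.user, tool=req.tool, reason="tool not in policy")
        raise Denied("tool not in policy")
    if req.role not in rule["roles"]:       # layer 1: user identity / role
        gate.log("deny", user=req.user, tool=req.tool, reason="role not permitted")
        raise Denied("role not permitted")
    if not hmac.compare_digest(attest(req.workload), req.workload_proof):
        gate.log("deny", user=req.user, workload=req.workload, tool=req.tool,
                 reason="workload attestation failed")      # layer 2
        raise Denied("workload attestation failed")
    if rule["impact"] == "high" and not req.approved_by:    # layer 3: approval gate
        gate.log("pending_approval", user=req.user, tool=req.tool)
        raise Denied("human approval required")
    cred = mint_task_credential(req.workload, req.tool)
    gate.log("tool_call", user=req.user, workload=req.workload, tool=req.tool,
             approved_by=req.approved_by, credential_expires_at=cred["expires_at"])
    return cred


def run_demo() -> List[str]:
    """Walk four constructed requests through the gate; returns the event kinds."""
    gate = Gate()
    proof = attest("agent-42")
    cases = [
        ToolRequest("alice", "support_analyst", "agent-42", proof, "ticket.read"),
        ToolRequest("alice", "support_analyst", "agent-42", proof, "refund.issue"),
        ToolRequest("alice", "support_analyst", "agent-42", proof, "refund.issue",
                    approved_by="bob"),
        ToolRequest("alice", "support_analyst", "agent-42", "forged-proof", "ticket.read"),
    ]
    for req in cases:
        try:
            authorize(gate, req)
        except Denied:
            pass
    return [e["kind"] for e in gate.events]


if __name__ == "__main__":
    for kind in run_demo():
        print(kind)
```

The demo sequence shows the ordering that matters in practice: a low-impact read passes on role plus attestation alone, a refund is held as `pending_approval` until a named approver is attached, and a request with a forged workload proof is refused even though the user and role are valid. Because each branch writes a distinct event, the log answers "who asked, which instance acted, what was permitted, and who signed off" without reconstructing it from the model's transcript.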
Frameworks such as the NIST Cybersecurity Framework 2.0 and CSF-style control mapping help, but the control set only works if the organisation treats AI outputs as operational actions, not suggestions. These controls tend to break down when the workflow is stitched together from many SaaS tools with shared API keys and no single policy enforcement point, because authorisation then becomes fragmented across systems.
Common Variations and Edge Cases
Tighter control often increases latency and review overhead, so organisations have to balance speed against the cost of preventing a bad action before it lands. That tradeoff is especially visible in high-volume service desks, developer productivity tools, and customer-facing copilots, where the business wants AI to move quickly but also wants deterministic governance. Best practice is evolving, but there is no universal standard for how much autonomy is acceptable in each workflow, so the answer depends on the impact of the action and the sensitivity of the data involved.
One common edge case is partial automation. A system may only draft an email, triage a ticket, or summarise a case, yet still access records that should be restricted. Another is agentic escalation, where an AI system chains low-risk tools into a high-risk outcome. This is why NHI and agentic controls must include secrets hygiene, runtime policy evaluation, and explicit limits on tool chaining, not just prompt filtering. The DeepSeek breach shows how fast embedded AI can amplify a secrets problem, while the NIST Cybersecurity Framework 2.0 remains the clearest external anchor for structuring the monitoring and response side of that risk.
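Both edge cases above, partial automation that touches restricted records and agentic escalation through chained low-risk tools, are chain-level problems that a per-call check cannot see. The following Python is an added example written for this page, not NHI Mgmt Group's code or any product's implementation; it evaluates a tool sequence against constructed rules (a sensitivity label carried from retrievals to later steps, a cumulative risk budget, and a cap on autonomous steps before a human checkpoint). The tool catalogue, labels and limits are constructed for illustration.

```python
"""Chain-level limits on agent tool use.

Added example, not NHI Mgmt Group's code. The tool catalogue, sensitivity
labels and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed catalogue: each tool declares its kind, its standalone risk and,
# for retrievals, the sensitivity label of the data it can return.
TOOLS: Dict[str, dict] = {
    "ticket.read":    {"kind": "retrieve",  "risk": 1, "label": "internal"},
    "hr.record.read": {"kind": "retrieve",  "risk": 1, "label": "restricted"},
    "text.summarise": {"kind": "transform", "risk": 0, "label": None},
    "email.draft":    {"kind": "transform", "risk": 0, "label": None},
    "email.send":     {"kind": "egress",    "risk": 2, "label": None},
    "file.export":    {"kind": "egress",    "risk": 2, "label": None},
}
SENSITIVITY_RANK = {"internal": 1, "restricted": 2}
MAX_AUTONOMOUS_STEPS = 4     # human checkpoint after this many unreviewed calls
CUMULATIVE_RISK_LIMIT = 4    # budget for the whole chain, not per call


@dataclass
class ChainState:
    steps: int = 0
    risk: int = 0
    labels: Set[str] = field(default_factory=set)   # taint carried forward


def decide(state: ChainState, tool: str) -> dict:
    """Decide one step given everything the chain has already touched."""
    spec = TOOLS.get(tool)
    if spec is None:                                  # default deny
        return {"tool": tool, "decision": "blocked", "reason": "tool not in catalogue"}
    highest = max((SENSITIVITY_RANK[l] for l in state.labels), default=0)

    # Rule 1: explicit limit on chaining restricted retrievals into egress.
    if spec["kind"] == "egress" and highest >= SENSITIVITY_RANK["restricted"]:
        return {"tool": tool, "decision": "blocked",
                "reason": "restricted data would leave the workflow"}
    # Rule 2: human checkpoint after N autonomous steps.
    if state.steps >= MAX_AUTONOMOUS_STEPS:
        return {"tool": tool, "decision": "checkpoint_required",
                "reason": f"{state.steps} autonomous steps reached"}
    # Rule 3: cumulative risk budget across the chain.
    if state.risk + spec["risk"] > CUMULATIVE_RISK_LIMIT:
        return {"tool": tool, "decision": "approval_required",
                "reason": "cumulative risk budget exceeded"}
    # Rule 4: any egress after reading internal data needs a human.
    if spec["kind"] == "egress" and highest > 0:
        return {"tool": tool, "decision": "approval_required",
                "reason": "egress after reading internal data"}

    # Allowed: record what this step adds to the chain.
    state.steps += 1
    state.risk += spec["risk"]
    if spec["label"]:
        state.labels.add(spec["label"])
    reason = "ok"
    if spec["kind"] == "transform" and highest >= SENSITIVITY_RANK["restricted"]:
        # Partial automation: the draft itself is low risk, but its context is not.
        reason = "output derived from restricted records; hold for review"
    return {"tool": tool, "decision": "allow", "reason": reason}


def evaluate_chain(chain: List[str]) -> List[dict]:
    """Evaluate steps in order; stop at the first one a human must handle."""
    state = ChainState()
    verdicts = []
    for tool in chain:
        verdict = decide(state, tool)
        verdicts.append(verdict)
        if verdict["decision"] != "allow":
            break
    return verdicts


if __name__ == "__main__":
    # Constructed escalation: every step is low risk on its own.
    for v in evaluate_chain(["ticket.read", "hr.record.read", "text.summarise",
                             "email.draft", "email.send"]):
        print(v["tool"], v["decision"], v["reason"])
```

In the constructed escalation the agent reads a ticket, reads an HR record, summarises, drafts an email and then tries to send it; each call is individually permissible, but the send is blocked because the chain carries a "restricted" label from the second retrieval. A chain that only read a ticket before sending is held for approval rather than blocked, and a long run of harmless reads hits the autonomous-step cap. The state object is deliberately tiny: what makes the check work is that it is evaluated at the enforcement point with the whole chain in view, not inside the prompt.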
For governance programmes, the practical rule is simple: if AI can read, retrieve, recommend, or act, then the workflow needs explicit identity, approval, and audit controls at each step. Anything less leaves organisations with a faster process that is harder to trust.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Agent autonomy creates unsafe tool use and hidden action paths. |
| CSA MAESTRO | GOV-2 | AI workflow governance needs ownership, policy, and approval gates. |
| NIST AI RMF | | AI RMF addresses risk, accountability, and monitoring for AI-enabled workflows. |

Map each AI workflow to AI RMF govern and monitor activities with clear accountability.
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org