Least privilege limits how much access one identity has, while separation of duties limits which identities can perform different steps in the model lifecycle. In practice, a team can still have least privilege and remain risky if the same account can train, register, and deploy a model. Both controls are needed for Vertex AI governance.
Why This Matters for Security Teams
Least privilege and separation of duties solve different failure modes, and AI workloads expose both at once. Least privilege limits what a single workload identity can reach, while separation of duties limits which identities can train, approve, register, and deploy a model. When teams confuse them, they may harden one account and still leave the release path unsafe.
This matters most when AI systems are not just scoring data but taking actions. Autonomous workflows can chain tools, call APIs, and move from experimentation into production faster than human review cycles. Current guidance suggests that the real risk is not only excessive access, but also concentrated control across the model lifecycle. NHI governance becomes harder because the identity boundary is now a workload, an agent, or a pipeline step rather than a person. For background on workload identity, see the Guide to SPIFFE and SPIRE and the SPIFFE workload identity specification.
In practice, many security teams encounter model abuse only after a privileged pipeline account has already been used to register, promote, and deploy an unsafe artifact.
How It Works in Practice
Least privilege is an access-scope control. It asks: “What can this identity do right now?” Separation of duties is a workflow-integrity control. It asks: “Should the same identity be able to complete more than one critical step?” For AI workloads, both should be enforced across data ingestion, training, evaluation, model registry, deployment, and rollback.
A practical pattern is to give each stage a distinct workload identity and to issue just-in-time secrets only for the duration of a task. That reduces the blast radius of a compromised agent or CI/CD job. The best-practice direction is moving toward runtime authorization, not static trust. Policies are evaluated at request time, based on context such as environment, artifact signature, approval state, and the exact action requested. For zero trust framing, NIST SP 800-207 Zero Trust Architecture is the clearest baseline, while the OWASP Non-Human Identity Top 10 is useful for common NHI failure patterns.
In operational terms, teams should separate at least these functions:
- Data preparation cannot approve model promotion.
- Training jobs cannot edit production policies.
- Model registry access cannot also deploy to runtime.
- Evaluation results cannot be self-approved by the same identity that generated them.
- Secrets should be short-lived and bound to workload identity, not copied into long-lived shared accounts.
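As an added example (not code from this page or from NHIMG), the Python below applies the pattern described above as a runtime authorization check: one SPIFFE identity per lifecycle stage with a minimal action scope, a JIT credential that stops working when the task window closes, and separation-of-duties rules evaluated against the artifact's lineage, signature, and approval state at request time. The SPIFFE IDs, the HMAC key standing in for a Sigstore or KMS signature, and the model records are constructed for the demo and are assumptions, not references to any real deployment.

```python
"""Added example: runtime authorization for a model release path that enforces
least privilege (per-stage scopes) and separation of duties (lineage checks).
SPIFFE IDs, signing key and model records below are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass

# Least privilege: each lifecycle stage gets its own workload identity whose
# scope is the minimum set of actions that stage needs. The "ci-shared" entry
# models the anti-pattern of one service account spanning the whole pipeline.
STAGE_SCOPES = {
    "spiffe://example.org/ml/data-prep":  {"write_dataset"},
    "spiffe://example.org/ml/training":   {"read_dataset", "write_artifact"},
    "spiffe://example.org/ml/evaluation": {"read_artifact", "write_eval"},
    "spiffe://example.org/ml/registry":   {"register_model"},
    "spiffe://example.org/ml/approver":   {"approve_promotion"},
    "spiffe://example.org/ml/deployer":   {"deploy_model", "rollback_model"},
    "spiffe://example.org/ml/policy":     {"edit_policy"},
    "spiffe://example.org/ml/ci-shared":  {"write_artifact", "register_model",
                                           "approve_promotion", "deploy_model"},
}

SIGNING_KEY = b"constructed-demo-signing-key"  # would live in a KMS in practice


def sign_digest(digest: str) -> str:
    # HMAC over the artifact digest stands in for a Sigstore/KMS signature.
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()


@dataclass
class ModelRecord:
    """Lineage of one artifact: which identity performed each critical step."""
    name: str
    digest: str
    signature: str = ""
    trained_by: str = ""
    evaluated_by: str = ""
    registered_by: str = ""
    approved_by: str = ""


@dataclass
class Request:
    actor: str          # workload identity presenting the request
    action: str
    environment: str    # "sandbox" or "prod"
    model: ModelRecord
    token_exp: float    # expiry of the JIT credential, Unix timestamp


def authorize(req: Request, now: float) -> tuple[bool, str]:
    """Decide at request time from context, not from static role trust."""
    # JIT credential: deny once the task window has closed.
    if now >= req.token_exp:
        return False, "credential expired"
    # Least privilege: the action must be inside the actor's stage scope.
    if req.action not in STAGE_SCOPES.get(req.actor, set()):
        return False, "action outside stage scope"
    m = req.model
    # Separation of duties: no identity completes two critical steps.
    if req.action == "approve_promotion" and req.actor in (
            m.trained_by, m.evaluated_by, m.registered_by):
        return False, "self-approval: actor already acted on this artifact"
    if req.action == "register_model" and req.actor == m.trained_by:
        return False, "training identity cannot register its own artifact"
    if req.action == "deploy_model":
        if req.actor in (m.trained_by, m.registered_by, m.approved_by):
            return False, "deployer overlaps with an earlier lifecycle step"
        if req.environment == "prod":
            # Production deploys need a valid signature and a recorded approval.
            if not hmac.compare_digest(m.signature, sign_digest(m.digest)):
                return False, "artifact signature invalid or missing"
            if not m.approved_by:
                return False, "no approval recorded"
    return True, "allowed"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the release path with separate identities and with the shared CI
    account; returns each decision keyed by scenario name."""
    org = "spiffe://example.org/ml/"
    clean = ModelRecord("fraud-scorer", "sha256:abc123",
                        trained_by=org + "training", evaluated_by=org + "evaluation",
                        registered_by=org + "registry", approved_by=org + "approver")
    clean.signature = sign_digest(clean.digest)
    shared = ModelRecord("fraud-scorer", "sha256:abc123",
                         trained_by=org + "ci-shared", registered_by=org + "ci-shared")
    shared.signature = sign_digest(shared.digest)
    now = 1_000_000.0
    cases = {
        "separate identities, prod deploy":
            Request(org + "deployer", "deploy_model", "prod", clean, now + 300),
        "training tries to edit policy":
            Request(org + "training", "edit_policy", "prod", clean, now + 300),
        "shared account approves its own artifact":
            Request(org + "ci-shared", "approve_promotion", "prod", shared, now + 300),
        "shared account deploys what it registered":
            Request(org + "ci-shared", "deploy_model", "prod", shared, now + 300),
        "expired JIT credential":
            Request(org + "deployer", "deploy_model", "prod", clean, now - 1),
    }
    return {name: authorize(r, now) for name, r in cases.items()}
```

The `ci-shared` identity is the instructive case: every action it attempts is inside its granted scope, so a scope-only check would pass, yet each request that would let it complete a second critical step on the same artifact is denied by the lineage rules. That is the gap between least privilege and separation of duties in one place.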
NHIMG research shows why this matters: the Ultimate Guide to NHIs — Key Challenges and Risks notes that machine identity failures are already common, and the Ultimate Guide to NHIs — What are Non-Human Identities is a useful primer for the identity model behind these controls. These controls tend to break down when one shared service account is used across CI/CD, registry operations, and production deployment because accountability and revocation both collapse.
Common Variations and Edge Cases
Tighter separation of duties often increases delivery overhead, requiring organisations to balance release speed against control integrity. That tradeoff is real, especially in small teams where the same engineers operate the pipeline and the model runtime.
No single standard yet prescribes this split for every AI stack, so start with the highest-risk boundaries first. In regulated environments, that usually means splitting training from deployment, and deployment from policy approval. In faster-moving teams, a lighter version may rely on approval gates, signed artifacts, and runtime policy checks rather than fully separate human teams.
Edge cases matter. A research notebook may reasonably have broad access in a sandbox, but that access should not follow the model into production. An agentic workflow may need temporary expansion to fetch tools or call a customer system, but that expansion should be JIT, logged, and revoked automatically. For deeper standards context, see the Ultimate Guide to NHIs — Standards and, where agentic behavior is involved, the DeepSeek breach case study, which shows how quickly tool access can turn into systemic exposure when governance is weak.
For AI workloads, least privilege is the floor and separation of duties is the guardrail; organisations that stop at one usually discover the gap only after a deployment path has already been abused.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 and the OWASP Agentic AI Top 10 describe the attack and risk surface, while the NIST AI RMF sets the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5 Overprivileged NHI; NHI7 Long-Lived Secrets | Least-privilege scoping and short-lived, identity-bound secrets are core NHI protections for AI workloads. |
| OWASP Agentic AI Top 10 | A-04 | Agentic workflows need runtime controls that separate actions from approvals. |
| NIST AI RMF | GOVERN function | AI RMF governance maps to accountability, access control, and lifecycle oversight. |
Define accountable owners for each AI lifecycle step and enforce review gates before release.
Related resources from NHI Mgmt Group
- What is the difference between secrets rotation and least privilege for AI workloads?
- What is the difference between privilege reduction and secret rotation?
- What is the difference between least privilege for humans and least privilege for AI agents?
- What is the difference between JIT access and least privilege for AI agents?
Reviewed and updated by the NHIMG editorial team on May 30, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org