Because support flows often combine authenticated browsers, cookies, and human escalation inside one conversation. If the chatbot can influence page content or external requests, bearer tokens may be exposed. The risk grows when the same session context moves from bot to human without revalidation.
Why This Matters for Security Teams
Customer support chatbots are not just conversational interfaces. They often sit inside authenticated web sessions, inherit browser state, and trigger account changes, refunds, resets, or escalation to a live agent. That makes them a session boundary problem, not just a chatbot problem. When a bot can shape page content, call tools, or pass context into a human workflow, it can also become a path to bearer token exposure and session misuse.
This risk is easiest to miss in flows that look harmless on the surface, especially when teams assume the chatbot is “only reading” or that the browser will safely separate bot actions from user actions. In practice, support journeys often reuse cookies, local storage, one-time links, and internal APIs in ways that were never designed for conversational orchestration. NHI Management Group has documented how identity failures around autonomous or semi-autonomous systems show up late in the attack path, not at design time, as seen in the OmniGPT Breach — 34M Conversations Exposed and the Meta AI Instagram Account Takeover.
Current guidance from NIST Cybersecurity Framework 2.0 and the OWASP NHI Top 10 points to the same issue: once identity and session state are mixed across bot, browser, and agent handoff, the blast radius expands quickly. In practice, many security teams encounter session theft only after an escalation path has already reused the wrong context.
How It Works in Practice
The risk appears when a chatbot shares trust with the customer browser session or with support tooling that accepts the chatbot’s output as if it were user-authored. A prompt injection, malicious link, or crafted support request can persuade the bot to reveal information, navigate to sensitive pages, or trigger an action that exposes session material. If the support system stores tokens in the browser, returns secrets in hidden fields, or allows the bot to generate content that the browser later executes, the conversation itself becomes an attack surface.
Better designs separate the chatbot from the authenticated session and treat the bot as an untrusted workload. That usually means:
- Keeping the customer session and chatbot session distinct, even when they appear in the same support flow.
- Using short-lived, scoped tokens for any bot-to-backend action instead of reusing the customer’s bearer token.
- Revalidating identity before privileged steps such as password resets, payout changes, or account recovery.
- Preventing the bot from directly emitting executable content, sensitive URLs, or token-bearing requests.
- Logging the handoff path so support agents can see when context moved from automation to human review.
This is where identity governance and web security overlap. The question is not whether the chatbot can “see” the session, but whether it can influence the authenticated surface that owns the session. The Top 10 NHI Issues and Ultimate Guide to NHIs both emphasise that secrets and delegated access become brittle when a non-human system is allowed to act inside a human trust boundary. For control design, NIST SP 800-53 Rev 5 Security and Privacy Controls supports access restriction, session protection, and auditability, but the implementation has to be adapted to conversational workflows. These controls tend to break down when support bots can directly initiate authenticated browser actions in legacy portals because the portal assumes every request came from a human in control of the tab.
Common Variations and Edge Cases
Tighter session controls often increase support friction, requiring organisations to balance fraud resistance against drop-off in legitimate customer journeys. That tradeoff is especially visible in high-volume support, where teams want frictionless escalation and fast resolution.
There is no universal standard for this yet, but current guidance suggests treating these as separate patterns: informational chatbot, transactional assistant, and authenticated human support. A low-risk FAQ bot may never need access to session state. A billing assistant may need a short-lived token with narrow scope. A recovery workflow should usually force step-up authentication before any irreversible change. The more the bot can chain actions, the more important it becomes to issue ephemeral credentials, limit tool scope, and validate each step in real time.
Edge cases are common in federated support environments, where third-party chat widgets, outsourced contact centres, and identity-provider redirects all touch the same user journey. The danger is not only token theft but context confusion, where the human agent inherits a bot-established session and assumes it was already revalidated. That pattern shows up in the kinds of support and identity failures covered by NHIMG research on the McDonald's McHire AI Chatbot Default Credentials and the 2024 ESG Report: Managing Non-Human Identities. In mixed human-bot support stacks, the failure point is often the handoff, because the system preserves convenience while silently preserving trust.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic flows can expose sessions through tool use and prompt injection. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Supports limiting non-human access and reducing token exposure in support flows. |
| CSA MAESTRO | CT-2 | Covers runtime control of agent actions and escalation paths. |
| NIST AI RMF | GOVERN | AI governance is needed when support bots can affect authenticated flows. |
| NIST CSF 2.0 | PR.AC-4 | Supports access restriction and session protection for support workflows. |
Assign ownership, review risk, and define approval gates for chatbot interactions with identity data.
Related resources from NHI Mgmt Group
- Why do repository compromises create a wider security risk than code theft alone?
- Why do support systems create identity and trust risk even without account compromise?
- Why do AI agents create new risk for credential harvesting and intrusion workflows?
- Why do OAuth-connected support tools create elevated NHI risk?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org