
AI Disclosure

By NHI Mgmt Group Updated June 10, 2026 Domain: Governance, Ownership & Risk

AI disclosure is the practice of documenting where AI tools and agents are used, what they can access, and who is accountable for their operation. It turns hidden or informal AI use into something governance, audit, and security teams can verify and review.

Expanded Definition

AI disclosure is the governance practice of making AI use visible enough for security, audit, and operational oversight to verify. In NHI and IAM environments, that means identifying where AI tools, copilots, and autonomous agents are deployed, what data and secrets they can reach, which systems they can act on, and which human or machine owner remains accountable. This is narrower than generic AI policy language and more operational than a public-facing AI statement.

Its meaning is still evolving across vendors and industries. Some teams treat disclosure as an inventory requirement, while others extend it into risk classification, change management, and runtime monitoring. For a practical baseline, organisations can anchor disclosure to the governance logic in the NIST Cybersecurity Framework 2.0 and then map AI-specific disclosures to access paths, secret exposure, and control ownership. NHI Management Group treats disclosure as a control enabler, not just a reporting exercise.

The most common misapplication is equating AI disclosure with a one-time register, which occurs when teams record a tool name but omit permissions, prompts, connected identities, and responsible owners.

Examples and Use Cases

Implementing AI disclosure rigorously often introduces governance overhead, requiring organisations to weigh visibility and accountability against the friction of maintaining current records as tools and permissions change.

  • A security team inventories every internal agent, then records the service identity, secret source, and systems it can query so reviewers can trace behaviour during an incident.
  • A product group discloses a customer support copilot that can draft replies but cannot send messages without human approval, reducing ambiguity around decision authority.
  • An engineering team documents that a code assistant can access private repositories but not production credentials, aligning access with least privilege and review requirements.
  • A compliance function tracks an AI workflow that touches regulated records and links it to ownership, retention, and logging controls before deployment.
  • An incident response team uses disclosure records to determine whether an exposed token belongs to a human user, a workload, or an AI agent after suspicious activity is detected in the environment.
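The first and last use cases above, as an added example that is not part of the original glossary entry: a small checker over a constructed disclosure register that flags records which name a tool but omit permissions, connected identities, and an owner, and that resolves an exposed credential id to the kind of entity (human, workload, or AI agent) and owner it belongs to. The record fields, vault paths, and identity ids are assumptions made for the example.

```python
# Added example: checking an AI disclosure register for the gaps described above
# and resolving an exposed credential to its owner. All records are constructed.
from dataclasses import dataclass, field

# Fields a disclosure record needs beyond the tool name (the "one-time register" gap)
REQUIRED = ("permissions", "connected_identities", "owner")

@dataclass
class DisclosureRecord:
    tool: str
    kind: str                       # "human", "workload" or "ai_agent"
    owner: str = ""                 # accountable team or person
    permissions: list = field(default_factory=list)
    connected_identities: list = field(default_factory=list)  # credential / service ids
    secret_source: str = ""         # where the agent's secret is issued from

# Constructed register: one complete agent record, one "tool name only" record,
# and one ordinary workload so lookups can distinguish entity kinds.
REGISTER = [
    DisclosureRecord("support-copilot", "ai_agent", owner="cx-platform",
                     permissions=["tickets:read", "replies:draft"],
                     connected_identities=["svc-copilot-01"],
                     secret_source="vault://cx/copilot"),
    DisclosureRecord("code-assistant", "ai_agent"),
    DisclosureRecord("nightly-etl", "workload", owner="data-eng",
                     permissions=["warehouse:write"],
                     connected_identities=["svc-etl-07"],
                     secret_source="vault://data/etl"),
]

def find_gaps(register):
    """Return {tool: [missing fields]} for records that omit any REQUIRED field."""
    gaps = {}
    for rec in register:
        missing = [f for f in REQUIRED if not getattr(rec, f)]
        if missing:
            gaps[rec.tool] = missing
    return gaps

def classify_credential(register, identity_id):
    """Map an exposed credential id to (kind, tool, owner); None means it is undisclosed."""
    for rec in register:
        if identity_id in rec.connected_identities:
            return rec.kind, rec.tool, rec.owner
    return None

if __name__ == "__main__":
    print(find_gaps(REGISTER))
    print(classify_credential(REGISTER, "svc-copilot-01"))
```

A `None` from `classify_credential` is itself a finding: the credential is live in the environment but absent from the disclosure record, which is exactly the undocumented access path the entry warns about.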

These patterns become clearer when read alongside the LLMjacking article, which shows how attackers exploit compromised NHIs to reach AI systems, and the identity handling guidance reflected in NIST Cybersecurity Framework 2.0. For a concrete breach example, the DeepSeek breach illustrates why undocumented AI access paths become difficult to contain.

Why It Matters in NHI Security

AI disclosure matters because undisclosed AI usage often hides the exact conditions that attackers exploit: overbroad access, shared secrets, unclear ownership, and systems that can act faster than governance can respond. When AI tools are invisible to inventory processes, they are also invisible to access reviews, logging expectations, and offboarding controls. That creates a direct NHI risk because an agent with a valid credential can behave like a trusted workload while still operating outside approved oversight.

NHI Management Group research shows how quickly exposed credentials can be weaponised: in the LLMjacking research, attackers attempted access to public AWS credentials in an average of 17 minutes. In parallel, the State of Secrets in AppSec findings show that only 44% of developers consistently follow secrets management best practices. Together, those conditions make undisclosed AI access especially dangerous because teams often learn about the exposure only after an AI-powered workflow has already touched sensitive systems.

Organisations typically encounter the operational cost of AI disclosure only after a secret leak, unauthorized model action, or incident review, at which point the disclosure record becomes unavoidable to reconstruct what the AI could access and who was responsible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Agentic AI guidance stresses visibility into autonomous tools, permissions, and oversight.
OWASP Non-Human Identity Top 10 | NHI-01 | NHI governance centers on inventorying non-human identities and their access paths.
NIST CSF 2.0 | GV.OV-01 | Governance and oversight require organizations to understand technology use and accountability.

Document each agent's access, actions, and human owner before allowing production use.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org