
Model Selection Policy

By NHI Mgmt Group | Updated June 20, 2026 | Domain: Governance, Ownership & Risk

Model selection policy is the set of rules that determines which model can handle a request and under what conditions. It should account for sensitivity, cost, regulatory exposure, and logging requirements so routing does not become an unmanaged access path.

Expanded Definition

Model selection policy is the decision layer that assigns a request to a specific model based on sensitivity, permitted tool use, cost, latency, jurisdiction, and logging obligations. In NHI and agentic AI governance, it is not just a routing rule. It is an access-control decision for which model may process which data, under what oversight, and with what evidentiary trail. That makes it operationally adjacent to least privilege, data classification, and workload segmentation.

Definitions vary across vendors, especially where platforms blur together model routing, prompt filtering, and policy enforcement. NHI Management Group treats model selection policy as a control boundary, not a convenience feature. When implemented well, it helps prevent high-risk data from reaching lower-assurance models and reduces the chance that an agent can silently escalate into a broader execution path. For context on how identity and access failures compound across machine identities, see Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0.

The most common misapplication is treating model selection as a cost-saving toggle, which occurs when teams route requests by price alone and ignore data sensitivity, auditability, or jurisdictional constraints.

Examples and Use Cases

Implementing model selection policy rigorously often introduces operational friction, requiring organisations to weigh speed and lower inference cost against governance, traceability, and risk containment.

  • A customer-support agent handling public FAQs is routed to a low-cost general model, while anything containing account identifiers is forced to a higher-assurance model with stricter logging.
  • A finance workflow uses a regional model only when the request includes regulated records, because data residency rules and audit retention are part of the selection criteria.
  • An internal coding assistant is allowed to use broader tooling for non-sensitive refactoring, but secret-bearing prompts are blocked or redirected before any model sees them.
  • During high-risk incident response, a policy selects a deterministic, fully logged model path so investigators can reconstruct what data was processed and why.
  • NHI governance teams use the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs to align model routing with service account lifecycle controls, and map those decisions to NIST Cybersecurity Framework 2.0 expectations for controlled access.

In practice, model selection policy is often paired with prompt classification, secret detection, and policy-as-code enforcement so routing decisions happen before an agent can act on a request.
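
The use cases above can be expressed as a routing gate that runs before any model is called. This is an added example, not code from NHI Mgmt Group or any vendor; the model names, assurance tiers, regions, the ACCT- identifier format and the secret patterns are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Model:
    name: str
    assurance: int       # 1 = general purpose, 2 = higher assurance
    region: str          # where inference and logs reside
    full_logging: bool   # prompts and outputs retained for audit
    cost: int            # relative cost per request

# Hypothetical catalogue: names, tiers and regions are constructed.
CATALOGUE = [
    Model("general-small", 1, "global", False, 1),
    Model("assured-large", 2, "global", True, 5),
    Model("assured-eu", 2, "eu", True, 6),
]

# Assumed detectors: an AWS-style access key ID or PEM private key header,
# and a constructed account-identifier format.
SECRET_RE = re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----")
ACCOUNT_RE = re.compile(r"\bACCT-\d{6,}\b")

@dataclass(frozen=True)
class Decision:
    allowed: bool
    model: Optional[str]
    reason: str          # written to the audit trail with every decision

def select_model(prompt, regulated=False, residency=None, catalogue=CATALOGUE):
    # Secret-bearing prompts are blocked before any model sees them.
    if SECRET_RE.search(prompt):
        return Decision(False, None, "secret_detected")
    sensitive = regulated or bool(ACCOUNT_RE.search(prompt))
    required_tier = 2 if sensitive else 1
    eligible = [
        m for m in catalogue
        if m.assurance >= required_tier
        and (m.full_logging or not sensitive)
        and (residency is None or m.region == residency)
    ]
    if not eligible:
        # Fail closed: never fall back to a model that misses a constraint.
        return Decision(False, None, "no_compliant_model")
    # Cost is only a tie-breaker among models that already satisfy policy.
    chosen = min(eligible, key=lambda m: m.cost)
    return Decision(True, chosen.name, f"tier>={required_tier}")
```

Because price is applied only after sensitivity, logging and residency have filtered the candidates, a cheaper model cannot win a request it is not permitted to process.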

Why It Matters in NHI Security

Model selection policy matters because the model itself becomes part of the trust boundary. If a low-assurance model can process regulated data, generate tool calls, or emit unreviewed outputs, the organisation has created an unmanaged access path that is hard to detect after the fact. That is especially dangerous in NHI environments where service accounts, API keys, and agent credentials can be overprivileged and widely distributed.

The risk is not theoretical. NHI Management Group reports that 71% of NHIs are not rotated within recommended time frames, and routing weaknesses can amplify the blast radius when those identities are used by autonomous agents. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives highlights why auditability must be built into selection decisions, not added later. Model choice should therefore reflect governance, not just performance.

Organisations typically encounter the consequences only after a data exposure, policy violation, or incident review, at which point addressing model selection policy becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Covers agent routing and tool-use controls that model selection policy helps constrain.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access principles apply when selecting which model may handle a request.
NIST AI RMF | | AI risk management requires controlled deployment decisions, including model choice by context.

Gate model access by sensitivity and tool authority before an agent can execute requests.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 20, 2026.