Subscribe to the Non-Human & AI Identity Journal
Home Glossary Governance, Ownership & Risk Sensitivity setting
Governance, Ownership & Risk

Sensitivity setting

← Back to Glossary
By NHI Mgmt Group Updated July 5, 2026 Domain: Governance, Ownership & Risk

A sensitivity setting is a control parameter that changes how aggressively a policy flags or blocks behaviour. In GenAI environments, it is effectively a risk-tolerance dial, balancing user friction against the chance of missing harmful prompts, outputs, or manipulative interactions.

Expanded Definition

Sensitivity setting is the configurable threshold that determines when a policy, detector, or guardrail should warn, rate-limit, escalate, or block. In agentic AI and NHI-adjacent controls, it functions as an operational risk-tolerance dial rather than a fixed security property. A higher setting catches more borderline behavior, while a lower setting reduces false positives and user friction, but can miss abusive prompts, unsafe outputs, or coercive interaction patterns. That tradeoff is why no single standard governs this yet; definitions vary across vendors, especially in moderation, fraud detection, and agent tool-use controls.

In practice, the term is used across prompt filtering, anomaly scoring, and workflow approvals, where the same control may need different sensitivity depending on the data classification, tool privileges, and blast radius of a mistaken action. For a standards baseline on control tuning and outcomes, NIST’s NIST Cybersecurity Framework 2.0 is a useful reference point for framing detection and response objectives. The most common misapplication is treating sensitivity setting as a universal safety guarantee, which occurs when teams assume one threshold works across all prompts, tools, and privilege levels.

Examples and Use Cases

Implementing sensitivity setting rigorously often introduces a genuine tradeoff between precision and operational friction, requiring organisations to weigh faster user workflows against stronger protection from harmful or manipulative behavior.

  • A customer support agent uses a higher moderation threshold for outbound replies so borderline policy violations are held for review before they reach customers.
  • An internal coding assistant applies a lower threshold for harmless refactoring suggestions, but increases sensitivity when it detects credential handling or deployment actions.
  • A security team tunes sensitivity to flag unusual agent tool calls, such as mass file reads or privilege changes, before they become irreversible actions.
  • An organisation calibrates a prompt-risk score differently for public users and employees with elevated access, reflecting the different impact of a false negative.
  • After reviewing lessons from the Ultimate Guide to NHIs, a team raises sensitivity for service-account workflows that can trigger secrets access or API fan-out.

These examples also align with broader guidance from the NIST Cybersecurity Framework 2.0, which encourages organisations to tune controls to business context rather than rely on static enforcement everywhere.

Why It Matters in NHI Security

Sensitivity setting matters because NHI security failures often begin as small missed signals: an unusual token request, a misrouted agent action, or a prompt that nudges a system toward excessive access. If the threshold is too permissive, risky automation can continue unnoticed; if it is too strict, administrators may disable the control or train users to ignore alerts. That is especially dangerous in environments where NHIs already outnumber human identities by 25x to 50x, and where 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to NHI Management Group’s Ultimate Guide to NHIs.

In governance terms, sensitivity setting becomes part of how teams operationalise detection, escalation, and containment across agents, secrets, and service accounts. The goal is not maximum blocking, but the right threshold for the asset and action involved. Organisations typically encounter the cost of a poor threshold only after a missed abuse case, at which point sensitivity setting becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10A2Threshold tuning affects how agentic systems detect unsafe prompts and actions.
NIST AI RMFRisk management guidance supports calibrating controls to context and impact.
NIST CSF 2.0DE.CM-1Continuous monitoring depends on thresholds that surface meaningful anomalies.

Set sensitivity based on use-case risk, then monitor whether the threshold reduces harm without blocking legitimate use.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org