How to Govern OpenAI Access While Enforcing Least Privilege: Three Enterprise Perspectives

Generative AI is increasingly integrated into critical enterprise workflows, raising significant governance and security concerns related to non-human identities, such as service accounts and automation bots, which often outnumber human users significantly. These unmanaged identities pose substantial risks, such as data breaches and compliance issues, due to over-permissioned roles and untracked access, which are underscored by warnings from organizations like CrowdStrike and Google Cloud. Enterprises struggle to manage this identity sprawl effectively, with challenges in proving compliance and applying the principle of least privilege (PoLP) to prevent unauthorized access to sensitive data or AI models. Modern identity governance tools, like Veza, aim to address these issues by providing visibility into who can perform specific actions within AI systems, automating access reviews, and ensuring audit-proof governance, thereby helping organizations maintain compliance with frameworks such as SOX, PCI DSS, NIST 800-53, and ISO 27001.