
Jason Elrod, CISO at MultiCare Health System, has a habit of naming precisely the things most security leaders spend their careers circling around. When we sat down to talk through how he is thinking about AI security inside one of the country's largest health systems, a few things landed hard.
AI hygiene is the discipline of governing how people, systems, and processes interact with AI tools: what AI is in use, by whom, with what data, under what access controls, and with what accountability for outcomes. Most enterprises have mature frameworks for vulnerability management, identity governance, and data classification. Almost none have an equivalent practice for AI. That gap is not theoretical. It is operational, and it compounds every quarter that agents run without a defined accountability structure.
The framing Jason proposed, AI hygiene, fills a specific gap. Policy review meetings and deployment checklists address the moment of approval. They do not address what happens at 2 AM when no one is watching and a model is still making decisions. Most organizations have no answer for that. Vulnerability management has patch cycles and severity scoring. Identity governance has joiner-mover-leaver workflows. AI governance, for most enterprises, has a sign-off document and an assumption that the approved tool will behave as expected indefinitely.
That assumption is where risk accumulates.
Jason laid out a foundation that has held up since before AI entered the picture: data is the asset, identity is the perimeter, and the context and classification of that data determine the controls. Organizations that do that well, he said, are ahead of the majority of their peers.
The problem is that most security programs are built entirely around human identities, with service accounts and API keys managed at the edges. What most still struggle with is governing non-human identities that are nondeterministic. An AI agent is not a cron job. It does not follow a fixed path from input to output. It makes decisions autonomously, and the identity governance frameworks built for human users and static service accounts were not designed to evaluate that kind of behavior.
The gap compounds every time an agent is provisioned without a defined owner, a scoped permission set, or a feedback loop to detect when its behavior drifts from its original purpose.
Shadow AI is not only employees using personal ChatGPT accounts on their work laptops. It is also the SaaS tool your organization approved three or four years ago that quietly shipped AI capabilities inside a product update cycle. You never reviewed the AI component specifically. You never approved what it could do with your data. But now it is in your environment, processing sensitive information, and your existing controls were not designed for what it is doing.
The question most security programs ask is: what unauthorized AI are people using? The question they are not asking is: what AI capabilities have entered my environment through things I already said yes to, and do I have any visibility into what those capabilities are actually doing?
Both questions need an answer.
Traditional DLP and CASB controls were built for a deterministic world. Data lived here, traveled via this path, arrived there. The tooling sat in the middle, inspected the transaction, and applied the control.
Nondeterministic agents break that model at the architectural level. The data path is not fixed in advance. An agent working toward a goal might decide the most efficient route involves pulling from a system, routing through a tool call, or enlisting another agent, none of which crosses the wire in the way traditional controls expect.
Jason made this concrete with a demonstration he ran at a large software company. The organization was confident their CASB and DLP controls were in place. He prompted an agent to find a workaround. Through agent-to-agent communication, it did. Everything happened server-side, outside the sight lines of every perimeter control the organization had invested in.
The answer is not to abandon those controls. It is to complement them with something that can evaluate intent and behavior at the agent layer, with full context, not just at the network edge. OWASP's Top 10 for Agentic Applications documents the specific failure modes this creates, including unsafe tool execution, insecure memory, and agent-to-agent trust abuse, and is a useful reference for security architects designing controls for this surface.
Jason keeps returning to five questions that form the practical foundation of AI hygiene. They map closely to the govern and measure functions in NIST's AI Risk Management Framework, applied at the agent level rather than the program level.
At Opsin, across our enterprise customer base, we see teams that can answer questions one and two reasonably well by the time they engage us. Questions three through five are almost universally underdeveloped. Culligan, for example, came in with strong perimeter controls and found that 80% of Copilot queries were surfacing sensitive data they had no visibility into. The accountability and drift detection questions had no answer until they had a baseline to measure against.
The relationship between security governance and business velocity is worth addressing directly because it comes up in almost every CISO conversation I have.
Jason offered an analogy that I have been using ever since. Picture a four-lane road with no lines, no lights, no divider, no posted speed limit, and no defined direction of travel. Put hundreds of people on it. How fast does anyone actually move? Not fast. Everyone self-constrains under uncertainty. They slow down because they do not know what is coming at them.
Now add the infrastructure: lanes, lights, guardrails, a cement divider. What happens? People move faster, more predictably, with less hesitation. The constraints create the conditions for speed.
The same logic applies to AI deployment inside an enterprise. When there are no guardrails, teams slow down or diverge. When the governance structure is coherent, with approved tooling, clear permissions, and defined accountability, teams can move. Security stops being the department of no and becomes the infrastructure that makes yes sustainable.
As Jason put it: security is not here to drive the car for you, or to put you on a bicycle with armor on it. We are here to build the highway.
Like employees, agents have a role, access, and a defined scope of action. They should have a place on something like an org chart, with role-based access controls that match their actual function and a named owner who is accountable for their behavior.
If you would not onboard a thousand human employees in a month without identity governance, background checks, and a clear accountability structure, the same standard should apply to agents. The volume and speed at which enterprises are provisioning AI agents right now makes that discipline more urgent, not less.
The security teams getting ahead of this are the ones treating agent governance as an identity problem first and an AI problem second. That framing gives them existing infrastructure to build on, existing workflows to extend, and a much cleaner answer when the audit question arrives.
AI hygiene is the discipline of governing how people, systems, and processes interact with AI tools, covering what AI is in use, by whom, with what data, under what access controls, and with what accountability for outcomes. Existing frameworks like vulnerability management and identity governance address predictable, deterministic systems. AI agents are nondeterministic: they make autonomous decisions, accumulate permissions over time, and can behave differently than they were originally configured without triggering any existing control. That behavioral dimension falls outside what most current frameworks were built to evaluate.
AI agents are non-human identities that behave fundamentally differently from service accounts or API keys. They do not follow fixed input-to-output paths. They make decisions autonomously, can invoke other agents, and can expand their effective scope without explicit reauthorization. Identity governance frameworks built for human users and static service accounts were not designed to evaluate that kind of behavior, which means most enterprises are governing the provisioning moment but not the ongoing operational risk.
DLP and CASB controls were designed for deterministic data flows where data travels a predictable path between systems. Agentic AI breaks that model because agents decide their own routes: which systems to query, which tools to invoke, which sub-agents to enlist. Much of that activity occurs server-side and never crosses the network edge where perimeter controls are positioned. OWASP's Top 10 for Agentic Applications documents the specific failure modes this creates, including unsafe tool execution and agent-to-agent trust abuse.
The five questions, which map to the govern and measure functions of NIST's AI Risk Management Framework at the agent level, are: What AI systems are in production and who authorized them? What is each system authorized to do autonomously? Who is accountable when an AI output causes harm? How would you know if an AI system started behaving differently than intended? And if your AI outputs were audited tomorrow, could you explain the basis for every decision? Organizations that cannot answer all five have unresolved governance gaps that will become audit findings.
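The point that agents belong on something like an org chart, and the five questions above, both reduce to the same mechanics: a registry that records owner, approver, and declared scope for every agent, and a check that runs tool-call audit records against it. The block below is an added illustration written for this article, not Opsin's product or anything from MultiCare; the agent names, owners, tools, data classifications, and the JSON audit records are all constructed for the example. It flags unowned agents (question 3), activity outside declared tool or data scope (question 2), data reached transitively through an agent-to-agent call that the calling agent was never cleared for, agents that appear in the logs but not in the registry (shadow AI), and tools an agent starts using after a baseline window (question 4).

```python
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentRecord:
    """One row of the agent 'org chart': who owns it and what it may do."""
    agent_id: str
    owner: str             # accountable human; empty string means unowned
    approved_by: str       # who signed off on deployment
    allowed_tools: frozenset
    allowed_data: frozenset  # data classifications the agent may touch


# Constructed registry for the example (hypothetical agents, owners and scopes).
REGISTRY = {
    "agt-claims-summarizer": AgentRecord(
        "agt-claims-summarizer", "j.doe", "ciso-office",
        frozenset({"read_claims", "write_summary"}), frozenset({"internal", "phi"})),
    "agt-helpdesk": AgentRecord(
        "agt-helpdesk", "", "it-ops",
        frozenset({"search_kb", "open_ticket"}), frozenset({"public", "internal"})),
}

# Constructed audit records, one JSON object per line (not real logs).
# "caller" marks an agent-to-agent invocation; "target" marks a delegation.
AUDIT_LOG = """\
{"ts": 1, "agent": "agt-claims-summarizer", "tool": "read_claims", "data": "phi"}
{"ts": 2, "agent": "agt-claims-summarizer", "tool": "write_summary", "data": "internal"}
{"ts": 3, "agent": "agt-helpdesk", "tool": "search_kb", "data": "internal"}
{"ts": 4, "agent": "agt-helpdesk", "tool": "delegate", "data": "phi", "target": "agt-claims-summarizer"}
{"ts": 5, "agent": "agt-claims-summarizer", "tool": "read_claims", "data": "phi", "caller": "agt-helpdesk"}
{"ts": 6, "agent": "agt-vendor-copilot", "tool": "export_records", "data": "phi"}
"""


def parse_audit(text):
    """Parse newline-delimited JSON audit records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def registry_findings(registry):
    """Questions 1 and 3: every agent needs an approver and a named owner."""
    out = []
    for rec in registry.values():
        if not rec.approved_by:
            out.append((rec.agent_id, "no_approver"))
        if not rec.owner:
            out.append((rec.agent_id, "no_owner"))
    return out


def event_findings(registry, events):
    """Question 2: flag activity outside each agent's declared scope.

    Returns (ts, agent, finding) tuples. An unregistered agent is reported once
    per event and not scope-checked, since it has no declared scope at all.
    """
    out = []
    for ev in events:
        rec = registry.get(ev["agent"])
        if rec is None:
            out.append((ev["ts"], ev["agent"], "unregistered_agent"))
            continue
        if ev["tool"] not in rec.allowed_tools:
            out.append((ev["ts"], ev["agent"], "tool_out_of_scope:" + ev["tool"]))
        if ev["data"] not in rec.allowed_data:
            out.append((ev["ts"], ev["agent"], "data_out_of_scope:" + ev["data"]))
        # Agent-to-agent call: the effective scope is bounded by the caller's
        # clearance, otherwise the callee becomes a confused deputy.
        caller = registry.get(ev.get("caller", ""))
        if caller is not None and ev["data"] not in caller.allowed_data:
            out.append((ev["ts"], ev["agent"],
                        "transitive_data_out_of_scope_via:" + caller.agent_id))
    return out


def tool_drift(events, baseline_end_ts):
    """Question 4: tools an agent starts using after the baseline window."""
    baseline, current = defaultdict(set), defaultdict(set)
    for ev in events:
        bucket = baseline if ev["ts"] <= baseline_end_ts else current
        bucket[ev["agent"]].add(ev["tool"])
    return {a: sorted(current[a] - baseline[a])
            for a in current if current[a] - baseline[a]}


if __name__ == "__main__":
    events = parse_audit(AUDIT_LOG)
    for finding in registry_findings(REGISTRY) + event_findings(REGISTRY, events):
        print("FINDING", finding)
    print("DRIFT", tool_drift(events, baseline_end_ts=3))
```

Two design points are worth noting. The transitive check is what makes the agent-to-agent bypass in Jason's demonstration visible: the summarizer is cleared for PHI, the helpdesk agent is not, so a PHI read performed on the helpdesk agent's behalf is a finding even though the summarizer itself stayed in scope. And drift is measured against a recorded baseline rather than against the approval document, which is the point of question four: you can only notice a change in behavior if you captured what normal looked like.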
Governance constraints accelerate AI adoption when they are designed well. An ungoverned environment forces every team to self-constrain under uncertainty because no one knows what is allowed, what is safe, or who is accountable. A coherent governance structure, with approved tooling, clear permissions, and defined accountability, removes that friction. Teams move faster when the infrastructure is in place, not slower. The security function's role is not to limit what AI can do but to build the conditions under which the organization can scale it confidently.