Secure AI Atlas SECURITY & GOVERNANCE

Control

SSO and MFA for Enterprise AI Platforms

Enterprise identity controls reduce account takeover risk and improve visibility for approved AI tools.

identity MFA enterprise AI

What it constrains

SSO and MFA connect approved AI platforms to the organization’s identity control plane. They reduce account takeover risk and make AI use visible through joiner, mover, leaver, and access-review processes.

Implementation

  • Prefer enterprise accounts over personal accounts.
  • Require MFA for users and administrators.
  • Use role-based access where the tool supports it.
  • Review privileged roles, inactive users, and external collaborators.
  • Align AI platform access with procurement and the Approved AI Tool Register.
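
One way to run the review items above against a user export from an AI platform, added here as an illustration and not taken from the original page or any vendor's tooling. The CSV columns, domain lists, privileged role names and 90-day inactivity threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are hypothetical, not any vendor's schema.
SAMPLE_EXPORT = """email,role,auth_method,mfa_enrolled,last_login
alice@example.com,admin,sso,true,2024-05-28
bob@example.com,admin,password,false,2024-05-30
carol@example.com,member,sso,true,2024-01-02
dave@gmail.com,member,password,true,2024-05-29
erin@partner.example.net,member,sso,true,2024-05-20
frank@example.com,member,sso,true,2024-05-31
"""

CORPORATE_DOMAINS = {"example.com"}          # assumption: domains federated through SSO
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
PRIVILEGED_ROLES = {"admin", "owner"}        # assumption: roles treated as privileged
INACTIVE_AFTER_DAYS = 90                     # assumption: review threshold


def review_users(export_text, today):
    """Return {email: [findings]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        privileged = row["role"].strip().lower() in PRIVILEGED_ROLES
        issues = []
        if domain in PERSONAL_DOMAINS:
            issues.append("personal-account")
        elif domain not in CORPORATE_DOMAINS:
            issues.append("external-collaborator")
        if row["auth_method"].strip().lower() != "sso":
            issues.append("admin-bypasses-sso" if privileged else "not-on-sso")
        if row["mfa_enrolled"].strip().lower() != "true":
            issues.append("admin-without-mfa" if privileged else "no-mfa")
        idle = (today - date.fromisoformat(row["last_login"].strip())).days
        if idle > INACTIVE_AFTER_DAYS:
            issues.append(f"inactive-{idle}d")
        if privileged:  # every privileged account goes to the role review
            issues.append("privileged-role-review")
        if issues:
            findings[email] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_users(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(f"{account}: {', '.join(issues)}")
```

The output of each run can be kept with the access-review records, with the date passed as `today` noted alongside it.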

Owner

Identity and access management should own technical enforcement. The AI tool owner should own role design and business justification.

Evidence

  • SSO configuration.
  • MFA enforcement records.
  • Admin and privileged-role review.
  • User lifecycle integration.
  • Register entry linking the tool to identity requirements.

Common errors

  • Approving enterprise AI use while employees continue using personal accounts.
  • Enforcing SSO for users but not administrators.
  • Ignoring uploaded files, chat history, and prompt logs during access reviews.
  • Allowing shared accounts for convenience.

Related risks

  • Shadow AI
  • Sensitive Data Disclosure
  • Excessive Agency