Associated Risks, Controls, and Mitigation Strategies

While AI agents and large language models (LLMs) offer significant benefits, their use can introduce additional risks to organizations. This topic is intended for both end users who will interact with AI agents and account administrators responsible for configuring NetSuite and managing this technology within the organization.

This topic outlines the key risks associated with the use of external AI agents and LLMs, security controls available in NetSuite, and suggest mitigation strategies. Note that this list may not be exhaustive or universally applicable, as both technology and associated risks continue to evolve.

Risks

The following are some of the key risks inherent to the use of LLMs:

Both prompt injection and hallucination can result in:

Controls in NetSuite

Prompt injection and hallucination are LLM weaknesses and out of NetSuite control. Although NetSuite cannot eliminate these risks, it offers controls that account administrators and end users can use to reduce the impact of these risks.

Enabling External AI Agents in NetSuite

By default, the use of external AI agents in NetSuite is disabled. Enabling this feature requires coordinated actions from both account administrators and end users:

Steps for Account Administrators

Important:

The actions available to external AI agents are strictly limited to the functionality exposed by the installed MCP tools. Because external AI agents act on behalf of users, only agents representing users with MCP permissions can call MCP tool functions.

Steps for End Users

Mitigation Strategies

Prompt injection and hallucination are known LLM weaknesses and out of NetSuite control. The following strategies can help to reduce the risks of unintended actions, data corruption, and sensitive information disclosure:

Vendor and Tool Trustworthiness

Access Management

Scope Limitation

User Awareness

Technical Safeguard

Compliance Risks

As part of your use of MCP get familiar with potential limitations or restrictions establish in the regulations where you operate that may affect your use of existing tools or the use of new tools created by you. Certain geographies have restrictions and requirements for certain use cases like HR, financial, etc.

General Notices