AI adoption as mandate: what Dialpad’s model means for IAM

At a glance

What this is: This interview argues that AI adoption is moving from optional tooling to operational policy, with Dialpad using AI across engineering, support, and internal workflows.

Why it matters: It matters because IAM, NHI, and workforce programmes now have to govern AI-assisted work, not just human users or static machine credentials.

By the numbers:

• 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years.
• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
• 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.

👉 Read WorkOS's interview with Dialpad CTO Brian Peterson on AI adoption

Context

AI adoption is no longer just a productivity conversation. In this interview, the underlying issue is governance: when engineering, support, and operations are told to use AI as part of normal work, identity and access controls have to account for human judgement, machine assistance, and automated output in the same workflow.

For IAM and NHI teams, the important shift is that AI is being embedded into everyday operating practice rather than isolated in a pilot. That changes how entitlement decisions, review processes, and accountability models should be designed, especially when the organisation expects AI to produce work that humans then verify rather than author from scratch.

Key questions

Q: How should organisations govern AI-assisted work in engineering and operations?

A: Treat AI-assisted work as an identity and accountability problem, not just a productivity upgrade. Define which actions the AI may influence, which outputs require human verification, and which systems or data sources sit behind the workflow. Then align review, logging, and approval rules to the actual runtime path rather than the job title alone.

Q: Why do AI-enabled workflows complicate least privilege?

A: Least privilege assumes the needed access can be scoped before execution begins. AI-enabled workflows often expand what happens at runtime, because the system can draft, recommend, or shape actions in ways that were not fully predictable at provisioning time. That makes static role design less reliable unless teams tightly bound the workflow and preserve traceability.

Q: What breaks when humans verify AI output but do not own the workflow?

A: Responsibility becomes ambiguous. A human may approve a result that was substantially shaped by a machine, while the controls still record the human as the primary actor. That gap weakens auditability, makes recertification less meaningful, and can hide where the real decision authority sat inside the workflow.

Q: How do security teams assess AI adoption without creating compliance theatre?

A: Measure whether AI actually changes operating decisions, not just whether people say they use it. Look for evidence of traceable outputs, clear accountability, and bounded permissions. If adoption metrics rise but ownership, approval, and logging remain vague, the programme is creating activity without governance.

Technical breakdown

AI-assisted engineering and the new access boundary

AI-assisted engineering changes the access boundary because the person writing code is no longer the only actor shaping runtime outcomes. Prompting, code generation, repository access, and deployment rights can combine into a wider effective privilege set than traditional developer roles assume. The technical issue is not just automation. It is that the tool can influence what gets created, reviewed, and shipped while the human remains the nominal owner. That makes provenance, review traceability, and repository entitlements part of the same control plane.

Practical implication: map AI coding workflows to the same entitlement review process you use for high-risk production access.

Human verification does not remove machine influence

Human-in-the-loop review is often treated as a safe boundary, but it only works if the reviewer can meaningfully challenge the machine output. When AI drafts performance reviews, support responses, or policy summaries, the human is validating a machine-generated starting point, not making a clean independent decision. That creates a subtle control problem: the output may appear human-owned while the synthesis logic remains opaque. The governance question becomes whether review is substantive or merely procedural.

Practical implication: require traceable human accountability for AI-assisted decisions, especially where the output affects people, customers, or privilege.

Why non-deterministic AI changes identity governance

Non-deterministic AI complicates identity governance because the same request can produce different outputs, different actions, or different downstream workflows. That means privilege analysis cannot rely only on stable intent or fixed execution paths. In practical terms, the identity model has to cover not just who can act, but how much runtime variation the system is allowed to introduce. This is where AI-assisted workflows start to overlap with NHI governance, even when the system is not fully autonomous.

Practical implication: classify AI-enabled workflows by runtime variability and govern them as dynamic access paths, not static tasks.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

AI mandate creates an identity governance problem before it creates a productivity gain. When engineering teams are required to use AI, the control question shifts from adoption to authority. The organisation is no longer managing isolated tool usage, but a new pattern where human identity, machine assistance, and workflow output are intertwined. That makes access review, approval, and accountability harder to map to a single actor. The practitioner takeaway is that AI policy is now an identity design problem, not just a training problem.

Non-deterministic AI breaks the assumption that access intent is stable at provisioning time. Least privilege was designed for roles whose activities can be described before execution begins. That assumption fails when AI changes the shape of the work at runtime, because the effective action set can expand inside the session. The implication is that identity programmes must rethink how they define scope, not merely add more review checkpoints.

AI-assisted work creates a governance gap between authorship and responsibility. A human can remain accountable while the machine contributes the substance, but traditional IAM and IGA processes were built around clearer lines of action ownership. This is where the named concept of runtime authorship drift matters: the person who approves, the person who reviews, and the system that generates the outcome are no longer the same control point. Practitioners should treat that drift as a first-class governance risk.

Organisations are already moving toward agentic operating models faster than their controls are adapting. That is the broader market signal behind this interview. The category is not whether AI helps people work faster. It is whether identity governance can remain coherent when a growing share of work is machine-shaped, human-verified, and operationally mandatory. The practitioner conclusion is simple: the programme must be redesigned around dynamic work, not static job titles.

From our research:

• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
• 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which shows the control model is already under pressure.
• That same survey found 53% of security leaders expect AI to run major portions of infrastructure autonomously within three years, reinforcing why identity governance has to move now.

What this signals

Runtime authorship drift: when AI generates the substance of work but humans keep the formal accountability, conventional identity controls lose a clean actor-to-action mapping. That makes future recertification and audit design depend on traceability, not just approval status.

With 69% of security leaders saying identity management must fundamentally shift for agentic AI, the governance problem is already structural. Teams should expect their access models to absorb machine-shaped decision paths, not simply human workflows with faster tooling.

The practical signal for IAM leaders is that AI adoption will increasingly show up in entitlement reviews, logging expectations, and decision ownership disputes. Programmes that still assume stable authorship will struggle once AI becomes a normal part of business execution.

For practitioners

• Map AI-assisted workflows to entitlement boundaries Inventory where AI produces code, summaries, recommendations, or customer responses, then tie each workflow to the underlying repository, data, and action permissions that make it possible.
• Separate machine synthesis from human accountability Require clear ownership for every AI-assisted decision that affects customers, employees, or production systems, and document where the human is verifying versus independently deciding.
• Review privilege assumptions for non-deterministic workflows Reassess roles that now include AI drafting, classification, or orchestration so the permitted action set reflects runtime variation rather than the original job description.
• Add traceability for AI-generated outputs Preserve prompts, sources, and approval context for AI-assisted work so access reviews and incident response can reconstruct how an outcome was produced.

Key takeaways

• AI adoption becomes an identity governance issue when organisations require teams to use machine-generated outputs inside normal business workflows.
• The main risk is not simple automation, but blurred authorship and unstable access scope inside AI-assisted decision paths.
• Teams that cannot trace who influenced a result, who verified it, and which permissions made it possible will struggle to govern AI at scale.

Key terms

• AI-assisted workflow: A workflow in which a person uses AI to draft, classify, summarise, or recommend actions as part of normal work. The human may remain accountable, but the machine changes how decisions are formed and how much of the output is generated before review.
• Runtime authorship drift: The condition where the person formally responsible for a task is no longer the sole or primary source of its content at execution time. In practice, AI shapes the outcome while identity controls still record human ownership, creating audit and accountability gaps.
• Non-deterministic AI: An AI system that can produce different outputs or action paths from similar inputs. For identity governance, this matters because access scope, review evidence, and control testing cannot assume a fixed execution pattern the way they often can with scripted automation.
• Human-in-the-loop verification: A control pattern where a person reviews or approves AI output before it is used. It only reduces risk when the reviewer can meaningfully challenge the result, rather than simply rubber-stamp a machine-generated draft or recommendation.

Deepen your knowledge

AI-assisted engineering and identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your teams are already using AI in day-to-day operations, it is worth grounding the programme in a shared control model.

This post draws on content published by WorkOS: From Google Voice to AI-first communication: Dialpad's Brian Peterson on leading AI adoption. Read the original.