By NHI Mgmt Group Editorial Team
Published 2025-08-04
Domain: Governance & Risk
Source: Imprivata

TL;DR: AI adoption is widening both opportunity and attack surface: IBM reports that 72% of organisations used AI in at least one business function in 2024, and identity-based attacks accounted for 30% of breaches, which, according to Imprivata, makes governance and real-time visibility essential. The real challenge is not whether to adopt AI, but whether identity and access controls can keep pace with its operational and security impact.


At a glance

What this is: This is an Imprivata commentary on AI adoption, security risk, and the need to govern AI through identity and access controls.

Why it matters: It matters because practitioners need to align AI use with IAM, NHI, and monitoring controls before AI-driven scale and attacker abuse outpace governance.

By the numbers:

👉 Read Imprivata's perspective on AI appreciation day, identity risk, and governance


Context

AI adoption is now broad enough that the identity problem can no longer be treated as a narrow technical edge case. When AI is embedded in business functions, the key question becomes how access, visibility, and accountability are maintained across the systems and identities that support it.

For IAM, NHI, and security teams, the issue is not only adversary use of AI. It is also whether existing governance models can handle AI-assisted phishing, deeper automation, and more complex usage patterns without weakening oversight across human and non-human access.


Key questions

Q: How should security teams govern AI use in existing IAM programmes?

A: Treat AI as part of the identity estate, not a separate innovation layer. Assign ownership, define approved use cases, and connect AI activity to access reviews, privilege boundaries, and logging so governance can follow the actor that is actually using the system.

Q: Why do AI systems increase identity risk even when they improve security operations?

A: AI can help defenders, but it also helps attackers scale phishing, impersonation, and credential abuse. That means the same adoption that improves detection can also widen exposure unless authentication, monitoring, and access governance keep pace.

Q: What do security teams get wrong about AI and zero trust?

A: They often treat zero trust as a one-time architecture choice instead of continuous verification. AI-driven workflows increase the number and pace of requests, so trust must be reassessed throughout the session, not only at sign-in.

Q: Who should own AI governance when business teams are adopting it quickly?

A: Ownership should sit with the business function using AI, supported by IAM, security, and risk teams. That model keeps accountability tied to the actual use case instead of letting governance drift into a shared responsibility that no one actually owns.


Technical breakdown

Identity-based attacks and AI-enabled abuse

AI does not replace identity compromise. It amplifies it by making phishing, impersonation, and social engineering more convincing and faster to scale. That shifts the attacker’s preferred path toward stolen credentials, session abuse, and access that looks legitimate once inside. In practice, this means the control plane matters as much as the detection layer: authentication strength, conditional access, and privileged session monitoring all become more important when AI lowers the cost of deception.

Practical implication: strengthen phishing-resistant authentication and monitor for anomalous use of valid credentials rather than assuming perimeter controls will stop AI-assisted attacks.

AI governance depends on access visibility

AI systems create governance blind spots when organisations cannot clearly see who or what is using them, what data they touch, and which actions they are allowed to perform. That is an identity issue, not just an analytics issue. User behaviour analytics and access telemetry help establish whether AI-related activity aligns with expected business use or signals overreach. Without that visibility, organisations cannot reliably distinguish legitimate adoption from unsafe expansion of privilege.

Practical implication: tie AI usage telemetry to access reviews so governance teams can validate who is using AI, how it is being used, and whether entitlements match the work.

Zero trust for AI requires continuous identity proof

Zero trust only works if every request is continuously evaluated against context, identity, and risk. AI increases the number of automated and semi-automated interactions, which makes static trust decisions less reliable. In environments where AI interacts with sensitive systems, continuous monitoring and adaptive authorisation are needed to prevent one approved interaction from turning into broad, unchecked access. The architectural shift is from one-time approval to ongoing verification.

Practical implication: apply continuous verification and least-privilege enforcement to AI-connected workflows, especially where sensitive data or administrative actions are involved.
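To make the shift from one-time approval to ongoing verification concrete, here is an added example of a per-request policy check for an AI-connected session. It is not Imprivata's or NHI Mgmt Group's code; the session fields, sensitivity tiers, assurance-age limits and anomaly threshold are all assumed values constructed for illustration. The point it shows is that the same session can be allowed, forced to step up, or denied from one request to the next as context changes.

```python
"""Continuous verification for an AI-connected workflow session.

Added example (not the article's code). A hypothetical policy engine is
consulted on every request an AI assistant or agent makes on behalf of an
identity, not only at sign-in. All identities, resources and thresholds
below are constructed sample values.
"""
from dataclasses import dataclass, field

# Assumed sensitivity tiers: higher tier, stronger and fresher assurance required.
SENSITIVITY = {"kb/search": 1, "crm/read": 2, "hr/payroll": 3, "iam/grant-role": 3}

# Assumed policy knobs: how recent a phishing-resistant check must be, per tier.
MAX_STRONG_AUTH_AGE_S = {1: 8 * 3600, 2: 3600, 3: 300}
MAX_REQUESTS_PER_MIN = 30          # burst ceiling for an automated workflow
ANOMALY_DENY_THRESHOLD = 3         # score supplied by behaviour analytics


@dataclass
class Session:
    subject: str                   # human user or workload identity driving the workflow
    aal: int                       # authenticator assurance level achieved (SP 800-63 style)
    last_strong_auth_at: int       # epoch seconds of the last phishing-resistant check
    device_managed: bool
    anomaly_score: int = 0         # higher is worse; updated by monitoring between requests
    request_times: list = field(default_factory=list)


def evaluate(session: Session, resource: str, now: int) -> str:
    """Return 'allow', 'step_up' or 'deny' for a single request in the session."""
    tier = SENSITIVITY.get(resource)
    if tier is None:
        return "deny"                                   # unknown resource: default deny
    if session.anomaly_score >= ANOMALY_DENY_THRESHOLD:
        return "deny"                                   # behaviour analytics says stop

    # Rate check: keep only requests from the last 60 s, including this one.
    session.request_times.append(now)
    session.request_times = [t for t in session.request_times if now - t < 60]
    if len(session.request_times) > MAX_REQUESTS_PER_MIN:
        return "deny"

    if tier >= 3 and not session.device_managed:
        return "deny"                                   # admin-grade actions need a managed device
    if tier >= 2 and session.aal < 2:
        return "step_up"                                # weak initial login is not enough here
    if now - session.last_strong_auth_at > MAX_STRONG_AUTH_AGE_S[tier]:
        return "step_up"                                # assurance has aged out for this tier
    return "allow"


def record_step_up(session: Session, now: int) -> None:
    """Record a completed phishing-resistant step-up for the session."""
    session.last_strong_auth_at = now
    session.aal = max(session.aal, 2)


def run_workflow(session: Session, requests: list) -> list:
    """Evaluate an ordered list of (timestamp, resource) pairs; return the decisions."""
    decisions = []
    for now, resource in requests:
        decision = evaluate(session, resource, now)
        decisions.append((resource, decision))
        if decision == "step_up":
            record_step_up(session, now)               # assume the user passes the challenge
    return decisions


if __name__ == "__main__":
    # Constructed sequence: a user-driven AI assistant drifting into a payroll lookup.
    s = Session("alice", aal=2, last_strong_auth_at=1000, device_managed=True)
    for resource, decision in run_workflow(
        s, [(1100, "kb/search"), (1200, "crm/read"), (1400, "hr/payroll"), (1401, "hr/payroll")]
    ):
        print(f"{resource:16} -> {decision}")
```

Note that `run_workflow` optimistically records the step-up as passed so the example runs offline; in a real deployment the engine would wait for the authenticator result and the anomaly score would be fed from access telemetry rather than set by hand.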



NHI Mgmt Group analysis

AI governance is now an identity governance problem, not a separate strategy track. Once AI is embedded in business functions, it inherits the same access, entitlement, and audit expectations as any other actor in the environment. The difference is scale and speed, not category. That means IAM, NHI, and lifecycle governance need to treat AI usage as part of the same control fabric, not as an adjacent innovation initiative. Practitioners should stop separating AI governance from identity governance.

The most important failure mode is visibility loss, not model sophistication. The article points to risky behaviour, missing context, and governance gaps, and those are the real issues practitioners should track. If teams cannot see how AI is used, which identities enable it, and what data it touches, then the programme is already behind the operating model. The named concept here is AI access visibility debt: a growing gap between AI adoption and the controls needed to observe, certify, and constrain it. Practitioners should treat that debt as a governance backlog, not an analytics problem.

Identity-based attacks become more efficient when AI lowers the cost of deception. Phishing, impersonation, and deepfake-enabled social engineering all exploit the same trust assumptions that IAM depends on. When attackers can generate more convincing lures at scale, the control question shifts from awareness to assurance. That is why the focus must move toward stronger authentication, tighter privilege boundaries, and better anomaly detection across human and non-human identities. Practitioners should assume identity abuse will remain the shortest path to AI-era compromise.

Real-time access telemetry is becoming the bridge between adoption and accountability. The article’s emphasis on access management data is directionally right because AI programmes fail when usage cannot be mapped back to business intent and security policy. Behavioural analytics can show where AI is helping, where it is drifting, and where entitlements exceed need. That makes identity telemetry a programme control, not just an audit artifact. Practitioners should use it to connect AI rollout, risk review, and access certification.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • That pattern reinforces why teams should read Ultimate Guide to NHIs, Key Challenges and Risks alongside this analysis to connect AI adoption with access sprawl and governance gaps.

What this signals

AI programmes are now colliding with the same identity failure patterns that have long driven machine-account compromise. The practical response is to treat every AI-connected workflow as an access path that needs ownership, telemetry, and review, not as an abstract capability that sits outside identity governance.

AI access visibility debt: when organisations cannot map AI usage to identity, entitlement, and business intent, governance becomes reactive. Teams should prepare for more frequent access certifications, stronger verification on sensitive workflows, and tighter correlation between behavioural data and approved AI use.

As adoption grows, the programme-level issue is whether identity teams can distinguish legitimate automation from risky expansion before the pattern becomes normalised. That is where identity analytics, lifecycle discipline, and zero-trust enforcement become operational controls rather than policy statements.


For practitioners

  • Map AI usage to identity owners: Inventory where AI is used in business functions, then tie each use case to a human owner, a service account, or a workload identity so accountability is explicit.
  • Harden authentication against AI-assisted impersonation: Prioritise phishing-resistant authentication and step-up checks for access paths that protect sensitive systems, privileged functions, or high-value data.
  • Use access telemetry to govern AI activity: Correlate user behaviour and access analytics with approved AI use cases so review teams can detect overreach, misuse, or undocumented expansion of access.
  • Apply zero trust to AI-connected workflows: Reassess trust decisions for systems touched by AI so that each request, session, and privilege boundary is evaluated continuously rather than assumed safe after initial login.
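The first and third steps above (map AI usage to identity owners, then correlate access telemetry with approved use cases) are also what the "AI governance depends on access visibility" section asks for: tie AI usage telemetry to access reviews. The following added example, which is not Imprivata's or NHI Mgmt Group's code, shows one way to do that. The use-case inventory, identities, resource names and JSON-lines telemetry are all constructed for illustration, and the output is a set of review items grouped by the owner who has to certify them.

```python
"""Correlate AI access telemetry with an owned use-case inventory.

Added example (not the article's code). The inventory maps each approved AI
use case to an accountable owner, the identities allowed to drive it, and the
resources it may touch. Telemetry events that do not fit are turned into
access-review findings; identities that never appear are flagged as unused
entitlements. All names, identities and events below are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed inventory: app/use case -> owner, permitted identities, permitted resources.
AI_USE_CASES = {
    "copilot-sales": {
        "owner": "sales-ops@example.com",
        "identities": {"alice", "svc-copilot-sales"},
        "allowed": {"crm/read", "kb/search"},
    },
    "agent-finance-close": {
        "owner": "fin-controller@example.com",
        "identities": {"svc-finance-agent"},
        "allowed": {"erp/ledger-read"},
    },
}

# Constructed access telemetry, one JSON object per line (e.g. from a gateway or IdP log).
TELEMETRY = """
{"ts":"2025-08-04T09:01:02Z","identity":"alice","app":"copilot-sales","resource":"crm/read","action":"read"}
{"ts":"2025-08-04T09:03:15Z","identity":"alice","app":"copilot-sales","resource":"hr/payroll","action":"read"}
{"ts":"2025-08-04T09:10:40Z","identity":"svc-finance-agent","app":"agent-finance-close","resource":"erp/ledger-read","action":"read"}
{"ts":"2025-08-04T09:11:02Z","identity":"svc-finance-agent","app":"agent-finance-close","resource":"erp/ledger-write","action":"write"}
{"ts":"2025-08-04T09:15:27Z","identity":"bob","app":"copilot-sales","resource":"crm/read","action":"read"}
{"ts":"2025-08-04T09:20:09Z","identity":"svc-legacy-etl","app":"shadow-llm-proxy","resource":"s3/customer-export","action":"read"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_ai_access(events: list, inventory: dict) -> list:
    """Return review findings: unknown apps, unmapped identities, out-of-scope
    resources, and approved identities that produced no activity."""
    findings = []
    seen = set()                                   # (app, identity) pairs with activity
    for e in events:
        use_case = inventory.get(e["app"])
        if use_case is None:                       # AI usage nobody has claimed ownership of
            findings.append({"kind": "unknown_app", "identity": e["identity"],
                             "app": e["app"], "resource": e["resource"], "owner": None})
            continue
        seen.add((e["app"], e["identity"]))
        if e["identity"] not in use_case["identities"]:   # identity not approved for this use case
            findings.append({"kind": "unmapped_identity", "identity": e["identity"],
                             "app": e["app"], "resource": e["resource"], "owner": use_case["owner"]})
            continue
        if e["resource"] not in use_case["allowed"]:      # approved actor, but scope creep
            findings.append({"kind": "out_of_scope", "identity": e["identity"],
                             "app": e["app"], "resource": e["resource"], "owner": use_case["owner"]})
    # Entitlements that exist but are never exercised are review items too.
    for app, use_case in inventory.items():
        for identity in sorted(use_case["identities"]):
            if (app, identity) not in seen:
                findings.append({"kind": "unused_identity", "identity": identity,
                                 "app": app, "resource": None, "owner": use_case["owner"]})
    return findings


def summarize(findings: list) -> Counter:
    """Count findings by kind, for a programme-level view."""
    return Counter(f["kind"] for f in findings)


def review_packets(findings: list) -> dict:
    """Group findings by the owner who must certify or remediate them."""
    packets = defaultdict(list)
    for f in findings:
        packets[f["owner"] or "UNOWNED"].append(f)
    return dict(packets)


if __name__ == "__main__":
    found = review_ai_access(parse_events(TELEMETRY), AI_USE_CASES)
    print(dict(summarize(found)))
    for owner, items in review_packets(found).items():
        print(f"\n{owner}:")
        for f in items:
            print(f"  {f['kind']:18} {f['identity']:20} {f['app']:22} {f['resource']}")
```

The "UNOWNED" packet is the interesting one for the visibility-debt argument: it is activity that matches no approved use case, so there is no owner to certify it, which is exactly the situation the article describes as a governance blind spot.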

Key takeaways

  • AI adoption is widening the identity attack surface, which makes access governance and authentication quality central rather than optional.
  • Visibility into who or what is using AI now determines whether organisations can separate legitimate use from privilege drift and abuse.
  • Security teams should align AI rollout with identity ownership, continuous verification, and access telemetry before adoption outpaces control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-4 | AI access needs least-privilege control and review. |
| NIST Zero Trust (SP 800-207) | Section 3 | AI workflows need continuous verification, not one-time trust. |
| NIST SP 800-63 | AAL2 | Phishing-resistant authentication matters where AI-assisted impersonation is a risk. |

Apply zero-trust principles to AI-connected sessions and re-evaluate trust on every sensitive request.


Key terms

  • AI access visibility debt: The gap that forms when organisations adopt AI faster than they can observe, attribute, and govern its access patterns. It shows up as unclear ownership, weak entitlement mapping, and poor evidence for whether AI use matches approved business intent.
  • Identity-based attack: An attack that uses stolen, abused, or impersonated credentials as the entry point rather than exploiting software first. In AI-heavy environments, these attacks gain leverage because convincing phishing, session abuse, and account takeover can move quickly through trusted pathways.
  • Continuous verification: An approach to trust where access is re-evaluated throughout a session instead of being granted once and assumed safe. For AI-connected workflows, continuous verification matters because the volume, timing, and sensitivity of requests can change after initial approval.
  • User behaviour analytics: Analytics that compare real access activity with expected patterns to identify misuse, anomalies, or privilege drift. In AI programmes, they help distinguish ordinary adoption from risky expansion, especially when multiple identities and automated workflows are involved.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.

This post draws on content published by Imprivata: On AI Appreciation Day, Cybersecurity Experts Push for Responsible Innovation. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org