TL;DR: The new US AI and Cyber Executive Order focuses on software supply chain security, AI-generated code, secure system design, and vulnerability management, according to Lasso Security. The policy signal is clear: AI adoption now has governance consequences for IAM, NHI, and security teams, not just application owners.
At a glance
What this is: This is Lasso Security’s take on the new US AI and Cyber Executive Order, highlighting supply chain security, AI-generated code, and secure AI system design as governance priorities.
Why it matters: It matters because AI governance now intersects with identity, secrets, and privileged access decisions that IAM, NHI, and security architecture teams must align across programmes.
👉 Read Lasso Security's analysis of the new AI and Cyber Executive Order
Context
The core issue is not simply new AI policy, but the assumption that existing security programmes can absorb AI-driven development without changing how identity, code, and vulnerability control are governed. In practice, AI-generated code and AI-enabled tooling expand the number of places where secrets, permissions, and trust relationships need to be reviewed.
For IAM practitioners, the question is whether current controls can still bound risk when AI is participating in code creation, defensive automation, and security analysis. The executive order points to a governance shift, not just a compliance update, because the identity layer now has to account for AI systems that influence how software is produced and how vulnerabilities are handled.
Key questions
Q: How should security teams govern AI-generated code in regulated environments?
A: Treat AI-generated code as a governance input, not a trusted output. Security teams should require review of credential handling, dependency selection, and control boundaries in any AI-assisted workflow, then tie approval to the identities that can deploy or modify the code. In regulated environments, that review needs clear ownership and evidence.
Q: Why do AI tools complicate software supply chain security?
A: AI tools complicate supply chain security because they add new dependencies, more generated artefacts, and additional identities that can move code or data. That expands the attack surface beyond packages alone. Teams need to govern the build and deployment identities, not just the software components they consume.
Q: What do organisations get wrong about AI governance and identity controls?
A: They often separate AI governance from identity governance, even though AI systems can shape access, code, and security decisions. That split leaves approval paths, accountability, and secret handling under-specified. A workable programme treats AI participation as part of the identity control problem.
Q: How can teams tell whether AI security controls are actually working?
A: Look for evidence that AI-assisted workflows still preserve named owners, documented approval boundaries, and verifiable review of secrets and code changes. If you cannot trace who approved what, or where AI influence ended, the control is not working. Effective governance leaves an audit trail that matches the real decision path.
Technical breakdown
AI-generated code and the secrets exposure problem
AI-generated code changes the secret-exposure profile because it can reproduce insecure patterns quickly and at scale. When a development workflow relies on generated code, the security concern is not only whether the code is functionally correct, but whether it inherits unsafe credential handling, weak boundary checks, or hardcoded secrets from the surrounding context. That creates a governance problem for application security and NHI management together, because secret detection alone does not stop insecure patterns from reappearing in new code paths.
Practical implication: Review AI-assisted development for credential handling, not just code quality.
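As an added example, not code from the original page or from Lasso Security, the Python script below scans a constructed sample repository for the two exposure paths this section describes: a credential inherited into generated code, and a literal secret in an MCP server configuration file (the file type the secrets-sprawl figures later on this page single out). It also serves the "Review secrets handling in AI-assisted development" item under For practitioners. Every path, the `mcpServers` layout it checks, and every credential string are constructed; the AWS values are the documented AWS example keys and the GitHub token is a fake shaped like a classic PAT.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample repository (path -> content). Nothing here is a live
# credential: the AWS values are the AWS documentation example keys and the
# GitHub token is a fake shaped like a classic PAT.
SAMPLE_REPO = {
    "app/s3_upload.py": (
        "import boto3\n"
        "# generated helper that inherited a hardcoded credential from its context\n"
        "s3 = boto3.client('s3', aws_access_key_id='AKIAIOSFODNN7EXAMPLE',\n"
        "                  aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')\n"
    ),
    ".mcp.json": json.dumps({
        "mcpServers": {
            "github": {
                "command": "npx",
                "args": ["-y", "@modelcontextprotocol/server-github"],
                "env": {"GITHUB_PERSONAL_ACCESS_TOKEN":
                        "ghp_0123456789abcdefghijklmnopqrstuvwxyz"},
            },
            "db": {"command": "db-mcp", "env": {"DB_PASSWORD": "${DB_PASSWORD}"}},
        }
    }, indent=2),
    "app/config.py": "import os\nTOKEN = os.environ['SERVICE_TOKEN']\n",
}

# Token-shape detectors plus a generic "sensitive name = 'literal'" rule.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "sensitive_assignment": re.compile(
        r"(?i)(secret|password|api[_-]?key|token)\w*\s*=\s*['\"][^'\"]{8,}['\"]"),
}
SENSITIVE_ENV_NAME = re.compile(r"(?i)(token|secret|password|api[_-]?key|credential)")


@dataclass(frozen=True)
class Finding:
    path: str
    detector: str
    detail: str  # redacted: never write the full secret into a report


def redact(value: str) -> str:
    return value[:6] + "..." if len(value) > 6 else value


def scan_text(path: str, text: str) -> list[Finding]:
    """Regex pass over any file, generated or hand-written."""
    return [Finding(path, name, redact(m.group(0)))
            for name, pat in PATTERNS.items() for m in pat.finditer(text)]


def scan_mcp_config(path: str, text: str) -> list[Finding]:
    """Flag MCP server env entries that carry a literal secret instead of a
    ${VAR} reference resolved at runtime. Assumes the common `mcpServers` layout."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return []
    findings = []
    for server, spec in (cfg.get("mcpServers") or {}).items():
        for key, value in (spec.get("env") or {}).items():
            if not isinstance(value, str) or not SENSITIVE_ENV_NAME.search(key):
                continue
            if value.startswith("${") and value.endswith("}"):
                continue  # indirection: the value lives in the runtime environment
            findings.append(Finding(path, "mcp_env_literal", f"{server}.env.{key}"))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        if path.endswith("mcp.json"):  # .mcp.json / mcp.json; extend for other client config names
            findings.extend(scan_mcp_config(path, text))
    return findings


def gate(files: dict[str, str]) -> bool:
    """Commit/PR gate: True means the change may proceed to human review."""
    return not scan_repo(files)


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}: {f.detector} ({f.detail})")
    print("gate passed" if gate(SAMPLE_REPO) else "gate blocked")
```

The two scanners are deliberately separate: the regex pass catches token shapes wherever they land, while the MCP walker catches the structural mistake (a literal where a reference belongs) even for secrets with no recognisable shape. Running the gate before human review, rather than after, is what ties the check to the identities that can approve the change.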
Software supply chain security in AI pipelines
The executive order’s supply chain emphasis reflects a broader reality: AI systems introduce more third-party dependencies, more generated artefacts, and more opportunities for hidden trust. In AI-enabled pipelines, the security boundary often stretches across model providers, orchestration layers, plugins, package sources, and runtime identities. That means software supply chain governance must include the identities used by build systems, agents, and deployment jobs, not only the packages they consume.
Practical implication: Extend supply chain controls to the identities and secrets that move code from prompt to production.
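As an added example, not code from the original page or from Lasso Security, the dependency-free Python linter below applies two of the controls described here to a build identity in a GitHub Actions workflow: third-party actions referenced by a mutable tag or branch instead of an immutable commit SHA (the mechanism behind the reviewdog/action-setup incident listed under Breaches seen in the wild), and a GITHUB_TOKEN whose permissions are broad or left implicit. It also serves the "Extend supply chain controls to machine identities" item under For practitioners. Both workflow texts and the 40-hex commit SHA are constructed; the parser is line-based on purpose so it runs without a YAML library.

```python
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMS_RE = re.compile(r"^\s*permissions:\s*([^#]*?)\s*$")

# Constructed workflow: tags are mutable, so both unpinned actions can be
# retargeted by whoever controls (or compromises) the upstream repository.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5 (constructed SHA)
      - run: pip install -r requirements.txt
"""

# Constructed hardened form: every action pinned to a commit SHA and the
# token limited to read access explicitly.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5 (constructed SHA)
      - run: pip install -r requirements.txt
"""


@dataclass(frozen=True)
class Finding:
    line: int  # 0 means a whole-file finding
    rule: str
    detail: str


def lint_workflow(yaml_text: str) -> list[Finding]:
    findings = []
    saw_permissions = False
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local composite action or container image: different trust model
            action, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append(Finding(lineno, "unpinned-action",
                                        f"{action}@{version or '<none>'}"))
            continue
        m = PERMS_RE.match(line)
        if m:
            saw_permissions = True  # top-level or job-level block, either counts as explicit
            if m.group(1).strip() == "write-all":
                findings.append(Finding(lineno, "broad-token-permissions", "permissions: write-all"))
    if not saw_permissions:
        findings.append(Finding(0, "no-explicit-permissions",
                                "GITHUB_TOKEN scope falls back to the repository default"))
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {len(lint_workflow(wf))} finding(s)")
        for f in lint_workflow(wf):
            print(f"  line {f.line}: {f.rule} {f.detail}")
```

Pinning to a SHA moves trust from a name someone else controls to content you reviewed, and an explicit `permissions:` block turns the build identity's privilege into something visible in code review rather than an inherited repository setting. Extend the same idea to deployment jobs and agent runners: a machine identity that can write artefacts needs a stated scope and a revocation path, not a default.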
Human-AI interaction as an identity governance issue
Human-AI interaction is often discussed as a usability or safety issue, but it is also an identity governance issue. When people rely on AI tools to make decisions, generate code, or trigger security actions, the effective decision chain becomes longer and less observable. That weakens traditional assumptions about accountability, approval, and separation of duties. The result is a control environment where humans may still own the process on paper, while AI systems materially shape the outcome.
Practical implication: Define where human approval ends and AI influence begins in operational workflows.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- reviewdog/action-setup GitHub Action supply chain attack: the compromised action exposed secrets from the pipelines that used it.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI regulation is now an identity governance problem, not just a policy problem. The executive order’s focus on AI cyber defence, secure AI design, and AI software vulnerabilities shows that governance has moved upstream into the identity layer. Once AI systems are involved in code generation or defensive automation, access, approval, and accountability can no longer be treated as purely human-centred controls. Practitioners should read this as a mandate to reassess which identities are allowed to influence software and security decisions.
AI-generated code creates a repeatable path for unsafe security patterns to re-enter the estate. The issue is not only malware or misuse, but the ability of generated output to scale insecure defaults across many repositories and teams. That places secrets management, code review, and secure development governance in the same control conversation. The practical conclusion is that secure AI adoption depends on identity-aware software governance, not just scanning after the fact.
Secure AI systems require clearer accountability boundaries than conventional automation. When advanced AI models participate in cyber defence, the decision chain may span humans, platforms, and machine actors in ways that are not visible in existing approval models. This does not mean every AI tool is autonomous, but it does mean responsibility can diffuse quickly when privileges are delegated through multiple layers. Practitioners should treat accountability mapping as a core design requirement, not an audit exercise after deployment.
Named concept: AI control-plane drift. As AI tools become embedded in development and defence workflows, the operational control plane starts to move away from the teams that formally own it. The article points to that shift through its emphasis on human-AI interaction, secure AI systems, and software vulnerability management. The practitioner conclusion is that governance has to follow the control plane wherever AI actually makes or shapes decisions.
From our research:
- 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to The State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
- That is why practitioners should also track OWASP NHI Top 10 guidance as AI workflows expand into production identity and access paths.
What this signals
AI control-plane drift: as AI moves into code generation and defensive operations, governance has to follow the identities that can influence those actions. The practical risk is not only unsafe output, but a widening gap between formal ownership and operational control.
The most durable response is to treat AI adoption as an identity programme issue from the start, with explicit approval boundaries, secret handling review, and traceable accountability. Without that, teams will keep adding AI on top of identity controls that were never designed to absorb it.
For practitioners
- Map AI-influenced decision paths: Document where AI systems influence code generation, vulnerability triage, or defensive actions, and identify which human approvals still exist versus which are only assumed. Tie those paths to named owners and review points, then look for places where responsibility is diffuse or undocumented.
- Review secrets handling in AI-assisted development: Inspect repositories and pipelines for hardcoded secrets, insecure examples, and generated code paths that bypass normal review. Use the same control expectations for AI-assisted commits that you apply to high-risk developer workflows, and make sure rotation and revocation are tied to the identities that can reach those secrets.
- Extend supply chain controls to machine identities: Include build agents, deployment jobs, and orchestration tooling in your supply chain model so that identity governance covers the actors moving code into production. If an AI-enabled workflow can create or modify artefacts, it also needs explicit permission boundaries and revocation paths.
- Separate human approval from AI influence: Write down where humans retain final approval and where AI can only recommend, then enforce that boundary in policy and technical workflow design. This is especially important in regulated environments where accountability cannot be inferred from tool usage alone.
Key takeaways
- The executive order matters because it turns AI adoption into an identity governance issue, not just a compliance update.
- AI-generated code and AI-enabled pipelines widen the path for unsafe credentials, insecure patterns, and diffuse accountability.
- Practitioners should map AI influence, tighten approval boundaries, and extend supply chain controls to the identities behind the workflow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AG-02 | AI-generated code and defensive actions need clear agent governance boundaries. |
| OWASP Non-Human Identity Top 10 | NHI-03 | AI-assisted pipelines expose secrets and require tighter credential lifecycle control. |
| NIST CSF 2.0 | PR.AA-1 | AI regulation raises authentication and accountability requirements across the workflow. |
Inventory machine identities in AI workflows and enforce rotation, revocation, and least privilege.
Key terms
- AI control-plane drift: The gradual shift of operational decision-making away from the teams that formally own a system and toward AI-enabled tools, workflows, or intermediaries. In practice, the control plane still exists, but the real influence over code, access, or actions moves somewhere else.
- AI-generated code: Software produced wholly or partly by an AI system in response to prompts, context, or surrounding repository content. The security concern is not the generation itself, but whether the output introduces unsafe patterns, credential exposure, or hidden dependencies into the delivery chain.
- Software supply chain identity: The set of non-human identities that move software from creation to production, including build agents, deployment jobs, and orchestration accounts. This identity layer matters because compromise, misuse, or over-privilege in the chain can affect every artefact it touches.
- Accountability boundary: The point at which responsibility for a security action moves from recommendation to approval, or from automation to human ownership. In AI-enabled workflows, this boundary must be explicit because otherwise teams assume someone is responsible without proving who actually was.
Deepen your knowledge
AI governance and identity boundaries are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are formalising controls for AI-assisted development or defensive automation, it is a practical place to start.
This post draws on content published by Lasso Security: Lasso's commitment to a secure AI-driven future and the new Cyber Executive Order. Read the original.
Published by the NHIMG editorial team on 2026-02-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org