TL;DR: AI can accelerate detection, surface hidden risk, and help security teams scale, but RSA Security cites Gartner guidance that success depends on direct security objectives, independent assessment, and preserving passwordless MFA discipline. The core issue is not AI adoption itself but whether identity controls remain aligned to measurable outcomes.
At a glance
What this is: An RSA Security analysis of how CISOs should use AI in security operations, with Gartner guidance stressing outcome-based selection and disciplined identity controls.
Why it matters: It matters because AI-driven security gains do not reduce the need for phishing-resistant authentication, and rushed automation can weaken the very identity controls that protect NHIs and users.
By the numbers:
- 91% of organizations plan to implement AI in their tech stack this year.
- The 2026 RSA ID IQ Report is based on a global survey of more than 2,100 security, IT, and compliance leaders.
👉 Read RSA Security's analysis of AI use for CISOs and identity controls
Context
AI only helps if security leaders can tie it to specific outcomes, because automation without governance simply shifts risk into a faster delivery path. For IAM and NHI teams, the question is not whether to adopt AI, but whether the identity controls around human and non-human access still hold under machine speed and machine scale.
The article also lands in a familiar pattern for security programs: technology pressure arrives faster than control maturity. That is typical in AI adoption, and the governance gap becomes sharper when AI is layered onto authentication, monitoring, and response without clear measurement, role boundaries, or phishing-resistant identity controls.
Key questions
Q: How should security teams implement AI in identity-heavy environments?
A: Start with a narrow use case tied to a measurable security outcome, such as faster alert triage or fewer false positives. Keep the workflow bounded by policy, require human approval for identity changes, and review whether the AI improves the control it was meant to support. If the result cannot be measured, it should not be scaled.
Q: Why do AI-driven phishing attacks make passwordless authentication more important?
A: AI can generate more convincing phishing messages, which increases the chance that users will hand over credentials. Passwordless authentication reduces that attack surface by removing passwords as stealable secrets. When combined with phishing-resistant MFA, it makes it much harder for a lure to turn into reusable access, especially for high-risk users and applications.
Q: What breaks when AI tools can trigger identity actions without policy guardrails?
A: Automated recommendations can turn into unintended access changes, revocations, or escalations before a human can validate them. That creates speed without accountability, and it makes incident review much harder. The fix is to separate recommendation from execution, enforce policy checks, and record every identity action the automation can initiate.
Q: When should organisations prioritize passwordless authentication over broader AI automation?
A: When credential compromise is a meaningful part of the threat model, passwordless and phishing-resistant MFA should come first. AI automation can improve operations, but it does not compensate for weak authentication. If the entry point is still a password, attackers only need one successful lure to undo many downstream controls.
Technical breakdown
Outcome-based AI selection in security operations
The article’s core technical point is that AI should be selected against explicit cybersecurity improvement objectives, not against vague automation goals. That means mapping each AI use case to a measurable maturity gap, such as alert triage speed, analyst workload reduction, or detection fidelity. In practice, this is a control design question, not a procurement question. If the use case cannot be measured, it cannot be governed. For NHI and IAM teams, that matters because AI often touches identity telemetry, access decisions, and exception handling where weak measurement creates blind spots.
Practical implication: Define success metrics before deployment, then require them in change approval and post-deployment review.
Passwordless authentication and phishing-resistant MFA
Passwordless authentication removes the shared secret that attackers most often try to steal, while phishing-resistant MFA makes credential theft less reusable even when users are tricked. The technical value is strongest when authentication is enterprise-wide and consistent across all environments, including remote access and privileged workflows. AI does not change that logic. In fact, AI-generated phishing raises the quality of lures, which increases the value of removing password-based entry points altogether. For non-human identities, the parallel lesson is to reduce reliance on static secrets wherever possible.
Practical implication: Prioritize phishing-resistant MFA and passwordless coverage for privileged and high-risk access paths first.
AI-driven security automation still needs identity guardrails
AI can accelerate detection and response, but it also compresses decision cycles, which makes governance failures harder to spot. If AI is allowed to auto-act on identity events without clear boundaries, a bad recommendation can become an access change, revocation, or escalation before a human can intervene. The architectural problem is not AI itself. It is the lack of policy, approval, and traceability around what the AI is allowed to decide versus what it only recommends. That distinction is essential for both human IAM and NHI control planes.
Practical implication: Separate AI recommendation from execution, and log every identity action that an automated workflow can trigger.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — Exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI security value collapses when programs confuse speed with control. The article reflects a wider market problem: teams are often asked to automate before they have established the metrics that prove the automation is working. In identity-heavy environments, that usually means faster decisions with no clearer accountability. The right standard is not more AI, but more measurable control over where AI is permitted to act.
Passwordless is not a legacy hygiene item. It is an AI-era control. The piece correctly keeps credential compromise in focus, because AI makes phishing more convincing and more scalable. That raises the value of removing passwords wherever possible and using phishing-resistant MFA for the remaining paths. For practitioners, this is less about a new initiative than about finishing the authentication modernization work that many programs still postpone.
Ephemeral automation creates an identity governance gap when execution authority is not tightly bounded. AI systems can recommend, route, and even trigger actions at machine speed, but that only works safely when the identity behind the workflow has explicit limits. Otherwise, the program ends up with fast-but-opaque access decisions. Practitioners should treat every automated identity action as a policy object, not just an efficiency feature.
Named concept: identity control discipline. This article makes clear that AI adoption must be anchored to direct security outcomes, structured assessment, and clear operating rules. That is the practical meaning of identity control discipline: every AI-enabled security workflow should have a defined purpose, a measurable result, and a human owner. Without that, automation becomes another source of drift instead of a control improvement.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For a broader view of control gaps, see Ultimate Guide to NHIs, Key Challenges and Risks for the visibility, sprawl, and over-privilege patterns that AI can amplify.
What this signals
AI adoption will keep accelerating, but the programme risk is that teams automate identity operations faster than they can explain or audit them. The practical response is to separate recommendation from execution, then anchor each workflow to a measurable control objective and a named owner.
Identity control discipline: practitioners should treat AI-enabled security workflows as governed access paths, not productivity shortcuts. That means identity boundaries, approval logic, and auditability must be designed up front, especially where automation can touch privileged access or NHI secrets.
The near-term signal is that passwordless and phishing-resistant MFA will remain the most defensible authentication investments while AI changes the quality of attacker tradecraft. Programs that delay those controls in favor of broad automation will inherit more risk than they remove.
For practitioners
- Tie AI use cases to measurable security outcomes: Approve AI only where the use case maps to a concrete maturity gap, such as triage time, false positives, or analyst overload. Require a baseline, target, and review cadence before production rollout.
- Expand phishing-resistant MFA across high-risk access paths: Move privileged users, admins, and remote workers off password-based flows where possible, then extend coverage to remaining enterprise applications and federated access points.
- Separate AI recommendations from identity execution: Allow AI to recommend actions, but keep access changes, revocations, and exception handling behind policy checks and approval boundaries. Log every execution step for later review.
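The guardrails section in the technical breakdown and the practitioner item above describe the same pattern: the AI layer only produces recommendations, a policy gate decides what may execute (and what needs a human approver), and every decision is written to an audit trail. The following Python sketch is an added example, not RSA Security's or NHIMG's code; the action categories, the privileged scopes and the `execute_identity_action` executor are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy tables (assumption, not from the article): which
# AI-recommended identity actions may run unattended, which need a human
# approver, and which are never executed by automation at all.
AUTO_EXECUTE = {"disable_session"}                    # reversible, low impact
REQUIRE_APPROVAL = {"grant_access", "revoke_access"}  # access changes
NEVER_AUTOMATE = {"escalate_privilege"}               # human-initiated only
PRIVILEGED_SCOPES = {"admin", "prod-secrets"}         # always need approval


@dataclass
class Recommendation:
    """What the AI layer is allowed to produce: a suggestion, never an action."""
    action: str
    subject: str      # human user or non-human identity (service account, agent)
    scope: str
    confidence: float


def execute_identity_action(rec: Recommendation) -> str:
    """Hypothetical executor; a real deployment would call the IdP or secrets API."""
    return f"{rec.action}:{rec.subject}:{rec.scope}"


@dataclass
class ExecutionGate:
    """Policy boundary between recommendation and execution, with an audit trail."""
    audit_log: list = field(default_factory=list)

    def _record(self, rec: Recommendation, decision: str, reason: str, actor: str) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": rec.action,
                 "subject": rec.subject, "scope": rec.scope, "confidence": rec.confidence,
                 "decision": decision, "reason": reason, "actor": actor}
        self.audit_log.append(entry)   # every gate decision is logged, not just executions
        return entry

    def evaluate(self, rec: Recommendation, approved_by=None) -> dict:
        """Apply policy to one recommendation and return the audit entry."""
        if rec.action in NEVER_AUTOMATE:
            return self._record(rec, "rejected", "action is never automated", "gate")
        if rec.action not in AUTO_EXECUTE | REQUIRE_APPROVAL:
            return self._record(rec, "rejected", "unknown action", "gate")
        needs_human = rec.action in REQUIRE_APPROVAL or rec.scope in PRIVILEGED_SCOPES
        if needs_human and approved_by is None:
            return self._record(rec, "pending_approval", "policy requires a human approver", "gate")
        execute_identity_action(rec)
        return self._record(rec, "executed", "policy checks passed", approved_by or "automation")
```

A low-impact action in a privileged scope still lands in the pending queue, so the scope of the identity, not just the action type, decides whether automation may proceed.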
Key takeaways
- AI improves security operations only when it is tied to measurable identity and detection outcomes.
- Phishing-resistant MFA and passwordless authentication remain central because AI makes credential theft more scalable and convincing.
- Automation that can change access must stay bounded by policy, approval, and auditability, or it becomes a governance liability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | | AI deployment needs measurable governance and accountable ownership. |
| NIST CSF 2.0 | PR.AC-1 | Authentication modernization is central to reducing credential-based access risk. |
| OWASP Agentic AI Top 10 | A2 | Autonomous automation needs clear limits before it can touch identity actions. |
Map passwordless and MFA work to PR.AC-1 and expand coverage to privileged users first.
Key terms
- Phishing-resistant MFA: An authentication method that remains effective even when users are tricked into revealing information on a fake site. It relies on cryptographic proof or device-bound trust instead of reusable secrets, which makes it much harder for attackers to reuse stolen credentials across systems.
- Passwordless authentication: A login approach that removes passwords from the authentication flow and replaces them with stronger factors such as device-based credentials or cryptographic assertions. In security programs, it is used to reduce the attack surface created by shared secrets and credential reuse.
- Identity control discipline: A governance approach that requires every identity-related automation or control change to have a clear purpose, measurable outcome, and accountable owner. It treats AI-assisted security workflows as controlled access paths, not as free-form efficiency features, so that speed does not outrun auditability.
Deepen your knowledge
AI-driven identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are adapting authentication and automation controls for similar risks, it is worth exploring.
This post draws on content published by RSA Security: Multi-Factor Authentication The Right Way for CISOs to Use AI, Defined by Gartner. Read the original.
Published by the NHIMG editorial team on 2026-05-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org