TL;DR: AI is widening the attack surface through leaked credentials, misconfigured services, and AI-assisted abuse, while also improving detection speed and analyst effectiveness, according to SentinelOne’s cloud security reports. The practical question is no longer whether AI helps or harms, but which identity and access controls can keep pace with both.
At a glance
What this is: SentinelOne’s cloud security research argues that AI is simultaneously increasing attacker options and improving defender workflows, with identity and access exposure remaining a central risk theme.
Why it matters: For IAM, PAM, and NHI programmes, the key issue is that AI services inherit the same entitlement and secret-management failures as other cloud assets, but can amplify their impact much faster.
By the numbers:
- 53%, e than half of organisations, 53%, find that the majority of their alerts are false positives.
- Only 1.8% of managers and leaders surveyed said they do not expect to experience benefits from AI in cloud security solutions.
- Researchers found 6.4% secret leakage in repositories enabled with Copilot versus 4.6% across other repositories.
👉 Read SentinelOne’s analysis of AI risk and opportunity in cloud security
Context
AI is now part of the cloud control plane, which means its risks are not limited to model quality or productivity gains. Once AI services can query data, trigger actions, and inherit permissions, the security question becomes one of entitlement scope, secret exposure, and whether governance can keep pace with machine-speed decision-making.
SentinelOne’s reports frame that tension clearly: the same AI mechanisms that improve detection and analysis can also expand credential theft, lateral movement, and misconfiguration blast radius. That makes the topic relevant to cloud security leaders and to identity teams responsible for access boundaries, service accounts, and non-human identities.
The intersection matters because AI services rarely fail in isolation. They fail through the same familiar control gaps that affect NHI and privileged access programmes, especially standing credentials, over-permissioned roles, and weak lifecycle governance.
Key questions
Q: What breaks when AI agents are managed like ordinary machine identities?
A: What breaks is the assumption that access scope can be fully understood from provisioning data and quarterly review. Ordinary machine identities are repeatable; agents are not. If teams only review entitlements, they miss context shifts, delegated actions, and credential creation inside the session.
Q: Why do AI agents create more cloud access risk than human users?
A: AI agents can chain API calls quickly, interact with multiple services in one session, and operate without the familiar human signals that security tools expect. That makes over-permissioned access harder to spot and faster to abuse. In practice, the risk comes from effective privilege, not just who initiated the action.
Q: How can security teams tell whether AI lifecycle controls are working?
A: They should look for evidence that access requests, policy enforcement, and usage visibility are centrally recorded and current. If those signals are fragmented across platforms, the programme may be documenting governance rather than enforcing it. Continuous traceability is the practical test.
Q: Who should own AI agent governance when identity and access are shared across teams?
A: AI agent governance should sit with identity, security, and platform owners together, because no single team sees the full risk surface. IAM owns the control model, security owns containment and monitoring, and platform teams own the runtime integration. Shared ownership matters because agent risk spans identity, policy, and downstream execution.
Technical breakdown
Why AI services become identity-rich attack targets
Cloud AI services behave like any other workload from an access-control perspective, but they often sit closer to sensitive data and automation paths. A notebook, model endpoint, or orchestration job may be launched with a default role that can read storage, query databases, or call adjacent APIs. That makes the identity attached to the service as important as the model itself. If the service can enumerate secrets, modify data, or trigger downstream actions, compromise of the AI workload becomes a privilege escalation path rather than a simple application issue.
Practical implication: treat every AI service account, role, and token as a high-value workload identity with explicit scope and review.
How leaked credentials and prompt-to-code workflows widen exposure
LLM-assisted development can increase secret exposure because the model may generate code, configuration, or package references that accidentally surface credentials or create dependencies on the wrong artefacts. In the article’s examples, leaked keys and tokens appear in repositories and domains at meaningful rates, which shows that AI-assisted speed can outpace secure review. The security issue is not that the model knows secrets, but that the development workflow makes it easier for secrets to be copied, committed, or embedded before human review catches them.
Practical implication: combine secret scanning, code review, and policy gates around AI-assisted development paths, not just final deployment.
AI-SPM and CIEM address adjacent but different control gaps
AI security posture management focuses on discovering AI assets, misconfigurations, and attack paths around AI workloads, while CIEM focuses on who can do what in the cloud environment. Those are complementary lenses. If an AI workload is over-permissioned, the posture issue and the entitlement issue reinforce each other. The article’s core message is that AI-specific visibility is necessary, but it cannot replace entitlement governance, especially where AI services are allowed to reach data, secrets, and privileged APIs.
Practical implication: pair AI asset discovery with entitlement review so AI-specific misconfigurations and excessive access are assessed together.
Threat narrative
Attacker objective: The attacker’s objective is to turn an AI workload’s trusted access into a faster path to cloud compromise, secret theft, or data poisoning.
- Entry begins when attackers exploit leaked credentials, misconfigured cloud AI services, or malicious packages that enter AI-assisted development workflows.
- Escalation follows when the compromised AI workload inherits default roles or over-permissioned access that allow secret retrieval, data manipulation, or cross-domain movement.
- Impact occurs when attackers use that access to poison data, exfiltrate secrets, or abuse the cloud environment through the AI service identity.
NHI Mgmt Group analysis
AI has become an identity problem before it becomes an AI problem. The article shows that the highest-risk paths are not abstract model failures but access paths, secrets, and inherited permissions. Once an AI service can query data or trigger action through a cloud role, the governance question becomes who authorised that reach and how it is scoped. Practitioners should treat AI services as privileged workloads, not just smart applications.
AI security posture and entitlement governance now need to converge. AI-specific discovery tools can identify assets and misconfigurations, but they do not solve over-permissioning on their own. That makes AI-SPM and CIEM adjacent controls, not interchangeable ones. The article reinforces a familiar governance lesson: visibility without entitlement discipline does not reduce blast radius. Practitioners should align AI posture review with access review cycles.
Cloud AI risk is reviving old attack patterns in a new trust model. Dependency confusion, typosquatting, and secret leakage are not new, but AI-assisted development and MCP-style tool chaining make them easier to operationalise. The named concept here is context-churn exposure: as AI systems continuously refresh tools, prompts, and dependencies, the trust boundary keeps moving. Practitioners should assume that static approval models will miss part of the risk.
Defender confidence in AI does not remove the need for control design. The article argues that AI can improve detection, scoring, and incident response, but that benefit only matters if the underlying identities and permissions are already controlled. In other words, better analytics do not compensate for over-privileged workloads. Practitioners should measure AI’s value by whether it reduces exposure, not only by whether it speeds response.
The market is signalling a shift toward dual-control cloud security. Organisations now need one control plane for AI workload posture and another for identity and entitlement governance. That points to a broader operating model where cloud, AI, and identity teams share responsibility for the same attack paths. Practitioners should expect more consolidation around integrated visibility, but keep control ownership explicit.
What this signals
Context-churn exposure: AI-assisted development and tool chaining change the trust surface continuously, which means static allowlists and one-time approvals will miss part of the risk. Organisations need recurring access and dependency review for AI workloads, not just pre-release checks.
The governance signal is clear. AI security will increasingly be judged by whether it reduces excessive cloud access, secrets exposure, and misconfiguration blast radius. For teams mapping this to identity practice, the right reference point is workload identity and lifecycle control, not model enthusiasm.
Cloud and identity programmes should expect AI to increase demand for joint control ownership. That means tying posture findings to entitlement data, and aligning remediation with established identity governance patterns rather than treating AI as a separate exception.
For practitioners
- Implement entitlement reviews for AI workloads Map every AI service, notebook, and agent to the cloud roles, database permissions, and secret scopes it can reach. Remove broad default roles, especially where an AI workload can read metadata, delete data, or call adjacent services.
- Scan AI-assisted development paths for secrets Add secret detection to repositories, prompt-to-code workflows, and deployment pipelines that use LLM assistance. Prioritise API keys, tokens, and certificates embedded in generated code or copied configuration.
- Separate AI posture review from entitlement review Use AI-SPM to find AI assets and misconfigurations, then validate those findings against CIEM or equivalent entitlement tooling. The goal is to see both the exposed AI surface and the access behind it.
- Restrict tool and package trust in AI build flows Require allowlisted package sources, signed artefacts where possible, and human approval for new tool names introduced through AI coding or MCP-style tool chains. This reduces the chance that hallucinated or spoofed dependencies are trusted automatically.
- Measure whether AI reduces blast radius Track whether AI actually shortens incident response, lowers false positives, and reduces over-privileged access. If AI only accelerates analysis while entitlement scope stays unchanged, the organisation has improved speed without improving security.
Key takeaways
- AI is expanding cloud attack surface because it inherits access, secrets, and automation paths, not because models are inherently insecure.
- The strongest evidence in the article is that over-privilege, secret leakage, and misconfiguration remain the dominant failure modes even as AI changes the tooling.
- Practitioners should pair AI posture discovery with entitlement governance so AI workloads are constrained before they can amplify cloud risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article repeatedly centres on credential exposure and workload access scope. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article discusses leaked credentials, cross-domain movement, and data poisoning. |
| NIST CSF 2.0 | PR.AC-4 | The core issue is access scope for AI services and related identities. |
| NIST SP 800-53 Rev 5 | IA-5 | Secret leakage and credential management are central to the article’s cloud risk examples. |
| NIST AI RMF | MANAGE | The article’s main AI theme is operational risk management for AI-enabled systems. |
Map AI workload abuse paths to these tactics and prioritise controls that block credential use and movement.
Key terms
- AI-SPM: AI Security Posture Management extends security visibility into AI models, prompts, outputs, and supporting workflows. It gives teams a way to identify risky AI usage, check policy alignment, and monitor how AI systems interact with data and identity controls over time.
- Cloud Infrastructure Entitlement Management: Cloud Infrastructure Entitlement Management focuses on who has access to what in cloud systems, especially excessive or unused permissions. It helps reveal overprivileged identities, but it does not automatically remove them. In practice, it is most useful when tied to policy enforcement and access expiry mechanisms.
- MCP: Model Context Protocol, an open way for AI agents to connect to tools and data sources. It improves interoperability, but it also introduces a shared integration layer that must be governed carefully because the protocol can widen access across many systems at once.
- Slopsquatting: Slopsquatting is a supply-chain attack that exploits hallucinated package names suggested by AI systems. An attacker registers the invented name in a public registry and waits for a developer or build pipeline to install it. The risk sits at the intersection of model error, dependency trust, and software delivery speed.
What's in the full article
SentinelOne’s full blog covers the operational detail this post intentionally leaves for the source:
- Examples of AI-native cloud attack paths, including default-role abuse in cloud AI services and cross-domain secret enumeration.
- Operational comparisons between AI-SPM and CIEM for teams deciding how to split discovery from entitlement enforcement.
- Survey-backed detail on how cloud security teams rank AI, false-positive reduction, and incident-response acceleration.
- The specific examples behind credential leakage, package trust failures, and AI-assisted infostealer behaviour.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management for practitioners responsible for access boundaries. It gives identity and security teams a shared baseline for governing non-human access in cloud and AI-enabled environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org