TL;DR: AI tooling is collapsing knowledge retrieval, delivery timelines, and working skill thresholds into shorter, more accessible workflows, according to WorkOS. That compression raises the leverage of experienced teams, but it also creates hidden lossiness that identity and security programmes must account for.
At a glance
What this is: This analysis argues that AI tooling is compressing knowledge, time, and skill work into smaller execution loops, with productivity gains balanced by hidden loss of depth and judgment.
Why it matters: IAM practitioners should care because any system that compresses work also compresses the governance checkpoints around access, review, and accountability across human, NHI, and autonomous programmes.
Context
AI tooling is not just speeding up work. It is collapsing the distance between intent and outcome, which changes how organisations should think about access, review, and control across the identity stack. For IAM teams, that matters because faster execution can erase the artefacts and approval points that governance models depend on.
The article frames this as knowledge, time, and skill compression. That is a useful lens for identity programmes because the same compression logic appears whenever people, service accounts, or AI agents can do more in fewer steps, with less coordination, and with less visible intermediate evidence.
Key questions
Q: How should security teams govern AI-assisted workflows that compress approvals and handoffs?
A: Security teams should identify where AI tooling removes the artefacts that normal governance depends on, such as tickets, peer review, and explicit handoffs. Then they should replace those lost checkpoints with clearer logging, stronger approval thresholds for sensitive actions, and more deliberate review of who can execute the compressed workflow.
Q: Why does AI-driven compression create identity governance risk?
A: It creates risk because governance frameworks assume time, evidence, and accountability are visible long enough to review. When one person or system can complete work in a short session, the control environment loses intermediate artefacts, making it harder to certify access, trace intent, or separate acceptable speed from unsafe delegation.
Q: What do organisations get wrong about faster AI-powered delivery?
A: They often treat speed as proof that the control model is working. In reality, faster delivery can mean that approvals, expert checks, and exception handling have been compressed away. If the work touches sensitive systems, that missing structure can increase operational and security risk even when the output looks successful.
Q: Should teams use AI compression differently for humans, NHIs, and autonomous systems?
A: Yes. Human users still need training and review, NHIs need scoped access and traceable execution, and autonomous systems need tighter oversight because they can change actions at runtime. The common rule is the same: when compression removes governance artefacts, the control model must become more explicit, not less.
Technical breakdown
Knowledge compression in retrieval systems
Knowledge compression happens when a large corpus becomes queryable in a way that returns the most relevant material immediately. In practice, retrieval-augmented generation and semantic search reduce the distance between a question and an answer, but they do not change the underlying source material. The gain is speed and accessibility. The trade-off is that the system favours relevance over breadth, which can narrow discovery and hide adjacent context that a human researcher might have found while browsing more broadly.
Practical implication: teams should treat fast retrieval as an access layer, not as a substitute for source review, provenance checks, or expert validation.
Time compression across AI-assisted workflows
Time compression occurs when AI tools collapse multi-step workflows into a single continuous session. Instead of moving through briefs, handoffs, ticketing, QA, and deployment over several sprints, one operator can often generate, test, and ship a usable result far faster. The mechanism is not magic. It is the reduction of coordination cost and the removal of intermediate artefacts that normally slow delivery. That makes execution cheaper, but it also reduces the evidence trail that governance teams rely on to understand who approved what and when.
Practical implication: identity controls should assume fewer handoffs and less documentary evidence, then compensate with stronger change logging and approval traceability.
Skill compression and the widening execution floor
Skill compression is the shrinking gap between knowing what needs to happen and being able to execute it at a professional level. AI assistance lets non-specialists produce credible output across design, engineering, infrastructure, and security tasks, provided they can judge quality and catch errors. That does not eliminate expertise. It shifts the bottleneck from production to evaluation. The risk is that organisations confuse usable output with complete competence, especially where edge cases, security boundaries, and accessibility issues require specialist judgment.
Practical implication: governance should distinguish between task completion and expert assurance, especially where access decisions affect production systems or sensitive data.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
NHI Mgmt Group analysis
Compression changes the identity problem because governance was built for slower, more legible work. Access review, approval, and sign-off models assume there is enough time to observe activity, compare it against policy, and intervene before impact. AI-assisted compression shortens that window and reduces the artefacts those controls depend on. The practitioner conclusion is that governance has to measure work at the speed it is now being executed, not the speed it used to take.
Knowledge compression creates a new trust boundary around retrieval, not just around storage. When a system can surface the right answer in seconds, the control question moves from whether data exists to whether the retrieval path is appropriate, complete, and explainable. That matters for NHI governance because service identities and AI agents often consume this layer directly. The practitioner conclusion is that provenance and entitlement scope matter as much as content accuracy.
Skill compression raises the floor while also hiding the gap between output and assurance. A person can produce functional infrastructure or application logic without holding full domain expertise, but the review burden does not disappear. It shifts onto the organisation, which must decide where expert judgment remains mandatory and where speed is acceptable. The practitioner conclusion is that access to powerful tooling should be paired with stronger review thresholds, not weaker ones.
Identity programmes should treat compressed workflows as a signal that control points are disappearing, not that risk has been reduced. Faster delivery can make teams feel more efficient while quietly removing the checkpoints that make attribution, certification, and exception handling possible. That is especially relevant where humans, service accounts, and AI systems all touch the same workflow. The practitioner conclusion is to redesign governance around the new shape of execution, not the old one.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- That same research found that only 44% of organisations have implemented any policies to govern AI agents, even though 92% say governance is critical to enterprise security.
- For a deeper control lens, read the OWASP Agentic AI Top 10 for the runtime risks that compressed workflows can amplify.
What this signals
Knowledge compression becomes a governance issue the moment retrieval feeds production decisions. When systems compress research into a single answer, the organisation must decide whether provenance, entitlement scope, and human review are still mandatory before the output is acted on. That is especially relevant as AI adoption continues to expand faster than governance maturity, with 98% of companies planning even more AI agents within 12 months, according to the AI Agents: The New Attack Surface report.
Compression is also a useful way to think about identity blast radius. The fewer steps a workflow needs, the faster a mistake or misuse can travel from query to production impact. Teams should expect shorter attack and error windows, then design controls that preserve traceability even when execution is highly compressed.
As AI tooling reduces the number of visible checkpoints, security and compliance teams need a different operating assumption: if a workflow can be finished in one session, it can also outpace a review cycle. That is why runtime authorization, stronger logging, and tighter delegation rules matter more as execution gets faster.
For practitioners
- Map which approvals disappear under AI-assisted delivery: Identify workflows where briefs, review cycles, tickets, or QA gates no longer appear because one person can complete the task in a single session. Rebuild control points where those missing steps previously provided accountability, especially for production access and sensitive data handling.
- Separate retrieval speed from governance trust: Require source provenance, entitlement checks, and review rules for any workflow that compresses knowledge retrieval into a single query path. Fast answers should not mean unverified answers, particularly when service accounts or AI agents consume the output.
- Preserve expert review where compression hides error: Mark infrastructure, security, and accessibility tasks that can be drafted quickly but still need specialist sign-off before deployment. Use a deliberate review threshold for decisions that can create lasting blast radius even when the initial work was compressed.
- Rebuild training paths around evaluated work, not only production output: If juniors learn less by doing repetitive groundwork, create structured review and feedback loops that expose them to edge cases, failure analysis, and exception handling. That preserves the judgement-building function that compressed workflows tend to remove.
Key takeaways
- AI tooling compresses knowledge retrieval, execution time, and skill requirements, which changes the governance shape of work as much as the work itself.
- Compression creates hidden lossiness, because the artefacts and review points that normally support accountability can disappear when workflows shrink.
- Security and IAM teams should respond by preserving provenance, review thresholds, and traceability wherever speed removes the old control surface.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Compressed AI workflows can hide runtime tool misuse and approval bypass. |
| NIST AI RMF | | Compression changes governance, accountability, and oversight requirements for AI-enabled work. |
| NIST CSF 2.0 | PR.AC-4 | Faster execution can remove traditional access review evidence and control checkpoints. |
Apply AI RMF GOVERN and MAP functions to define ownership and monitoring for compressed AI workflows.
Key terms
- Knowledge Compression: Knowledge compression is the reduction of time and effort needed to find usable information. In AI workflows, retrieval systems and semantic search make large corpora feel immediate, but the trade-off is narrower discovery and less accidental context, which can matter when decisions rely on completeness rather than speed.
- Time Compression: Time compression is the shrinking of multi-step work into a shorter execution window. AI-assisted workflows can eliminate handoffs, tickets, and repeated coordination, which improves speed but also reduces the artefacts that governance teams use to verify what happened and who approved it.
- Skill Compression: Skill compression is the narrowing gap between understanding a task and being able to produce a usable result. It lets non-specialists ship credible output faster, but the organisation still has to decide where expert review remains mandatory because good enough output is not the same as assured output.
- Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause when access is misused or mis-scoped. In compressed workflows, the blast radius can grow quickly because fewer checkpoints sit between a decision, the access that enables it, and the production impact that follows.
This post draws on content published by WorkOS: Knowledge compression, time compression, skill compression.
Published by the NHIMG editorial team on 2026-03-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org