TL;DR: Twine says its participation in Anthropic’s Cyber Verification Program adds an independent check for defensive AI security work, where real-time cyber safeguards block risky model use by default and verified organisations can pursue bounded dual-use tasks, according to Twine Security. That matters because trust in agentic AI now depends on inspectable mechanisms, not vendor assurances.
At a glance
What this is: This is Twine Security’s analysis of how Anthropic’s Cyber Verification Program affects trusted AI identity operations and defensive AI use.
Why it matters: It matters because IAM and security teams need to separate model-layer safeguards from action-layer controls when AI is making or assisting identity decisions.
👉 Read Twine Security’s analysis of Anthropic Cyber Verification for trusted AI identity operations
Context
The security problem here is not AI capability on its own, but how defensive AI work is governed when the underlying model can also be used for dual-use or harmful activity. In AI identity operations, the question is whether the system can be trusted to perform security tasks without widening the organisation’s exposure to abuse or weakening approval boundaries.
Twine’s framing is about layered control. Anthropic constrains the model layer through cyber safeguards and verification, while the vendor constrains the action layer through human-in-the-loop approvals, per-action autonomy settings, and audit trails. That separation is the core governance issue for teams evaluating agentic AI in identity workflows.
Key questions
Q: How should security teams govern AI systems that perform identity work?
A: Security teams should separate model trust from execution trust. The model can be verified for defensive use, while the environment still requires scoped permissions, human approvals, and full audit trails. That prevents a verified model from becoming an ungoverned operator inside the identity stack.
Q: Why do AI identity workflows need both verification and approvals?
A: Verification answers whether the model is allowed to support defensive cyber work. Approvals answer whether a specific action should happen in the organisation. Those are different governance questions, and both are required if the AI can influence identity changes, investigations, or remediation tasks.
Q: What do organisations get wrong about trusted AI in security operations?
A: They often collapse trust into a single vendor claim or a single approval step. In practice, trustworthy AI security operations need layered evidence, including model safeguards, customer-side action controls, and records that show who authorised each decision and why.
Q: How can teams evaluate whether an AI vendor is safe for identity operations?
A: Ask which layer is controlled externally, which layer is controlled by your team, and how each layer is audited. If the vendor cannot separate model safeguards from workflow authority, the organisation may be treating a capability label as a governance model.
Technical breakdown
Model-layer safeguards versus action-layer controls
Anthropic’s Cyber Verification Program governs what the foundation model is allowed to do, while Twine’s control membrane governs what the AI digital employee can execute inside the customer environment. That distinction matters because a model can be verified for defensive use without being granted operational authority. In practice, identity teams should treat model permissioning, workflow permissioning, and auditability as separate control planes. The article’s central point is that AI trust is not a single approval event. It is a layered operating model where each layer needs its own policy boundary, evidence trail, and revocation path.
Practical implication: map model access and execution authority to different owners, policies, and review points.
Defensive dual-use work and cyber verification
Identity security often sits close to dual-use territory because defenders must reason about attack paths, standing privilege, orphaned accounts, and abuse scenarios to secure them. Anthropic’s program exists to verify that this work is defensive rather than open-ended offensive experimentation. The technical significance is that the same model capability can be allowed or blocked depending on context, intent, and organisational verification. For practitioners, that means the risk question is not simply whether the AI can reason about abuse, but whether the organisation has a defensible way to constrain and evidence that reasoning.
Practical implication: require explicit defensive-use justification before allowing AI-assisted threat modelling or attack-path analysis.
Per-action autonomy is not the same as model verification
Twine’s description makes a useful separation between autonomy at execution time and verification at the model layer. A verified model still does not automatically gain permission to act independently, because the customer environment can require approvals, scoped action settings, and logging for every step. That is the right mental model for AI identity operations. A system may be allowed to think about risky security problems, but it should still be prevented from taking unrestricted actions. Governance fails when teams collapse those two questions into one.
Practical implication: keep approvals and audit trails in force even when a model has passed defensive-use verification.
NHI Mgmt Group analysis
Layered AI trust is now a control design problem, not a branding claim. The article shows that model-layer verification and action-layer governance answer different questions. Anthropic controls what the model may do, while the vendor controls what the AI employee may execute. Practitioners should treat those as separate evidence requirements, not substitute assurances.
Defensive AI identity work increasingly depends on being allowed to reason about abuse. Identity security teams cannot secure standing privilege, orphaned accounts, or attack paths if the model is forbidden to think about misuse altogether. The important governance question is how to permit that reasoning under bounded, defensible conditions. That is where verification becomes relevant to AI-enabled IAM operations.
Per-action autonomy remains the real enterprise safeguard. Even when a model has been verified for defensive use, enterprise risk still lives in execution authority, approval boundaries, and logging. The post makes clear that autonomy without control is still the non-starter. Practitioners should keep execution governance separate from model trust decisions.
Verified defensive use will accelerate scrutiny of AI identity workflows. As more vendors adopt frontier models for security operations, buyers will ask whether model safeguards, organisational verification, and customer-side approvals line up cleanly. That will push the market toward more explicit control membranes and more auditable AI governance. Teams should expect due diligence to focus on mechanism, not marketing.
Trusted AI identity operations needs a named concept: layered trust enforcement. The model layer, the organisation layer, and the action layer are all distinct enforcement points. That concept matters because it explains why a single “approved AI” label is insufficient for identity security governance. Practitioners should design policies that preserve separation between model permission, workflow authority, and human accountability.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
- For a broader control baseline, read Ultimate Guide to NHIs for lifecycle, rotation, and zero standing privilege context.
What this signals
Layered trust enforcement: AI identity operations will increasingly be judged by whether model safeguards, customer approvals, and auditability are independently visible. That is a governance maturity issue, not a feature checklist item, and it will shape how teams procure and operationalise agentic security tooling.
The confidence gap in non-human identity security is already structural, with only 1.5 out of 10 organisations highly confident in securing NHIs. That is a warning sign for AI-enabled identity workflows, because teams that cannot govern machine identities cleanly will struggle to explain where model trust ends and execution authority begins.
Practitioners should expect due diligence to move from “does the vendor use AI?” to “which layer is controlled, verified, and reversible?” The strongest programmes will treat AI identity controls as a control-membrane problem, then align them with NHI governance and lifecycle review practices.
For practitioners
- Define separate control planes for model and action trust Document which decisions belong to the frontier model provider, which belong to the workflow owner, and which remain with human approvers. Keep verification evidence, approval logs, and operational audit trails in different control records so you can prove each layer independently.
- Gate dual-use identity tasks behind explicit defensive justification Require a documented defensive purpose before allowing AI to perform threat modelling, attack-path analysis, or abuse simulation. Use a review path that checks the use case, not just the model brand, before granting access to those workflows.
- Keep per-action autonomy bounded and reversible Set task-level autonomy settings so the AI can only execute within predefined scopes, and make approvals mandatory for high-impact identity changes. Ensure every action can be traced back to a human owner and revoked without collapsing the workflow.
- Test procurement questions against the control membrane Ask vendors which layer enforces safety, what is verified externally, and how action-level authority is constrained in your environment. This exposes whether the product has real governance depth or only model-side assurances.
Key takeaways
- AI identity trust depends on separate controls for model behaviour and runtime execution, not a single approval label.
- Defensive AI security work must be allowed to reason about abuse scenarios while still being bounded by human governance.
- Identity teams should evaluate AI vendors by control layers, auditability, and reversibility rather than by claims of trust.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Verifying AI use for defensive cyber work maps to agentic risk governance. | |
| NIST AI RMF | The article is about governance, accountability, and controlled AI deployment. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | AI digital employees operate as non-human identities with scoped access and approvals. |
Inventory AI identities, constrain entitlements, and require revocation paths for every permitted action.
Key terms
- Model-layer safeguard: A model-layer safeguard is a provider-side control that limits what an AI model can say, infer, or help with before any customer workflow is involved. In AI identity operations, it reduces the chance that a model will be used for prohibited or high-risk cyber activity.
- Control membrane: A control membrane is the customer-side boundary that constrains what an AI system may actually execute inside an environment. It typically includes approvals, scoped autonomy, and audit logging, and it matters because model permission does not equal operational permission.
- Per-action autonomy: Per-action autonomy is the practice of allowing an AI system to make or execute decisions only within specific, bounded tasks. It keeps independent action from becoming blanket authority, which is critical when the AI is touching identity, access, or security operations.
- Dual-use security task: A dual-use security task is legitimate defensive work that overlaps with techniques an attacker could also use, such as attack-path analysis or adversarial simulation. The governance challenge is allowing the defensive task without opening the door to unsafe operational use.
What's in the full article
Twine Security's full post covers the operational detail this post intentionally leaves for the source:
- How Twine’s control membrane sets per-action autonomy and approval boundaries for Alex.
- How Anthropic’s Cyber Verification Program scopes verified defensive use at the model layer.
- How the organization-based verification process works, including application, review, and appeals.
- How Twine frames auditability and traceable reasoning for AI digital employee actions.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org