TL;DR: Four CISOs argue that generative AI is already changing security strategy, with immediate action needed to protect security infrastructure and separate real risk from hype, according to Abnormal AI’s Vision 2024 webinar. The governance question is no longer whether AI matters, but which identity, access, and control assumptions need to be rewritten now.
At a glance
What this is: This on-demand webinar captures four CISOs discussing how generative AI is altering cybersecurity strategy and what security leaders should do next.
Why it matters: It matters because AI changes the assumptions behind access, monitoring, and governance across NHI, autonomous, and human identity programmes, so IAM teams need a clearer control model now.
👉 Watch Abnormal AI's on-demand webinar on generative AI and cybersecurity strategy
Context
Generative AI is pushing security leaders to rethink where trust sits in the identity stack, because the same controls that work for people and static machine accounts do not automatically fit AI-driven workflows. In this webinar, four CISOs separate practical concerns from marketing noise and focus on what security teams are already changing.
For IAM and security architecture teams, the central issue is not the novelty of AI itself but the governance gap it exposes. As AI becomes part of security operations and decision support, organisations need to decide whether existing access, lifecycle, and oversight models can still describe who or what is acting at runtime.
Key questions
Q: How should security teams govern AI use inside cybersecurity operations?
A: Security teams should treat AI use in cybersecurity operations as part of identity governance, not as a separate innovation workstream. Define who owns the workflow, what the AI may influence, what it may execute, and which decisions still require human approval. Then include those flows in access reviews, logging, and exception handling so the control record matches runtime reality.
Q: Why do generative ai initiatives create IAM and IGA risk?
A: Generative AI creates IAM and IGA risk because it can change how decisions are made, who is considered accountable, and how quickly actions happen. If the organisation cannot show the identity behind the AI-enabled step, the audit trail becomes incomplete. That weakens certification, escalation, and incident review across human and machine workflows.
Q: What should organisations check before letting ai influence security decisions?
A: Organisations should check whether the AI is advisory, delegated, or directly authorised to act. They should also verify the data scope, logging, approval path, and rollback options for each security workflow. If any of those are unclear, the organisation has a governance gap, not just a technical integration issue.
Q: Who is accountable when ai-enabled security tooling causes a bad decision?
A: Accountability should sit with the business owner of the workflow and the security owner of the control, not with the AI system itself. The team must be able to show who approved the AI’s role, what authority it had, and how the decision was reviewed after the fact. Without that, the organisation cannot defend the control in audit or incident response.
Background and context
How generative ai changes the security control plane
Generative AI changes the security control plane by introducing systems that can influence decisions, recommend actions, and sometimes trigger downstream workflows faster than traditional review cycles can keep up. Even when the AI is not autonomous, it can still reshape how access is requested, approved, monitored, and audited. That creates pressure on identity governance because the control plane now has to account for machine-mediated decision paths, not just human users and static service accounts. The practical question is whether policy, logging, and review processes can still keep pace with AI-shaped execution.
Practical implication: map where AI now influences access, approval, and monitoring so control ownership is explicit before workflows drift.
AI-native cybersecurity and the identity boundary
AI-native cybersecurity tools are being discussed as part of the future protection stack because they can process behaviour and signals at machine speed, but that also sharpens the identity boundary problem. When a security product or workflow uses AI, teams still need to know what identity it acts under, what data it can reach, and which actions remain human-approved. Without that separation, AI can become another hidden privilege layer rather than a governed capability. The issue is less about AI performance and more about identity accountability.
Practical implication: require every AI-enabled security workflow to have a named identity, a scope, and a review path.
Why ai governance now belongs in iam conversations
AI governance is no longer a side topic for security strategy because it intersects directly with identity assurance, privileged access, and lifecycle control. If AI systems are advising or initiating security actions, then access reviews, logging, and escalation paths must account for both the human operator and the machine-mediated step in between. That is especially important where AI influences incident response, policy tuning, or access recommendations. Identity teams should treat AI as a governance participant, not only a technology feature.
Practical implication: include AI-driven workflows in IAM and IGA scoping so accountability is assessed end to end.
NHI Mgmt Group analysis
Generative AI is now an identity governance problem, not only a security tooling topic. Once AI shapes access decisions, escalations, or analyst workflows, the control question moves from model quality to who is accountable for machine-mediated action. That makes IAM, IGA, and PAM teams part of the AI discussion whether or not the organisation has a formal AI programme. Practitioners should treat AI-in-security as a governance domain that crosses team boundaries.
Security leaders are really signalling that AI compresses the time available for human review. The webinar’s value is not the hype around AI-native tools but the recognition that AI speeds up decision paths faster than legacy approval and recertification cycles can comfortably absorb. That matters across human IAM, NHI, and automated workflows because lifecycle governance assumes the actor remains observable long enough to be reviewed. Practitioners should reassess which controls depend on slow, human-paced checkpoints.
AI-native cybersecurity will push identity teams to define where runtime authority begins and ends. If an AI-enabled system can recommend, prioritise, or trigger a security response, then the enterprise must still decide whether that action was advisory, delegated, or directly executed. The market is moving toward tools that collapse those distinctions, which increases the need for clear identity boundaries and auditability. Practitioners should expect more demand for explicit machine identity and action traceability.
Abnormal AI’s webinar reflects a broader market shift toward operational AI literacy inside security teams. The organisations that gain the most value will not be the ones that adopt AI fastest, but the ones that can govern AI use without weakening access control or oversight. That means treating AI as part of the identity fabric, not a separate innovation layer. Practitioners should use this moment to align security architecture, governance, and operating model decisions.
Identity lifecycle assumptions are under pressure whenever AI begins to participate in decision making. Traditional governance was designed for actors whose privileges persist long enough to be reviewed on a schedule. That assumption weakens as AI shortens decision loops and increases the number of machine-mediated actions that never fit a standard review window. The implication is that lifecycle policy, not just security tooling, needs to be re-evaluated.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree governance is critical to enterprise security, according to the same research.
- That gap makes AI governance a programme issue, not a point control issue, and the broader NHI evidence base on privilege, visibility, and review depth is available in The 52 NHI breaches Report.
What this signals
AI in security will increasingly be judged by whether it can be governed, not just whether it can be deployed. With 80% of organisations already reporting AI agents acting beyond intended scope, the operational question for IAM and security leaders is where those behaviours sit in the control stack and how they are recorded in reviews. Teams that cannot map AI-mediated actions into their governance model will struggle to defend access decisions, even when the technology appears effective.
Machine-mediated decision paths are now part of identity architecture. That means the next phase of IAM work is not only about authenticating users or rotating secrets, but about identifying where AI changes who can act, when action occurs, and how evidence is retained. The organisations that succeed will formalise AI boundaries inside governance and lifecycle processes before the exceptions become normal.
Security programmes should expect more demand for traceability across advisory, delegated, and automated flows. That is where the identity boundary becomes operational, and where programmes aligned to the NIST SP 800-63 Digital Identity Guidelines and NIST AI 600-1 Generative AI Profile will have a clearer basis for control design.
For practitioners
- Define AI-in-security identity ownership Assign a named business and technical owner to every AI-enabled security workflow, including the systems that generate recommendations, trigger actions, or tune policy. Record the identity used, the scope of authority, and the approval boundary for each workflow.
- Add AI-mediated steps to access reviews Extend access certification and recertification scope to include workflows where AI influences decisions about access, escalation, or containment. Review the human and machine steps together so the governance record shows who decided, what the AI contributed, and what executed.
- Separate advisory from delegated authority Document where AI is advisory only and where it is allowed to initiate action, then apply different logging and escalation rules to each case. This avoids treating machine suggestions as if they were approved actions.
- Inventory AI-exposed security controls Map which security processes now rely on AI for prioritisation, triage, or response, then test whether those controls still have clear audit trails and escalation paths. If they do not, treat the gap as a governance issue rather than a feature request.
Key takeaways
- Generative AI is altering security governance by speeding up decision paths and blurring the line between advisory output and delegated action.
- The practical risk is not hype alone but incomplete accountability, because AI-mediated workflows can outpace existing review, logging, and certification cycles.
- IAM teams should bring AI-enabled security processes into the same governance model used for human and machine identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | AI-enabled security workflows raise agentic control and misuse concerns. |
| NIST AI RMF | AI governance and accountability are central to the webinar's message. | |
| NIST CSF 2.0 | PR.AC-4 | Identity governance must cover AI-mediated access and control decisions. |
Apply GOVERN and MAP functions to assign ownership, document context, and assess AI-driven security risk.
Key terms
- AI-mediated workflow: A workflow in which artificial intelligence influences, recommends, or triggers part of the control path. In identity terms, the key issue is not whether the AI is impressive, but whether the organisation can define its authority, evidence trail, and human override path.
- Delegated authority: Permission granted to a system or process to take action on behalf of a human or another control layer. For AI security use cases, delegated authority must be bounded clearly so that recommendation, approval, and execution are not confused in audit or incident response.
- Identity governance: The discipline of controlling who or what can access resources, under what conditions, and with what evidence for review. For AI-enabled environments, governance must extend beyond people and static machine accounts to workflows where machine decisions influence security actions.
- Machine identity: A non-human identity used by a system, workload, or automated process to authenticate and interact with other systems. In AI-driven security environments, machine identity also includes the identities under which AI-enabled workflows operate and are audited.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: CISO Chat(GPT): How Top Brands are Using AI in Cybersecurity. Read the original.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
