Constant identity verification is now the baseline for AI-era security

At a glance

What this is: This is Delinea’s argument that identity trust can no longer be assumed in AI-driven environments and must be verified continuously across human and machine identities.

Why it matters: It matters because IAM, NHI, PAM, and human identity programmes now face the same problem: access, authenticity, and accountability all need continuous proof, not periodic review.

By the numbers:

• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
• Only 5.7% of organisations have full visibility into their service accounts.

👉 Read Delinea's analysis of constant identity verification in the AI era

Context

AI has accelerated the gap between identity creation and identity governance. When teams can spin up tools, bots, tokens, and machine workflows faster than security can inventory them, identity trust stops being a static property and becomes a runtime decision.

The article’s central point is that organisations must stop treating identity assurance as a one-time check for people or systems. That applies equally to human access, machine identities, and AI-enabled workflows where the real risk is blind trust in who or what is acting.

The underlying governance problem is visibility and verification across a mixed identity estate. If the programme cannot continuously inventory identities, bind access to purpose, and revoke what is no longer needed, then risk accumulates faster than conventional controls can absorb it.

Key questions

Q: How should security teams handle shadow AI without blocking innovation?

A: Security teams should inventory shadow AI first, then assign ownership to the identities, secrets, and data pathways each tool can reach. The goal is not to ban experimentation, but to stop unmanaged access from becoming a hidden production dependency. Controls work best when they are continuous, visible, and tied to actual usage.

Q: Why do machine identities increase identity risk so quickly?

A: Machine identities increase risk because they scale faster than human governance processes and often carry broad, long-lived privileges. When service accounts, tokens, and bots outnumber visible controls, access tends to persist after the business need has changed. That creates an easy path for misuse, lateral movement, and unnoticed exposure.

Q: What breaks when organisations rely on one-time identity checks?

A: One-time checks break when the identity can keep acting after the original trust decision is no longer valid. That is common in AI workflows, bots, and delegated machine access. Security teams then lose the ability to detect scope drift, revoke access quickly, or challenge suspicious behaviour before impact grows.

Q: Who is accountable when continuous identity verification fails?

A: Accountability sits with the team that owns the identity lifecycle, the access policy, and the monitoring of the identity’s actual usage. If a human, machine, or AI-driven workflow can act without clear ownership, then no one can prove who approved the access, who monitored it, or who should revoke it.

Technical breakdown

Continuous identity verification across human and machine identities

Continuous identity verification means access decisions are re-evaluated as conditions change, rather than relying on a single login or a once-per-year review. In AI-heavy environments, this matters because identities can be created, delegated, or abused faster than traditional approval workflows can respond. Risk-based authorization, behavioral signals, and session context become the control surface. For machine identities, the same principle applies to service accounts, tokens, and API keys, which often operate without a person present. The security question is not just who authenticated, but whether the identity should still be trusted at this moment.

Practical implication: move from point-in-time approval to continuous verification for both human sessions and machine credentials.

Shadow AI and exposed credentials widen the attack surface

Shadow AI refers to unmanaged AI tools and workflows introduced outside formal security oversight. The risk is not only unsanctioned software, but the credentials, tokens, and data connections those tools consume. If an employee pastes secrets into a prompt, uploads sensitive data to an external service, or connects a new workflow to internal systems, the attack surface expands without governance visibility. This is an identity problem because the tool often acts with inherited access. The same pattern already shows up in non-human identity abuse: overexposed secrets and weak ownership turn convenience into persistence for attackers.

Practical implication: inventory AI tools and map the identities and secrets they can reach before they become hidden access paths.

Machine identity governance is now part of cyber resilience

Machine identities now outnumber human users in many environments, and that changes resilience planning. Forgotten service accounts, overprivileged bots, and unused credentials create long-lived access paths that survive normal operational churn. Strong resilience is therefore not just about availability and recovery. It also depends on whether identity sprawl can be contained, whether privileged access can be monitored continuously, and whether dormant credentials can be revoked before they become an incident path. The article correctly ties security, trust, and resilience together because identity failure now affects business continuity as much as confidentiality.

Practical implication: treat machine identity lifecycle controls as resilience controls, not just security hygiene.

Threat narrative

Attacker objective: The objective is to obtain trusted access that can be used to move data, impersonate legitimate actors, and bypass normal authorization checks.

1. Entry begins when shadow AI, exposed credentials, or deceptive deepfakes create a trusted-looking access path into the environment.
2. Escalation follows when the identity is overprivileged, poorly monitored, or allowed to keep using inherited access across tools and sessions.
3. Impact occurs when attackers or unsafe workflows move sensitive data, authorize false actions, or expand the attack surface beyond what security can observe.

Breaches seen in the wild

• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
• Internet Archive breach — unsecured GitLab authentication tokens exposed 31M Internet Archive accounts.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Identity trust has become a runtime control problem, not a login problem. The article is right to move beyond authentication as a one-time event, because AI-driven workflows and machine identities can act after the initial check is complete. That shifts the governance burden from access issuance to continuous trust validation across the session, the workflow, and the credential lifecycle. Practitioners should read this as a control-model change, not a messaging update.

Shadow AI is fundamentally an identity governance issue. Unmanaged AI tools matter because they inherit or expose credentials, connect to sensitive data, and create access paths security teams never approved. That makes the real failure mode hidden non-human identity sprawl, not merely unsanctioned software. The field should stop treating shadow AI as a policy exception and start treating it as an unmanaged identity estate.

Machine identity visibility is the new minimum for cyber resilience. When machine identities outnumber humans, a programme that cannot inventory them cannot credibly claim control over access, privilege, or accountability. This is where the article aligns with NHI governance discipline: continuous discovery, ownership, and revocation are not enhancements, they are the baseline for operating at digital speed. Security teams should treat missing visibility as a resilience gap, not a reporting gap.

Constant verification is a named concept for the post-password, post-perimeter era. Identity trust used to be anchored to a successful sign-in and a narrow set of known systems. That assumption fails when people, machines, and AI-enabled workflows all initiate actions at machine speed and can look legitimate while doing the wrong thing. The implication is that access governance now has to be measured by whether trust can be revalidated continuously, not merely granted cleanly.

Least privilege still matters, but the article shows why privilege without lifecycle control becomes a liability. Overprivileged bots, stale service accounts, and unused credentials are all expressions of the same governance failure: access outlives purpose. The discipline here is not new, but the operating tempo is. Practitioners should focus on where identity ownership, monitoring, and revocation lag behind actual usage.

From our research:

• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
• 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
• For a deeper view of how exposed credentials and unmanaged access paths show up in real incidents, see 52 NHI Breaches Analysis.

What this signals

Constant identity verification is becoming a programme design requirement, not a control preference. As AI tools and machine identities spread, the practical standard shifts toward continuous trust reassessment, especially where access can be inherited or hidden inside workflows. Teams that still rely on static approval points will miss the moments where misuse actually occurs.

With 96% of organisations storing secrets outside of secrets managers, the operational gap is already large enough to make hidden access a routine condition, not an edge case. That means identity governance has to move closer to development, collaboration, and AI usage patterns before the next audit cycle.

Identity blast radius: the combined access a human, machine, or AI workflow can reach once trust is assumed. In practice, the next priority is to reduce hidden reach, shorten credential lifetime, and make revocation visible across every environment that can consume secrets or initiate actions.

For practitioners

• Inventory AI tools and their connected identities Map every AI-enabled workflow, browser assistant, and shadow tool to the secrets, API keys, and service accounts it can reach. Prioritise unmanaged connections first, because they create access paths security cannot govern or revoke cleanly.
• Move to continuous identity verification for risky sessions Use real-time risk signals, behavioral patterns, and session context to re-evaluate trust after initial authentication. Apply this to both human sessions and machine interactions where inherited access can be abused without a fresh approval step.
• Tighten machine identity lifecycle controls Track ownership, usage, rotation, and offboarding for service accounts, bots, and tokens on the same schedule you expect for critical human access. Remove dormant credentials before they become an unobserved path into production systems.
• Reduce exposed secrets in toolchains and prompts Prohibit secrets in code, configs, chat prompts, and unsanctioned AI tools, then monitor for accidental leakage across CI/CD and collaboration platforms. Hidden credentials remain one of the easiest ways to convert convenience into compromise.
• Align identity governance with resilience planning Treat identity inventory, privilege monitoring, and revocation readiness as part of resilience testing. If you cannot prove who or what has access during disruption, you do not have a complete continuity model.

Key takeaways

• AI-era security now depends on verifying identity continuously, because static trust no longer matches how people, machines, and tools operate.
• Shadow AI, deepfakes, and overprivileged machine identities are converging into one governance problem: hidden access paths that traditional controls do not see soon enough.
• Teams should treat discovery, monitoring, rotation, and revocation for machine identities as resilience controls, not optional hygiene.

Key terms

• Shadow AI: Shadow AI is the use of AI tools, assistants, or workflows outside formal security oversight. The risk is not just unsanctioned software, but the hidden identities, data paths, and credentials those tools consume or expose. Governance fails when security cannot see the access the tool inherits.
• Machine Identity: A machine identity is any non-human identity used by software, services, bots, workloads, or AI systems to authenticate and act. It includes service accounts, API keys, tokens, and certificates. These identities need lifecycle control because they often persist longer and reach further than the business task they support.
• Continuous Identity Verification: Continuous identity verification is the practice of re-checking trust throughout a session or workflow, not only at sign-in. It combines context, behavior, and access policy to decide whether an identity should still be trusted. This matters when access can be reused, delegated, or abused after the original check.
• Identity Blast Radius: Identity blast radius is the amount of access, data, and connected systems an identity can reach once it is trusted. The larger the blast radius, the more damage a compromised or misused identity can cause. Reducing it means shrinking privilege, shortening credential life, and improving revocation speed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: Why a smarter, riskier world demands constant identity verification. Read the original.