TL;DR: IT leaders are being pushed from keeping systems running to driving innovation, growth, and profitability as AI adoption accelerates, according to JumpCloud's discussion of SME IT Trends Data. The shift matters because IT strategy now shapes business outcomes, but only if identity, access, and operational controls keep pace with the new role.
At a glance
What this is: This is an editorial on how AI is reshaping IT from an operational function into a business-growth engine.
Why it matters: It matters because identity and access programmes must support IT teams that are now expected to enable innovation, not just maintain infrastructure.
Context
IT has moved beyond uptime and ticket resolution into a role that increasingly influences revenue, customer experience, and operating model change. That shift is being accelerated by AI, which is changing what business leaders expect from technology teams and what those teams need from identity and access governance.
For IAM practitioners, the important question is no longer whether IT can keep systems stable. It is whether identity controls, privilege boundaries, and lifecycle processes can support IT as a strategic business function without creating unmanaged access, weak accountability, or shadow automation.
The article frames a familiar enterprise transition, but the governance implication is more specific: as IT becomes a growth engine, the identity surface area expands with it. That is typical of organisations trying to use AI to move faster.
Key questions
Q: How should IT teams govern identity access when AI becomes part of the operating model?
A: IT teams should treat AI-enabled workflows like any other production access path: assign a named owner, define the business purpose, scope permissions tightly, and make revocation explicit. The important shift is governance, not tooling. If AI expands what IT can do, identity controls must expand with the same discipline.
Q: Why do strategic IT programmes create more identity risk if governance does not change?
A: Strategic IT usually increases delegation to service identities, automation accounts, and integration tokens. If governance stays static, those identities accumulate standing access, stale approvals, and unclear ownership. The programme gains speed, but the identity layer loses accountability, making risk harder to see and harder to remove.
Q: What should security teams review first when IT starts using AI to drive business outcomes?
A: Start with the identities that connect AI-supported workflows to core systems. Look for service accounts, API keys, and delegated permissions that were created for speed but never formally recertified. Those are usually the fastest route from business experimentation to unmanaged access.
Q: How do identity controls support IT as a growth engine rather than a cost centre?
A: Identity controls make strategic IT reliable. Access reviews, lifecycle ownership, and least privilege prevent delegated access from turning into sprawl, so the organisation can move faster without losing accountability. That is what allows IT to scale business change instead of merely absorbing operational load.
Technical breakdown
How AI changes the IT operating model
AI changes IT because it shifts the function from reactive service delivery to decision support, process optimisation, and business enablement. In practice, that means IT teams are not only maintaining infrastructure, they are increasingly configuring data flows, automation paths, and access patterns that affect how work gets done. The governance challenge is that these changes often arrive faster than entitlement models, approval chains, and service ownership records can be updated.
Practical implication: identity governance must track new AI-enabled workflows before they become de facto production access paths.
Why strategic IT still depends on identity controls
A strategic IT organisation still depends on the same core controls that underpin secure operations: least privilege, clear ownership, reviewable access, and lifecycle discipline. AI does not remove those controls. It makes them more visible, because faster change creates more opportunities for over-provisioned service accounts, unclear approval responsibility, and access that no longer matches business need.
Practical implication: review whether access governance still matches how IT actually delivers business change, not how the org chart says it should.
Business-aligned IT needs governed delegation
When IT is expected to support innovation, it often delegates more work to platforms, integrations, and service identities. That delegation is healthy only when it is bounded by ownership, purpose, and revocation discipline. Without that, strategic IT turns into access sprawl, where convenience is mistaken for capability and business speed quietly accumulates identity risk.
Practical implication: require explicit ownership and offboarding for every delegated access path created to support AI or automation.
NHI Mgmt Group analysis
AI does not make IT strategic by itself, but it does expose whether identity governance is mature enough to support a strategic IT function. If access, ownership, and lifecycle controls are weak, the organisation will add AI on top of unresolved entitlement drift. The result is faster change with poorer accountability, which is the opposite of strategic maturity.
The real governance gap is not AI adoption. It is the tendency to expand IT responsibility without expanding identity discipline. Teams that ask IT to drive innovation while leaving service account sprawl, informal approvals, and stale delegations untouched are treating access as an implementation detail. That breaks the operating model before it breaks the technology.
Strategic IT increasingly depends on governed delegation across people, workloads, and automated services. The more IT becomes a growth engine, the more it relies on non-human identities to connect systems, move data, and trigger business processes. That makes NHI lifecycle control part of IT strategy, not a back-office hygiene task.
Identity governance is now a business-enablement control, not just a risk-reduction control. If IT is expected to influence profitability and customer experience, then access reviews, ownership records, and revocation paths must be accurate enough to support that mandate. Practitioners should treat identity quality as a prerequisite for strategic delivery.
From our research:
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts.
- Read Codefinger AWS S3 ransomware attack for a direct example of how compromised credentials turn identity weakness into operational impact.
What this signals
The shift from support function to growth engine will force identity teams to treat delegated access as a business design issue, not just an operational control. Identity blast radius is the practical measure of how far one compromised or over-broad identity can reach across systems, data, and workflows. As AI expands IT's remit, that blast radius needs to be mapped before it becomes a production dependency.
With 88.5% of organisations saying their non-human IAM practices lag behind or only match human IAM, according to The 2024 Non-Human Identity Security Report, the gap is already structural. Teams that want AI-enabled IT to support growth should pair that ambition with stronger ownership, lifecycle discipline, and recertification for machine identities.
The next programme question is whether IT leaders can prove that the identities powering AI-enabled delivery are owned, scoped, and revocable. If they cannot, strategy will move faster than governance, and access sprawl will quietly become part of the business model.
For practitioners
- Map AI-enabled IT workflows to identity ownership: Document which teams approve, operate, and revoke each access path used by AI-supported IT processes, including service accounts and integration tokens.
- Review delegated access created for operational speed: Identify accounts, API keys, and automation identities that were introduced to make IT faster, then confirm they still have a named owner and an approved business purpose.
- Tie access reviews to business-critical IT outcomes: Prioritise recertification for identities that support revenue, customer experience, or AI-enabled service delivery, because those are now strategic dependencies rather than routine IT assets.
- Remove stale delegation from AI pilot environments: Treat temporary permissions granted for AI experimentation as time-bounded entitlements and revoke them when the pilot ends or changes scope.
Key takeaways
- AI is pushing IT toward a strategic business role, but that shift only works when identity governance keeps pace with delegated access and automation.
- The strongest signal in this discussion is the governance gap between business ambition and identity discipline, especially for service accounts and AI-enabled workflows.
- Practitioners should treat access ownership, lifecycle control, and recertification as prerequisites for strategic IT, not after-the-fact cleanup.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity and access are central to governed delegation in AI-enabled IT. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Standing and delegated non-human access creates the main governance risk here. |
| NIST Zero Trust (SP 800-207) | PA-3 | AI-enabled IT depends on continuous verification of access paths across systems. |
Inventory service identities, secret-bearing accounts, and automation tokens before expanding AI workflows.
Key terms
- Delegated Access: Access granted to a person, service, or automation so it can perform a task on behalf of a business process. In identity governance, delegated access must still have a named owner, a clear purpose, and a revocation path, especially when AI or automation accelerates usage.
- Identity Blast Radius: The amount of systems, data, and workflows that can be reached if one identity is misused or over-provisioned. It is a practical measure of how far access weakness can spread, and it grows quickly when IT teams add AI, integrations, and service accounts without tight scoping.
- Lifecycle Ownership: The assignment of responsibility for approving, reviewing, and revoking an identity across its full life. For machine and automation identities, lifecycle ownership is often weaker than for human users, which is why unclear offboarding becomes a recurring source of access drift.
This post draws on content published by JumpCloud: how AI is changing IT from a support function into a growth engine.
Published by the NHIMG editorial team on 2025-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org