TL;DR: Gartner says enterprise product teams using AI tools are seeing a 35% productivity gain and a two to three year time-to-market advantage, which helps explain why Kong is positioning AI as part of its internal operating model. The harder question for identity teams is whether speed gains are outpacing the governance needed to control AI-enabled workflows.
At a glance
What this is: Kong’s commentary on Gartner research linking AI tools to faster product delivery, with the key finding that AI is being used to compress product cycles by roughly 35%.
Why it matters: IAM, NHI, and AI governance teams are being pushed to manage faster-moving systems, where workflow speed can outstrip access review, control validation, and policy enforcement.
By the numbers:
- Companies using AI tools for product management are reaping a significant 35% productivity gain.
Context
The core issue here is not whether AI can speed up product work, but what happens to governance when delivery cycles shorten faster than identity controls adapt. In practice, faster prototyping and AI-assisted workflows change how access, approvals, and accountability are exercised across the toolchain, especially when teams move from static documentation to prompt-driven execution.
For IAM and NHI practitioners, this is a reminder that velocity changes the control environment. When product teams use AI to generate code, validate ideas, and iterate locally, the identity problem shifts toward who or what can invoke tools, make changes, and move work forward without clear human checkpoints.
Kong frames this as internal AI adoption, but the broader pattern is typical across enterprise teams trying to operationalise AI without redesigning governance at the same pace.
Key questions
Q: How should security teams govern AI-assisted product workflows?
A: Security teams should map the entire AI-assisted workflow, from prompt creation to prototype output to downstream system changes, and attach identity controls at each step. That means logging who initiated the action, which tools were used, what access was granted, and when the change left experimentation. The objective is traceability, not just speed.
Q: Why do AI-driven development cycles create identity governance risk?
A: AI-driven development cycles create risk because they increase the number of temporary accounts, ephemeral permissions, and fast-moving changes that do not fit periodic review models. Identity teams lose visibility when access is created, used, and discarded before the next governance checkpoint. That makes lifecycle control and audit logging more important than traditional approval cadence.
Q: What do organisations get wrong about AI productivity in product teams?
A: Organisations often treat AI productivity as a pure engineering gain and ignore the control changes it requires. Faster delivery changes how entitlements are requested, approved, and revoked, and it can hide shadow access paths inside prototyping workflows. Governance has to follow the work, not just the platform.
Q: Who should own governance for prompt-to-prototype workflows?
A: Ownership should sit jointly with product leadership, IAM, and security operations because prompt-to-prototype workflows affect both delivery and control. Product teams define the workflow, but identity teams must define the approval gates, account lifecycle rules, and audit requirements. Without shared ownership, AI adoption outpaces accountability.
Technical breakdown
Prompt-driven product workflows and control compression
Prompt-driven workflows move product work from linear documentation into rapid generate, test, and discard cycles. That changes the security profile because approvals, traceability, and change control become harder to anchor to a single artifact such as a PRD. In identity terms, the system is no longer governed by static request and approval steps alone, but by the controls around who can create, modify, and trigger AI-assisted work. The risk is not the use of AI itself, but the collapse of review points that traditional governance assumes will exist.
Practical implication: map every AI-assisted workflow to the identity checkpoints that still exist, then identify where approvals have been replaced by speed.
AI-generated prototypes and the identity of the builder
When prompts feed directly into prototyping tools, the builder is no longer only a human developer or product manager. The workflow becomes a blend of human intent, machine-generated output, and toolchain execution, which creates a governance problem around provenance and accountability. Teams need to know which actions are attributable to a person, which are machine-generated, and which are automatically propagated into downstream systems. Without that separation, audit trails become descriptive rather than authoritative.
Practical implication: require provenance capture for prompt-to-prototype flows so teams can distinguish human decisions from machine-generated changes.
Why fast iteration increases identity and access review pressure
Fail-fast development reduces the cost of discarding bad ideas, but it also increases the number of transient environments, temporary entitlements, and short-lived tool connections. That pattern is familiar to NHI governance because ephemeral access often escapes normal review cadence. The more often teams spin up tools, credentials, and integrations to support experimentation, the more likely access becomes functionally invisible between formal reviews. The control challenge is not just privilege level, but entitlement churn.
Practical implication: treat AI prototyping environments as high-churn identity estates and review them with the same discipline used for NHI lifecycle controls.
NHI Mgmt Group analysis
AI-driven product velocity creates an identity governance lag. Gartner’s finding is not just a productivity story. It signals that teams are adopting AI faster than they are redesigning the controls that govern access, change approval, and auditability. The practitioner conclusion is that delivery acceleration now has an identity management cost attached to it.
Prompt-to-prototype workflows blur the boundary between human intent and machine action. When prompts become the product spec, the governance question shifts from document control to action control. That matters because IAM and NHI programmes are built to manage defined subjects and stable entitlement states, not rapid conversational workflows that generate code and tool use in near real time. The practitioner conclusion is that provenance becomes part of access governance.
Entitlement churn is the hidden risk behind fail-fast AI adoption. Teams that rebuild, discard, and reissue prototypes at speed tend to create transient access patterns that are hard to review after the fact. This is a governance pattern, not a tooling issue, and it shows up first in temporary accounts, sandbox access, and short-lived integrations. The practitioner conclusion is that lifecycle control must move as quickly as experimentation does.
Fast-moving AI adoption is forcing identity teams to govern the development process, not just the platform. Kong’s internal adoption story reflects a broader market shift where AI is no longer a sidecar but a workflow primitive. That means security leaders must evaluate how product teams use AI, who can authorise those uses, and where approval gates were silently removed. The practitioner conclusion is that governance now starts inside the workflow design phase.
Workflow speed is becoming a control-plane problem for IAM and NHI teams. The more a team treats AI as a production accelerator, the more that access, audit, and provenance controls need to behave like operational infrastructure rather than periodic compliance tasks. This aligns closely with NIST CSF and zero trust thinking, where continuous verification matters more than periodic trust. The practitioner conclusion is to manage speed as an access-risk multiplier.
From our research:
- Only 52% of companies can track and audit the data their AI agents access, according to the AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including unauthorised access, sensitive data sharing, and credential exposure.
- That gap is why teams should also look at the OWASP Agentic AI Top 10 when AI-assisted workflows move from experimentation into production.
What this signals
AI-assisted delivery will force identity teams to move from periodic review to workflow-level governance. When product teams use AI to compress time-to-market, the control question becomes whether access, approval, and traceability still exist at the point of action. The teams that can prove provenance in prompt-driven workflows will be better placed to keep AI adoption inside governance boundaries.
Prompt-to-prototype pipelines are becoming a new identity surface. That surface includes human users, temporary environments, and machine-generated changes that may never pass through traditional change boards in a recognisable form. Identity leaders should expect more pressure to treat experimentation systems as governed estates, not disposable sandboxes.
As AI speeds up product work, lifecycle discipline becomes the difference between controlled iteration and unmanaged sprawl. Use the NHI Lifecycle Management Guide to anchor provisioning, review, and offboarding decisions where temporary access is most likely to be overlooked.
For practitioners
- Inventory AI-assisted product workflows: List every workflow where prompts, generated output, or AI tools can create changes in code, design, or configuration. Tie each workflow to the identities, service accounts, and approvals that make it possible so you can see where governance is missing.
- Separate human approval from machine execution: Require a clear control point before AI-generated output can move from experimentation into shared systems. That should include logging of the originating user, the tool invoked, and the downstream environment touched so audit teams can reconstruct the chain.
- Review transient access as a lifecycle problem: Treat short-lived prototype environments, sandbox tokens, and temporary API access as lifecycle-managed identity assets. Remove anything that survives beyond the experiment and tie offboarding to the end of the test or build cycle, not to a later review.
- Apply continuous governance to AI toolchains: Use policy and monitoring to track who can create, modify, and trigger AI-assisted work across the product stack. The goal is to keep pace with rapid iteration without letting undocumented access paths accumulate in development systems.
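One way to run the provenance and lifecycle checks from this list against an inventory export, as an added example (not code from Kong or NHI Mgmt Group). The record fields, finding names, tool name and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Provenance fields named in the list above: who started it, which tool ran, what it touched.
PROVENANCE_FIELDS = ("originating_user", "tool_invoked", "downstream_env")

def review_transient_access(entitlements, experiments, now):
    """Return sorted (entitlement_id, finding) pairs for provenance and lifecycle gaps."""
    findings = []
    for ent in entitlements:
        for field in PROVENANCE_FIELDS:
            if not ent.get(field):
                findings.append((ent["id"], f"missing_provenance:{field}"))
        exp = ent.get("experiment")
        if exp not in experiments:
            # Access that cannot be tied to a workflow cannot be offboarded with it.
            findings.append((ent["id"], "no_experiment_link"))
            continue
        ended_at = experiments[exp]  # None means the experiment is still running
        if ended_at is None or ended_at > now:
            continue
        revoked_at = ent.get("revoked_at")
        if revoked_at is None:
            findings.append((ent["id"], "active_after_experiment_end"))
        elif revoked_at > ended_at:
            findings.append((ent["id"], "revoked_late"))
    return sorted(findings)

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

def record(id_, experiment, user, revoked_at=None):
    # Helper for the constructed sample records below (hypothetical schema).
    return {"id": id_, "experiment": experiment, "originating_user": user,
            "tool_invoked": "codegen-assistant", "downstream_env": "sandbox-7",
            "revoked_at": revoked_at}

# Constructed sample inventory (not real data).
NOW = utc(2026, 3, 12)
EXPERIMENTS = {"checkout-proto": utc(2026, 3, 10, 17), "search-proto": None}
ENTITLEMENTS = [
    record("tok-001", "checkout-proto", "alice", utc(2026, 3, 10, 17)),  # revoked on time
    record("tok-002", "checkout-proto", "alice"),                         # never revoked
    record("env-003", "search-proto", None),                              # no originating user
    record("tok-004", None, "bob"),                                       # tied to no experiment
    record("tok-005", "checkout-proto", "bob", utc(2026, 3, 11, 9)),     # revoked the next morning
]

if __name__ == "__main__":
    for ent_id, finding in review_transient_access(ENTITLEMENTS, EXPERIMENTS, NOW):
        print(ent_id, finding)
```

Running the check when a build or test cycle closes, rather than at the next periodic review, is what ties offboarding to the end of the experiment.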
Key takeaways
- AI productivity gains are creating a governance gap when teams accelerate delivery without redesigning identity controls.
- The main security issue is not AI-generated output itself but the increase in transient access, reduced traceability, and hidden workflow exceptions.
- IAM teams should treat prompt-to-prototype pipelines as governed identity surfaces and apply lifecycle discipline to every temporary entitlement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | AI-assisted workflows change who can access and trigger product changes. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Continuous verification fits fast-moving AI-enabled development environments. |
| OWASP Agentic AI Top 10 | | Prompt-driven workflows and tool use create agentic risk patterns even outside full autonomy. |
Map AI product workflows to access controls and verify entitlement boundaries continuously.
Key terms
- Prompt-to-prototype workflow: A prompt-to-prototype workflow is a development pattern where AI-generated prompts directly produce working prototypes or code-adjacent outputs. It shortens the path from idea to execution, but also compresses review, provenance, and approval steps that identity teams normally rely on to control change.
- Entitlement churn: Entitlement churn is the rapid creation, modification, and removal of access rights across short-lived systems or workflows. In AI-enabled delivery environments, it often appears as temporary accounts, sandbox permissions, and disposable integrations that escape normal lifecycle oversight if they are not tracked continuously.
- Workflow provenance: Workflow provenance is the evidence trail showing who initiated a process, which tools were used, and what outputs were created or changed. For AI-assisted work, it is essential because it separates human intent from machine-generated action and makes audit and accountability possible.
This post draws on content published by Kong: Gartner Recognizes Kong as a Progressive AI Adopter. Read the original.
Published by the NHIMG editorial team on 2026-03-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org