TL;DR: NIST IR 8596 frames AI security around inventories, accountability, permissions, and continuous risk review because AI systems now act inside business and security workflows, according to ConductorOne. The key shift is that identity governance, not just model oversight, becomes the control plane for autonomous and agentic behaviour.
At a glance
What this is: NIST’s preliminary Cyber AI Profile says AI security starts with identity governance, ownership, and control over what systems, agents, and service accounts can do.
Why it matters: IAM, NHI, and security teams need to treat AI actions like governed access events because permission scope, accountability, and revocation now determine whether AI is safe to operate.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read ConductorOne’s analysis of NIST’s Cyber AI Profile and AI identity governance
Context
NIST’s Cyber AI Profile is a practical signal that AI security is no longer just about model safety or data protection. The real issue is identity: who or what can act, which permissions it holds, and how those permissions are governed when AI systems are embedded in business operations, security tooling, and decision-making workflows.
That matters because AI systems increasingly behave like governed actors rather than passive software. For identity teams, the question shifts from whether the system is intelligent to whether its access is visible, bounded, and revocable before it can affect production systems or security outcomes.
Key questions
Q: How should organisations govern AI systems that can take actions, not just make recommendations?
A: Treat any AI system that can trigger tools, update records, or influence production as a governed identity. Give it a named owner, tightly scoped permissions, explicit approval rules for sensitive actions, and continuous logging. If the system can act independently, standard model review is not enough on its own.
Q: Why do AI systems create identity risk beyond traditional software?
A: AI systems can combine multiple permissions across models, APIs, service accounts, and integrations, which makes their access path harder to see and revoke. The risk is not just the model’s behaviour. It is the delegated identity chain that allows the model to reach sensitive data or operational controls.
Q: How do security teams know if AI access is properly governed?
A: Look for clear ownership, auditable action logs, least-privilege permissions, and a revocation process that works when the AI’s role changes. If an AI system can keep access after its business need has changed, governance is incomplete. Continuous review is the strongest indicator that control is actually working.
Q: What frameworks should teams use to align AI security with identity controls?
A: Use NIST CSF 2.0 for governance structure, NIST IR 8596 for AI-specific cyber risk, and NIST AI RMF for broader accountability and trust considerations. If the AI system relies on service accounts or delegated credentials, add NHI controls so permissions, revocation, and monitoring stay in scope.
Technical breakdown
AI system identities and permissions
The profile treats AI systems as security-relevant actors because they sit behind models, APIs, datasets, integrations, and service accounts. In practice, this means the risk surface is not the model alone but the identity chain that lets the model retrieve data, call tools, and affect downstream systems. Once AI is integrated into workflows, privilege becomes distributed across multiple control points, including human approvers, machine credentials, and orchestration layers. That is why the article repeatedly returns to ownership, access boundaries, and re-evaluation of risk as the governing problem.
Practical implication: map every AI workflow to the identities and permissions that make it operational.
Governed AI actions versus ungoverned automation
NIST’s guidance draws a line between AI that recommends and AI that acts. When a system can initiate changes, trigger tools, or influence production outcomes, traditional review models become too slow unless approvals, logging, and limits are built into the action path. The security issue is not AI sophistication alone, but the moment AI crosses into execution. At that point, authorisation, accountability, and auditable decision paths matter more than model accuracy.
Practical implication: require approval and logging for AI actions that can change systems or data.
Continuous identity governance for adaptive AI
The profile reflects a shift from static access review to continuous governance because AI systems evolve, learn, and interact with changing data and tooling. That makes periodic certification insufficient on its own. Security teams need to treat permissions, service accounts, and policy boundaries as living controls that must be re-evaluated as the AI environment changes. In identity terms, this is a control-plane problem, not a one-time provisioning problem.
Practical implication: build continuous review into AI access and entitlement management rather than annual recertification alone.
Threat narrative
Attacker objective: The attacker aims to use AI-enabled access and automation to scale abuse, accelerate operations, and reach production systems before defenders can contain the activity.
- Entry occurs when AI systems are embedded into products, internal tools, and third-party services that already have access to enterprise data and workflows.
- Escalation happens when those systems are allowed to act autonomously or through service accounts without tight limits on tool use, approvals, or scope changes.
- Impact follows when compromised credentials, excessive permissions, or unchecked AI actions let attackers scale phishing, reconnaissance, or production misuse faster than human review can respond.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI security is now an identity governance problem, not a model-only problem. NIST’s profile is valuable because it treats permissions, ownership, and revocation as core AI security controls. That aligns with how modern enterprises actually deploy AI, through agents, APIs, service accounts, and third-party integrations. The implication is that IAM and NHI teams are now part of AI security architecture, not downstream consumers of it.
AI system identities need lifecycle governance, not just point-in-time approval. Once AI is tied to live workflows, access can outlast the business case that created it unless ownership, revocation, and scope reviews are continuous. That is a lifecycle problem across machine identity, delegated access, and human accountability. Practitioners should treat AI identity sprawl as an entitlement management issue with operational consequences.
Identity blast radius: the real risk is not whether AI can think, but how far its access can reach when it acts. NIST’s focus on visibility into actions before production impact points to a broader governance truth: every new AI integration expands the possible blast radius of a credential, token, or delegated permission. The practitioner implication is simple: if the access path is unclear, the risk boundary is already broken.
Autonomous behaviour collapses assumptions that static review cycles depend on. Access review is designed for access that persists long enough to be observed, certified, and removed. That assumption fails when AI systems initiate actions dynamically and can change tool use or execution timing within the same operational session. The implication is that identity governance for autonomous behaviour cannot be built on the expectation of stable, reviewable access states.
The market signal is moving from AI adoption to AI governance. NIST’s profile confirms that the next phase of enterprise AI is not about whether organisations will use AI, but whether they can control it with the same discipline they apply to other privileged actors. That shift validates stronger controls around service accounts, delegated permissions, and auditable action paths. Practitioners should expect scrutiny to move from capability to governability.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- That is why practitioners should also review Top 10 NHI Issues for the governance gaps that most often surface when AI and machine identities scale.
What this signals
Identity visibility is the first AI governance bottleneck. Once AI is wired into business processes, security teams cannot govern what they cannot inventory, and service account opacity becomes a direct control failure. The practical signal is that AI programmes will inherit the same visibility problems already seen in machine identity estates, only at higher speed.
Identity blast radius will become the most useful operational concept for AI governance. If a model, agent, or delegated workflow can reach too many systems through one credential chain, the issue is no longer model quality but access geometry. Practitioners should measure how far each AI identity can move before containment is lost.
AI security programmes should now be built with the same discipline used for privileged access, not treated as experimental overlays. When AI actions are auditable, bounded, and revocable, the programme can scale; when they are not, the risk boundary is already too loose.
For practitioners
- Map AI workflows to real identities: Inventory every model, agent, API, service account, and third-party integration that can initiate or influence action. Tie each one to an accountable owner, a permission set, and a revocation path so the AI system is governed as an identity-bearing actor, not an abstract feature.
- Bound AI actions before production impact: Define which AI actions require approval, which need logging, and which are prohibited entirely. If the system can touch data, trigger tools, or change configuration, enforce a control path that prevents unreviewed production effects.
- Move from periodic review to continuous re-evaluation: Treat AI permissions as dynamic entitlements that must be reassessed as models, prompts, tools, and integrations change. Use continuous monitoring to detect scope drift, unused access, and overbroad delegated permissions before they become operational risk.
- Apply least privilege to AI access chains: Reduce access at every layer of the AI stack, including service accounts, API keys, and downstream tool permissions. The goal is not only to limit the AI system itself, but to constrain the full delegation chain that lets it act.
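The four practitioner steps above, together with the delegated access chain, blast radius, and approval-path ideas from the Technical breakdown, can be expressed as a small governance check. The following is an added example written for this post; it is not code from NIST, ConductorOne, or NHI Mgmt Group. Every identity, permission string, owner name, review window, and policy set in it is constructed sample data, and the "system:verb" permission format is an assumption chosen for illustration.

```python
"""Toy AI identity governance checker (added example, constructed data).

Models the controls the post describes: an inventory of AI-related identities,
the delegated access chain behind each agent, the blast radius that chain can
reach, governance findings (owner, revocation, review age), and an
approval-gated action path that writes an audit log.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Identity:
    name: str
    kind: str                        # "human", "agent", "service_account", "api_key"
    owner: Optional[str]             # accountable person; None means ungoverned
    permissions: set = field(default_factory=set)    # "system:verb" strings (assumed format)
    delegates_to: list = field(default_factory=list) # credentials this identity can use
    revocable: bool = True           # a working revocation path exists
    last_reviewed: Optional[date] = None

# Constructed inventory: an AI agent that acts through a service account and an
# orphaned API key. None of these are real systems.
INVENTORY = {
    "support-agent": Identity("support-agent", "agent", "alice", {"tickets:read"},
                              ["crm-svc", "deploy-key"], True, date(2025, 12, 1)),
    "crm-svc": Identity("crm-svc", "service_account", "alice",
                        {"crm:read", "crm:write"}, [], True, date(2025, 6, 1)),
    "deploy-key": Identity("deploy-key", "api_key", None,
                           {"prod:deploy", "prod:config_write"}, [], False, None),
}

def access_chain(inv, name):
    """Transitive closure of the delegated access chain starting at `name`."""
    seen, stack = [], [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.append(cur)
        stack.extend(inv[cur].delegates_to)
    return seen

def blast_radius(inv, name):
    """Every permission reachable through the chain: how far the identity can act."""
    perms = set()
    for n in access_chain(inv, name):
        perms |= inv[n].permissions
    return perms

def governance_findings(inv, today, max_review_age_days=90):
    """Flag ownerless, non-revocable, or stale identities and agents whose chain reaches prod."""
    findings = []
    for n, ident in inv.items():
        if ident.owner is None:
            findings.append((n, "no accountable owner"))
        if not ident.revocable:
            findings.append((n, "no revocation path"))
        if ident.last_reviewed is None or (today - ident.last_reviewed).days > max_review_age_days:
            findings.append((n, "review overdue"))
    for n, ident in inv.items():
        if ident.kind == "agent":
            prod = {p for p in blast_radius(inv, n) if p.startswith("prod:")}
            if prod:
                findings.append((n, "reaches production via chain: " + ", ".join(sorted(prod))))
    return findings

# Action policy (constructed): prohibited actions never run; listed actions need a named human approver.
PROHIBITED = {"prod:config_write"}
NEEDS_APPROVAL = {"crm:write", "prod:deploy"}
AUDIT_LOG = []

def authorize_action(inv, actor, action, approver=None):
    """Decide whether `actor` may perform `action`; every decision is logged."""
    reach = blast_radius(inv, actor)
    if action in PROHIBITED:
        decision = "denied: prohibited"
    elif action not in reach:
        decision = "denied: not in access chain"
    elif action in NEEDS_APPROVAL and approver is None:
        decision = "denied: approval required"
    else:
        decision = "allowed"
    AUDIT_LOG.append({"actor": actor, "action": action, "approver": approver, "decision": decision})
    return decision

if __name__ == "__main__":
    for finding in governance_findings(INVENTORY, date(2026, 1, 13)):
        print("FINDING", *finding)
    print(authorize_action(INVENTORY, "support-agent", "prod:deploy"))
    print(authorize_action(INVENTORY, "support-agent", "prod:deploy", approver="bob"))
```

The point of the example is that the agent itself holds only `tickets:read`, yet its blast radius includes production deployment because of the unowned, non-revocable API key two links down the chain; the governance findings surface that chain before any action runs, and the action path refuses unapproved or prohibited actions while still recording each attempt for review.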
Key takeaways
- NIST’s Cyber AI Profile makes identity governance central to AI security because permissions, ownership, and revocation determine whether AI can act safely.
- The operational risk is not only model behaviour, but the access chain behind models, agents, APIs, and service accounts.
- Security teams should move from static AI approvals to continuous entitlement control, with least privilege and auditable action paths as baseline requirements.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | | The article centers AI governance, accountability, and trustworthy operation. |
| NIST CSF 2.0 | PR.AC-4 | Identity and access permissions are the core control theme throughout the post. |
| OWASP Agentic AI Top 10 | | The post addresses agentic behaviour, tool use, and autonomous action boundaries. |
Assess AI agents for tool misuse, scope drift, and approval bypass before deployment.
Key terms
- AI system identity: The set of credentials, permissions, ownership, and control paths that allow an AI system to act inside an enterprise. It is not the model itself. It is the governed identity layer that determines what the AI can access, what it can change, and who is accountable for those actions.
- Identity blast radius: The amount of damage that can occur when one identity is compromised or over-privileged. For AI and machine identities, blast radius expands when a single credential can reach multiple tools, systems, or datasets. It is a practical measure of how far access can travel before containment fails.
- Delegated access chain: The sequence of identities and permissions that lets one actor act through another, such as a human user, service account, API, or AI agent. Risk rises when any link in the chain is overbroad, poorly owned, or hard to revoke. The chain matters more than any single credential.
- Continuous entitlement review: An ongoing process for checking whether access is still needed, still scoped correctly, and still tied to a valid business purpose. In AI environments, this must happen as systems change, not just on a calendar. Static review cycles miss fast-moving permission drift and can leave stale access in place.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by ConductorOne: NIST’s New Cyber AI Profile Signals a Shift: AI Security Starts With Identity. Read the original.
Published by the NHIMG editorial team on 2026-01-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org