TL;DR: Demand for identity security is growing across human, non-human and AI identities, while attacks tied to stolen identities and compromised credentials are also rising, according to Permiso Security. The underlying message is that identity inventory, posture, and threat detection are converging into one governance problem.
At a glance
What this is: Permiso Security says it is expanding its leadership team as demand for identity security grows across human, non-human, and AI identities.
Why it matters: For IAM practitioners, this signals that identity governance is increasingly being evaluated as one programme across NHI, AI and human access rather than as separate tooling silos.
Context
Identity security is now being judged by how well it can inventory, govern, and detect risk across every identity type, not just human users. In Permiso Security's case, the article frames growth around a broader enterprise problem: hybrid environments now contain human, non-human, and AI identities that all need lifecycle control and threat visibility.
The practical gap is not awareness of identity risk, but programme fragmentation. When identity inventory, posture management, and identity threat detection sit in separate workflows, security teams lose the ability to see how credentials, service accounts, and AI-linked access combine into one exposure pattern.
Key questions
Q: How should security teams inventory identities across cloud, SaaS, and AI systems?
A: They should use one inventory model that includes human users, NHIs, and AI-linked identities, then map each identity to an owner, purpose, and access boundary. Separate spreadsheets or point tools leave gaps between discovery and governance, which is where privilege drift and credential abuse hide.
Q: Why do non-human identities increase identity security risk in hybrid environments?
A: Non-human identities often persist longer than the workflows that created them, and their access is frequently less visible than human access. In hybrid environments, that creates standing privilege, weak ownership, and delayed offboarding, all of which expand the attack surface for credential abuse and lateral movement.
Q: What do security teams get wrong about identity posture management?
A: They often treat posture as a list of misconfigurations instead of a measure of whether access still matches identity purpose. The better test is whether the identity is still needed, still owned, and still constrained to a valid workload, team, or process.
Q: How should teams respond when AI makes impersonation harder to detect?
A: They should rely more heavily on identity behaviour baselines, entitlement scope, and access path anomalies. When impersonation becomes more convincing, the programme must shift from visual trust in the request to continuous verification of who or what is using the identity.
Technical breakdown
Identity inventory across hybrid environments
Identity inventory is the control plane that tells teams what identities exist, where they live, and what they can reach. In hybrid and multicloud estates, that includes human users, service accounts, API keys, tokens, certificates, and AI-linked identities. The technical issue is not just discovery, but correlation across cloud, SaaS, and infrastructure layers so teams can distinguish active identities from stale or duplicated access. Without that baseline, posture and detection tools are operating on incomplete data and cannot reliably score exposure.
Practical implication: build a complete identity inventory first, then use it as the reference layer for access review and detection.
Identity posture management and privilege drift
Identity posture management is the assessment of whether identities are configured and scoped in line with policy. The core failure mode is privilege drift, where access accumulates faster than governance can reset it. That drift matters most for NHIs because machine access often persists silently, and for AI workflows because access can expand through new integrations before review cycles catch up. A posture engine only works if it can map entitlement scope to identity type and business function, not just record that an account exists.
Practical implication: measure standing privilege against identity purpose, not against account count alone.
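The inventory and posture sections above describe one governance model across identity types and a drift check measured against purpose rather than account count. The following is an added example, not Permiso's or NHIMG's code; the identity records, the scope names and the staleness thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# One record shape for every identity type, so humans, NHIs and AI agents
# are governed by the same model (the "identity fabric" view).
@dataclass
class Identity:
    name: str
    kind: str                  # "human", "service" or "ai_agent"
    owner: Optional[str]       # accountable person or team; None = unowned
    purpose_scope: set         # entitlements the stated purpose justifies
    entitlements: set          # what the identity can actually reach today
    last_used: date
    workload_active: bool      # does the workflow that created it still exist?

# Assumed staleness thresholds per identity type (days since last use).
STALE_DAYS = {"human": 90, "service": 30, "ai_agent": 14}

def assess(identity: Identity, today: date) -> list:
    """Posture findings for one identity; drift is judged against purpose."""
    findings = []
    if not identity.owner:
        findings.append("unowned")
    if not identity.workload_active:
        findings.append("orphaned")            # standing privilege, no workload
    if (today - identity.last_used).days > STALE_DAYS[identity.kind]:
        findings.append("stale")
    excess = identity.entitlements - identity.purpose_scope
    if excess:                                 # privilege drift beyond purpose
        findings.append("excess_scope:" + ",".join(sorted(excess)))
    return findings

def posture_report(inventory: list, today: date) -> dict:
    """Map each identity name to its findings; empty list means in posture."""
    return {i.name: assess(i, today) for i in inventory}

# Constructed sample inventory (not real identities).
INVENTORY = [
    Identity("alice", "human", "alice", {"crm:read"}, {"crm:read"},
             date(2025, 7, 30), True),
    Identity("svc-etl", "service", None, {"s3:read", "db:read"},
             {"s3:read", "db:read", "s3:write"}, date(2025, 7, 25), False),
    Identity("agent-triage", "ai_agent", "secops", {"tickets:read"},
             {"tickets:read", "iam:admin"}, date(2025, 7, 1), True),
]

if __name__ == "__main__":
    for name, findings in posture_report(INVENTORY, date(2025, 7, 31)).items():
        print(name, findings or "ok")
```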
Identity threat detection in credential-abuse chains
Identity threat detection looks for misuse patterns such as impossible travel, unusual token use, credential replay, and access from unfamiliar execution paths. In current enterprise attacks, the identity layer is often the first reliable signal because threat actors increasingly enter through stolen credentials rather than malware. For NHIs and AI-associated identities, the detection challenge is separating legitimate automated behaviour from abuse that looks operationally normal. That means detections must be identity-aware, context-aware, and tied to expected privilege boundaries.
Practical implication: tune detection rules to identity behaviour baselines, especially for service accounts and AI-linked access.
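As an added illustration of the identity-aware detection described above (not code from Permiso or NHIMG), the block below builds a per-identity behaviour baseline from a learning window and then flags unfamiliar execution paths, out-of-baseline actions and a token reused from two paths within a short window. The event format, identity names and sources are constructed.

```python
import json
from collections import defaultdict

# Constructed JSON auth events (not real telemetry). BASELINE is the known-good
# learning window; CANDIDATES are the events to triage against it.
BASELINE = [
    '{"ts": 100, "identity": "svc-etl", "source": "k8s:prod/etl", "token": "t1", "action": "s3:GetObject"}',
    '{"ts": 160, "identity": "svc-etl", "source": "k8s:prod/etl", "token": "t1", "action": "db:Select"}',
    '{"ts": 200, "identity": "agent-triage", "source": "agent-runtime/eu", "token": "t7", "action": "tickets:Read"}',
]
CANDIDATES = [
    '{"ts": 300, "identity": "svc-etl", "source": "k8s:prod/etl", "token": "t1", "action": "s3:GetObject"}',
    '{"ts": 305, "identity": "svc-etl", "source": "vpn:user-laptop", "token": "t1", "action": "s3:GetObject"}',
    '{"ts": 400, "identity": "agent-triage", "source": "agent-runtime/eu", "token": "t7", "action": "iam:CreateAccessKey"}',
]

def build_baseline(lines):
    """Per identity: execution paths and actions observed in the learning window."""
    base = defaultdict(lambda: {"sources": set(), "actions": set()})
    for line in lines:
        e = json.loads(line)
        base[e["identity"]]["sources"].add(e["source"])
        base[e["identity"]]["actions"].add(e["action"])
    return base

def detect(lines, base, replay_window=60):
    """Return (ts, identity, reason) alerts; expected automation stays silent."""
    alerts = []
    last_seen = {}  # token -> (ts, source), for reuse across paths
    for line in lines:
        e = json.loads(line)
        b = base.get(e["identity"])
        if b is None:
            alerts.append((e["ts"], e["identity"], "unknown_identity"))
            continue
        if e["source"] not in b["sources"]:
            alerts.append((e["ts"], e["identity"], "unfamiliar_path:" + e["source"]))
        if e["action"] not in b["actions"]:
            alerts.append((e["ts"], e["identity"], "out_of_baseline_action:" + e["action"]))
        prev = last_seen.get(e["token"])
        if prev and prev[1] != e["source"] and e["ts"] - prev[0] <= replay_window:
            alerts.append((e["ts"], e["identity"], "token_reuse_across_paths"))
        last_seen[e["token"]] = (e["ts"], e["source"])
    return alerts

if __name__ == "__main__":
    for alert in detect(CANDIDATES, build_baseline(BASELINE)):
        print(alert)
```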
Threat narrative
Attacker objective: The attacker seeks durable access that can be used to disrupt systems, extract value, or pressure the organisation through impersonation and credential abuse.
- Entry begins with stolen identities or compromised credentials, which lets attackers authenticate as a legitimate identity rather than forcing a noisy exploit path.
- Escalation follows when the attacker uses that trusted access to move through cloud, SaaS, or hybrid systems and their data with little resistance from controls built for user logins.
- Impact arrives as system disruption, data access, or ransom pressure, with AI-driven impersonation making fraudulent activity harder to distinguish from normal identity use.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security is being reorganised around the full identity fabric, not individual identity silos. The article reflects a market reality that human IAM, NHI governance, and AI identity controls are converging into one operating problem. Security teams are no longer being asked to secure separate identity classes in isolation; they are being asked to understand how access, posture, and detection interact across all of them. The practitioner conclusion is that programme design now needs a single identity control model with differentiated treatment by actor type.
Identity inventory is becoming the prerequisite for every other control. If a team cannot reliably enumerate identities across cloud and SaaS, it cannot govern posture or detect misuse with confidence. This is especially true for NHIs, where unmanaged accounts and tokens often outlive the workflows that created them. The implication is that discovery is no longer a hygiene task at the edge of the programme; it is the foundation of identity governance.
AI makes impersonation more convincing, which raises the value of identity-layer detection. As the article notes, AI can make deception harder to spot, but that does not change the control logic. It does increase the need for behavioural baselines that distinguish expected automation from suspicious access paths. The practitioner conclusion is to treat identity telemetry as a core detection source, not as an auxiliary signal.
Privilege scope, not account volume, is the real exposure metric. The article talks about helping teams inventory and secure their entire identity fabric, and that is the right framing. Large identity populations are a problem only when entitlement scope grows faster than lifecycle governance. The practitioner conclusion is to focus on where access persists, who can reuse it, and which identities have drifted beyond their original purpose.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
- With that gap in mind, the case for tighter identity governance now extends beyond static credentials into AI agent controls and lifecycle discipline, a pattern explored in Ultimate Guide to NHIs.
What this signals
Identity programmes are moving from account administration to identity fabric management. That shift means teams will be judged on whether they can connect discovery, posture, and threat detection across the same estate, not whether they can report on each discipline separately. The organisations that treat human IAM, NHI governance, and AI-linked access as one control surface will have a clearer path to reducing exposure.
With 70% of organisations already granting AI systems more access than human employees in equivalent roles, per the 2026 Infrastructure Identity Survey, the access model itself is drifting away from human-era assumptions. That means practitioners should expect more entitlement exceptions, more owner ambiguity, and more pressure on governance workflows that were designed around employees rather than machine actors. The programme response is to re-baseline access policy around identity type and execution context.
Identity telemetry is becoming a board-relevant signal because impersonation now blends into normal operations. As AI increases the realism of fraudulent access behaviour, security leaders need sharper distinctions between expected automation and abuse patterns. That makes identity behaviour analytics and access lineage part of resilience planning, not just IAM operations.
For practitioners
- Unify identity discovery across all identity types: create one inventory that covers human users, service accounts, API keys, tokens, certificates, and AI-linked identities across cloud and SaaS. Use that inventory as the source of truth for review and detection.
- Measure standing privilege against identity purpose: review entitlements by why the identity exists and what system it should reach. Flag identities whose access no longer matches current function, ownership, or environment.
- Tune detections for identity behaviour baselines: build alerts around unusual token use, abnormal authentication paths, and access patterns that differ from normal automation. Separate expected machine behaviour from suspicious identity reuse.
- Collapse identity and threat operations into one workflow: route inventory findings, posture drift, and identity threat alerts into a single triage path so entitlement issues are evaluated alongside active misuse signals.
Key takeaways
- Permiso's leadership changes reflect a broader market shift toward unified identity security across human, non-human, and AI identities.
- The operational problem is no longer just account creation or access review, but whether identity inventory, posture, and detection are connected well enough to catch drift and abuse.
- For practitioners, the priority is to build one identity fabric view that can support ownership, entitlement control, and identity-aware threat detection.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity inventory and ownership are central to the post's governance theme. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and entitlement scope are the core governance issue here. |
| NIST AI RMF | GOVERN and MAP functions | AI-linked identities raise governance and monitoring requirements beyond human IAM; apply GOVERN and MAP to define accountability for AI-linked access and behaviour. |
Key terms
- Identity Fabric: The combined set of identities, entitlements, ownership, and telemetry that a security team must govern as one environment. It spans human, non-human, and AI-linked identities, letting practitioners connect discovery, access, posture, and detection instead of managing each in separate tools or teams.
- Identity Posture Management: The practice of measuring whether identities are configured and scoped according to policy, purpose, and ownership. It focuses on entitlement drift, excessive access, stale credentials, and misaligned permissions, especially where machine and AI identities can accumulate access silently over time.
- Identity Threat Detection: The detection of suspicious identity behaviour such as unusual token use, abnormal authentication paths, and access that departs from known baselines. It is identity-aware monitoring that helps distinguish legitimate automation from compromised or abused credentials across hybrid environments.
- Standing Privilege: Access that remains active after the need for it has passed, creating a persistent exposure window. In identity programmes, standing privilege is especially risky for non-human identities because it can survive long after the workload, integration, or owner that justified it has changed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Permiso Security: Permiso builds leadership team for next stage of growth as demand builds for identity security protection. Read the original.
Published by the NHIMG editorial team on 2025-07-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org