TL;DR: Security leaders from Wiz, Rubrik, Noname, and Abnormal discuss the threats targeting their own companies, how they prioritise defensive tools, and why automation is becoming more important amid the cybersecurity skills shortage, according to Abnormal AI. The resource is best read as a signal that operational pressure is driving security teams toward automation and tighter prioritisation, not as a product story.
At a glance
What this is: This on-demand webinar brings together security leaders to discuss the threats, tooling priorities, and automation pressures shaping their own defensive programmes.
Why it matters: It matters to IAM practitioners because the same scarcity, prioritisation, and automation pressures are reshaping governance for human identities, NHIs, and agentic systems.
👉 Watch Abnormal AI's on-demand webinar on security leaders, threats, and automation
Context
The central problem here is governance under pressure: security teams are being forced to defend more surfaces with fewer people, which changes how identity and access decisions get made. In practice, that affects not only human IAM operations but also NHI lifecycle controls and any emerging agentic access model.
The webinar is useful because it shows how senior security leaders think about threat prioritisation when the defensive backlog never ends. That is a familiar pattern for identity teams, where access scope, tool sprawl, and operational drag all compete for attention at once.
Key questions
Q: How should security teams decide which identity controls to automate first?
A: Start with high-volume, repeatable tasks that create delay when handled manually, such as access review routing, entitlement reminders, and offboarding follow-up. Then preserve human approval for exceptional or high-impact access changes. The best candidates are controls that reduce exposure time without removing accountability from the workflow.
Q: Why do security skills shortages affect IAM and NHI governance?
A: Because shortages change how much review and enforcement a team can realistically perform. When staff are stretched, access certifications slip, offboarding is delayed, and exceptions linger longer than intended. That increases the chance that human, machine, or service-account access remains active after the business no longer needs it.
Q: What breaks when security teams rely too heavily on automation?
A: Governance breaks when automation speeds up action without preserving visibility, ownership, and auditability. Teams may still close tickets and process changes, but they lose confidence in why a decision was made and who approved it. That is a control problem, not just an operational one.
Q: Who should own identity decisions when security operations become more automated?
A: Ownership should remain with the control domain that understands the risk, even if execution is automated. IAM, PAM, and security operations each need clear accountability for approvals, exceptions, and review outcomes. Automation should execute policy, not replace policy ownership.
Background and context
Automation in security operations is becoming a governance issue
Automation in this context is not just about efficiency. It becomes a governance layer when teams rely on systems to absorb repetitive defensive work, triage threats, or accelerate response because human capacity is limited. That shift changes who approves, who monitors, and which controls are left to policy rather than direct review. For IAM programmes, the same pressure shows up in access certification, privilege review, and lifecycle tasks that can no longer depend entirely on manual effort.
Practical implication: treat automation as a control plane decision, not only an operations shortcut.
Threat prioritisation is now constrained by identity and skills scarcity
When attack volume keeps rising and staffing does not, security leaders must decide which risks deserve direct human attention and which can be handled through process or tooling. That is especially relevant in identity security because over-privilege, shadow access, and unmanaged machine identities all compete for review time. The result is often uneven governance, where the loudest issue gets attention and the riskiest entitlement remains untouched.
Practical implication: map identity controls to actual operational capacity, not to ideal-state governance models.
Why cybersecurity teams increasingly lean on workflow automation
Workflow automation helps teams standardise repetitive actions such as alert handling, ticket routing, enrichment, and routine access operations. It does not eliminate risk, but it reduces the likelihood that high-volume tasks are delayed or skipped during peak pressure. In identity programmes, that matters because delayed offboarding, late entitlement removal, and manual secret handling all expand exposure windows. The question is not whether automation exists, but whether it is tightly governed enough to avoid creating new blind spots.
Practical implication: automate repeatable identity tasks first, then review where human approval must remain mandatory.
NHI Mgmt Group analysis
Security skills shortages are now an identity governance problem, not just an operations problem. When teams cannot keep up with threat volume, they do not simply work harder. They start changing how access is approved, reviewed, and monitored, which directly affects IAM, PAM, and NHI governance quality. That makes staffing constraints a control risk, not just a resourcing issue. Practitioners should treat capacity as part of the access model.
Automation is becoming the default response to defensive overload, but governance must follow the workflow. If routine security actions move into automation without clear ownership, the organisation can lose visibility into who changed what, when, and on what basis. That is relevant across human identity reviews, machine account operations, and emerging autonomous tooling. The operational win only holds if the governance trail remains intact.
Tool prioritisation is increasingly a blast-radius decision. Security leaders cannot buy or deploy every control at once, so they are forced to decide which identity paths deserve the most scrutiny. In practice, that means prioritising controls that reduce standing access, limit excessive privilege, and shrink the impact of compromised credentials. Practitioners should align tooling decisions to the identities most capable of causing fast, broad damage.
Security teams are signalling a shift toward machine-assisted defence, and identity programmes need to absorb that change. When defensive teams turn to automation under pressure, the same pattern often appears in identity operations, where scale forces standardisation. That does not mean governance becomes optional. It means access review, lifecycle management, and entitlement control must be designed for higher throughput and lower tolerance for manual delay. Practitioners should plan for identity operations that must run at machine speed.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- That gap is why OWASP NHI Top 10 remains a useful reference point for prioritising identity risk across autonomous and machine-led workflows.
What this signals
Automation pressure is no longer confined to SecOps tooling. As teams absorb more tasks into workflow engines and policy-driven systems, identity programmes need clearer ownership boundaries for approval, exception handling, and audit evidence. The practical risk is that speed improves while accountability weakens.
Control debt: the point at which operational shortcuts outpace governance capacity. In identity programmes, that shows up when access reviews, offboarding, and entitlement cleanup are handled faster than the team can verify outcomes. Leaders should use that signal to decide where automation can safely scale and where it must stop.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the broader lesson is clear: security programmes that automate without redesigning identity controls inherit the same fragility at higher speed.
For practitioners
- Review where automation already touches identity operations Identify which access reviews, alert triage steps, onboarding tasks, and entitlement changes are already being automated or are candidates for automation. Document the control owner, approval path, and audit trail for each workflow so security and IAM teams can see where decision-making has shifted away from manual review.
- Prioritise identity controls by operational blast radius Rank human accounts, service accounts, API keys, and emerging AI agent identities by the damage they could cause if misused. Put the highest-scope identities first in policy enforcement, review cycles, and exception handling so limited staff time goes to the largest exposure windows.
- Reduce dependence on manual security chores Automate repetitive work such as ticket enrichment, secret expiry reminders, and offboarding prompts so teams can focus on exceptions and high-risk access. Keep human approval where the business impact is highest, but remove manual steps where they mostly create delay and drift.
Key takeaways
- Security leaders are using automation to absorb defensive overload, which makes governance design part of the operational response.
- Limited staff capacity changes which identity controls get enforced, reviewed, and corrected on time.
- Identity teams should automate repetitive work first, then preserve human control where access decisions create the largest blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Automation and staffing pressure affect governance and risk ownership. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Prioritising access scope is central when defensive capacity is limited. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity lifecycle and secret handling become harder under automation pressure. |
Reduce standing privilege and enforce least privilege where identity blast radius is highest.
Key terms
- Control Debt: The accumulation of governance shortcuts that occur when operational demands outpace a team’s ability to verify, review, and correct identity decisions. It appears when automation, staffing pressure, or process backlog causes access control outcomes to drift away from policy intent.
- Identity Blast Radius: The amount of damage an identity can cause if it is compromised, over-privileged, or misused. For non-human and autonomous actors, blast radius depends on reachable systems, delegated permissions, and how quickly privileges can be revoked or contained.
- Security Workflow Automation: The use of policy-driven tooling to handle repetitive security tasks such as routing alerts, enriching tickets, triggering offboarding, or enforcing routine access steps. In identity programmes, it is useful only when it preserves ownership, evidence, and exception control.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by Abnormal AI: security leaders on threats, tools, and automation. Read the original.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
