TL;DR: Cross-border AI adoption is diverging on culture, regulation, and security expectations, with the U.S. moving faster on deployment while the U.K. and Europe impose tighter controls around data use, human judgment, and access governance, according to ConductorOne. The key lesson is that identity programmes cannot treat AI governance, JIT access, and contractor entitlements as interchangeable policy settings across regions.
At a glance
What this is: An analysis of how U.S. and U.K. operating norms shape AI governance, security expectations, and identity decisions.
Why it matters: IAM teams must align access models, human oversight, and contractor governance to the regulatory and cultural context in which AI is used.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read ConductorOne's discussion of U.S. and U.K. perspectives on AI and security
Context
AI governance does not land evenly across markets. In the U.S., organisations tend to move quickly and accept more operational latitude, while the U.K. and Europe place more weight on data protection, human review, and explicit accountability.
For IAM and security teams, that difference matters because access models often mirror local norms. When AI use spreads across regions, programme owners must decide whether identity controls, contractor oversight, and approval paths are being designed for speed or for governed use.
The practical tension is familiar to identity teams: automation can accelerate adoption, but the governance burden does not disappear. It shifts into access review, entitlement design, and the handling of third-party and workforce data in environments where expectations are not uniform.
Key questions
Q: How should security teams implement just-in-time access for AI-related work?
A: Start by tying each privilege grant to a specific task, identity, and expiry condition. Use approval workflows for high-risk access, keep the default state non-persistent, and review whether the request can be satisfied through narrower data or tool permissions. The goal is to prevent standing access from becoming the normal way AI-enabled work is done.
Q: Why do contractor identities create more governance risk than many teams assume?
A: Contractor identities often reach the same systems as employees but are governed with weaker lifecycle controls. That creates risk when access outlives the business relationship, when reviews are infrequent, or when ownership is unclear. The practical issue is not contractor status itself, but whether offboarding and recertification are enforced with the same discipline as workforce accounts.
Q: What breaks when AI adoption outpaces identity governance?
A: Standing permissions, unclear approval paths, and inconsistent regional policy handling start to fail at scale. Teams may assume they can add AI on top of existing IAM, but the result is often more access sprawl, weaker accountability, and controls that do not reflect how work is actually performed across jurisdictions.
Q: Who is accountable when AI output affects employees or personal data?
A: The organisation remains accountable, but the control chain must include a named human decision maker, clear records, and a review path that survives audit. In regulated environments, AI cannot be allowed to operate as an unowned layer between the request and the decision. Human oversight is part of the governance model, not a cosmetic add-on.
Technical breakdown
JIT access and the end of birthright permissions
Just-in-time access provisioned for a specific task removes the assumption that people or systems should retain standing access simply because they need it occasionally. In identity programmes built around birthright permissions, broad access accumulates faster than teams can justify it. The article points to dynamic access control as the answer to long-lived entitlements, which is especially relevant when AI adoption creates more transient, high-risk workflows. In practice, the issue is not whether access is granted, but whether it is still defensible after the task is complete.
Practical implication: move high-risk entitlements into task-scoped approval and expiration paths instead of leaving them persistent.
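The grant model described in the JIT question above and in this section (task linkage, expiry, approval for high-risk access, non-persistent default) reduces to a small set of checks. The following is an added example written for this page; it is not ConductorOne's or NHIMG's code. The resource names, the four-hour ceiling, the in-memory store and the approver field are hypothetical; a production deployment would take the risk tier from a data classification and the approvals from a ticketing or access-request system. The `standing_privileges` and `expired` methods answer the question the section ends on: which grants are no longer defensible after the task is complete.

```python
"""Task-scoped just-in-time (JIT) grant model.

Added example for this page; not ConductorOne's or NHIMG's code.
Hypothetical assumptions: an in-memory grant store, a fixed set of
high-risk resource names, and approvals recorded as the approver's id.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed resource names; in practice the tier comes from a data classification.
HIGH_RISK = {"prod-db", "hr-records", "model-registry"}


@dataclass
class Grant:
    principal: str
    resource: str
    task_id: Optional[str]          # None models an untracked birthright grant
    granted_at: datetime
    expires_at: Optional[datetime]  # None models standing privilege
    approved_by: Optional[str] = None


class JitStore:
    """Every grant carries a task, an expiry and (for high-risk resources) an approver."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)):
        self.max_ttl = max_ttl
        self.grants: list[Grant] = []

    def request(self, principal: str, resource: str, task_id: str,
                ttl: timedelta, now: datetime,
                approved_by: Optional[str] = None) -> Grant:
        """Issue a time-boxed grant, or refuse when the request is not defensible."""
        if not task_id:
            raise ValueError("every grant must be linked to a task or ticket")
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            raise ValueError(f"ttl must be between 0 and {self.max_ttl}")
        if resource in HIGH_RISK and approved_by is None:
            raise PermissionError(f"{resource} is high-risk: an approver is required")
        if approved_by == principal:
            raise PermissionError("self-approval is not allowed")
        grant = Grant(principal, resource, task_id, now, now + ttl, approved_by)
        self.grants.append(grant)
        return grant

    def check(self, principal: str, resource: str, now: datetime) -> bool:
        """Access holds only while an unexpired grant exists.

        Legacy standing grants (expires_at is None) still pass until remediated,
        which is exactly why standing_privileges() exists.
        """
        return any(g.principal == principal and g.resource == resource
                   and (g.expires_at is None or now < g.expires_at)
                   for g in self.grants)

    def import_legacy(self, principal: str, resource: str, now: datetime) -> Grant:
        """Record an existing birthright entitlement so it can be found and remediated."""
        grant = Grant(principal, resource, None, now, None)
        self.grants.append(grant)
        return grant

    def standing_privileges(self) -> list[Grant]:
        """Grants with no expiry or no task: the residue a recertification should target."""
        return [g for g in self.grants if g.expires_at is None or g.task_id is None]

    def expired(self, now: datetime) -> list[Grant]:
        """Grants whose task window has closed; candidates for pruning from the store."""
        return [g for g in self.grants if g.expires_at is not None and now >= g.expires_at]


if __name__ == "__main__":
    now = datetime(2025, 7, 24, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    store = JitStore()
    store.request("alice", "prod-db", "CHG-1042", timedelta(hours=1), now, approved_by="bob")
    store.import_legacy("svc-reporting", "prod-db", now)
    print("alice now:", store.check("alice", "prod-db", now))
    print("alice +2h:", store.check("alice", "prod-db", now + timedelta(hours=2)))
    print("standing:", [g.principal for g in store.standing_privileges()])
```

The design choice worth noting is that `check` deliberately honours legacy standing grants rather than breaking them on import: the migration away from birthright access is driven by the `standing_privileges` report feeding a recertification cycle, not by an outage.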
Why contractor access becomes a security boundary problem
Third-party contractors often sit inside the trusted zone without being governed like employees, even though they can reach the same systems and data. That creates a boundary problem: the organisation inherits their access paths but may not own their lifecycle controls. In the article, contractor-driven compromise is used as a real-world example of how long-standing access can become an entry point. The technical lesson is that third-party identity is not a separate issue from core IAM. It is a direct extension of the enterprise trust boundary.
Practical implication: treat contractor identities as first-class governed accounts with explicit offboarding, review, and segmentation controls.
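The contractor question above, this section, and the practitioner item on contractor lifecycle all come down to one reconciliation: join the record that justifies the access (the engagement) against the record that grants it (the directory) and flag every mismatch. The following is an added example written for this page, not from the ConductorOne article or NHIMG's tooling. The two CSV exports, their column names and the 90-day review window are constructed and hypothetical; real inputs would come from the vendor-management system and the IdP.

```python
"""Contractor access lifecycle reconciliation.

Added example for this page; not from the ConductorOne article or NHIMG's tooling.
Joins a constructed vendor-management export (engagement end, named owner) against a
constructed directory export (enabled accounts, last access review) and reports the
three failure modes: access that outlived the engagement, accounts with no owner,
and reviews that are overdue. Column names are hypothetical.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample data, not real accounts or vendors.
CONTRACTS_CSV = """account,vendor,owner,engagement_end
c-alice,AcmeConsulting,j.doe,2025-06-30
c-bob,AcmeConsulting,,2025-12-31
c-carol,DataWorks,m.lee,2025-09-15
"""

DIRECTORY_CSV = """account,enabled,last_review,groups
c-alice,true,2025-01-10,prod-readers;hr-readers
c-bob,true,2025-05-02,prod-admins
c-carol,true,2025-07-01,model-registry
c-dave,true,2024-11-20,prod-readers
"""

OUTLIVED = "access outlived engagement"
NO_OWNER = "no named owner"
REVIEW_OVERDUE = "access review overdue"
ORPHAN = "enabled account with no contract record"


def _by_account(text: str) -> dict[str, dict[str, str]]:
    return {row["account"]: row for row in csv.DictReader(StringIO(text))}


def reconcile(contracts_csv: str, directory_csv: str, today: date,
              review_window: timedelta = timedelta(days=90)) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for every enabled contractor account that fails a check."""
    contracts = _by_account(contracts_csv)
    directory = _by_account(directory_csv)
    findings: list[tuple[str, str]] = []
    for account, entry in directory.items():
        if entry["enabled"].strip().lower() != "true":
            continue                              # disabled accounts are out of scope here
        contract = contracts.get(account)
        if contract is None:
            findings.append((account, ORPHAN))   # nobody can say what justifies this access
            continue
        if date.fromisoformat(contract["engagement_end"]) < today:
            findings.append((account, OUTLIVED))
        if not contract["owner"].strip():
            findings.append((account, NO_OWNER))
        if today - date.fromisoformat(entry["last_review"]) > review_window:
            findings.append((account, REVIEW_OVERDUE))
    return findings


def revocation_candidates(findings: list[tuple[str, str]]) -> list[str]:
    """Accounts to disable now: enabled access with no live engagement behind it."""
    return sorted({account for account, finding in findings if finding in (OUTLIVED, ORPHAN)})


if __name__ == "__main__":
    today = date(2025, 7, 24)   # constructed reference date
    for account, finding in reconcile(CONTRACTS_CSV, DIRECTORY_CSV, today):
        print(f"{account}: {finding}")
    print("disable:", revocation_candidates(reconcile(CONTRACTS_CSV, DIRECTORY_CSV, today)))
```

Run against the sample data on the reference date, the script flags `c-alice` (engagement ended, review overdue), `c-bob` (no owner) and `c-dave` (enabled with no contract at all), while `c-carol` is clean. The orphan case is the one most teams miss: an account that no contract record can explain is not a data-quality issue, it is unowned access and belongs on the revocation list with the expired engagements.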
Human judgment as an access and data governance control
The article’s reference to the right to human judgment highlights a deeper governance point. When AI output affects people, the control problem is not only model accuracy, but whether decisions, records, and workflows preserve a reviewable human path. That same principle carries into identity governance: systems need clear ownership, accountable decision points, and traceable handling of employee data. In regulated environments, human review is not a courtesy layer. It is part of the control architecture.
Practical implication: map AI-assisted people workflows to explicit human approval and audit checkpoints before they become production dependencies.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — an exposed database leaked 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI governance is becoming a regional identity problem, not just a model-risk problem. The article shows that adoption speed, regulatory tolerance, and security expectations differ sharply between the U.S. and the U.K. That means the same AI capability can demand different entitlement models, approval chains, and oversight controls depending on where it is deployed. Practitioners should stop treating governance as a global template and start treating it as a jurisdiction-specific identity control problem.
Just-in-time access is the right answer to a birthright access failure mode. Long-lived entitlements create an identity blast radius that grows faster than review cycles can shrink it. The piece’s focus on dynamic access control reinforces a simple point: static permissions are poorly matched to temporary work, especially when AI increases the number of short-duration, high-impact requests. The implication is to redesign access for task scope, not organisational convenience.
Third-party access without lifecycle discipline remains one of the most reliable paths into enterprise systems. The article’s contractor examples fit the same failure pattern seen across NHI and human IAM programmes: access outlives the relationship that justified it. That is not a tooling problem alone. It is a governance failure where onboarding is easier than offboarding and access review is not tied tightly enough to actual business need.
Human judgment is not an optional overlay in AI governance; it is the control that keeps automated output accountable. European expectations around disclosure, deletion, and review of AI-influenced people data show that organisations must preserve a human decision path wherever AI affects individuals. IAM teams should read this as a warning that identity, privacy, and AI governance are converging around the same question: who is accountable when the system acts at speed?
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For a broader view of how access lifecycle gaps show up in practice, see Ultimate Guide to NHIs and the operational patterns behind NHI offboarding failures.
What this signals
JIT access is becoming the practical bridge between rapid AI adoption and regulated identity governance. As organisations expand AI use across regions, standing privileges become harder to defend and easier to misuse. Teams that still rely on broad entitlements will feel the pressure first in audit findings, contractor sprawl, and delays in approving high-risk workflows.
Identity programmes should expect regional policy divergence to become an operational constraint. The U.S. may tolerate faster deployment paths, but U.K. and EU expectations around human judgment, disclosure, and data handling will force more explicit access decisions. That means governance teams need regional policy overlays, not just a single global access model.
Access lifecycle discipline remains the hidden control plane for AI-era governance. With 91.6% of secrets still valid five days after notification, per the Ultimate Guide to NHIs, organisations cannot assume that remediation keeps pace with exposure. The same lifecycle weakness will affect AI-adjacent access unless review, offboarding, and expiry are designed as part of the programme, not bolted on later.
For practitioners
- Differentiate access policy by jurisdiction: Map AI-related identity and access workflows to the regulatory expectations of each operating region. Keep U.S. deployment defaults separate from U.K. and EU review, disclosure, and data-handling requirements, so that any difference in how a control is enforced between regions is deliberate and documented rather than accidental.
- Replace standing entitlements with task-scoped access: Convert high-risk access into just-in-time grants with explicit expiry, approval, and task linkage. This is most urgent where AI-enabled work increases the volume of temporary access requests and makes standing privileges harder to justify.
- Put contractor accounts into the same lifecycle model as employees: Assign each third-party identity an owner, review cadence, and offboarding trigger. Contractor access should be revoked when the relationship or use case changes, not left in place because it is administratively easier to preserve.
- Preserve human review for AI-influenced people decisions: Require a human decision point for workflows that affect employees, HR records, or other personal data. Track where AI is used in those flows so disclosure, auditability, and accountability remain intact.
Key takeaways
- AI governance cannot be a single global template, because culture, regulation, and access expectations differ by region.
- Standing privileges and weak contractor offboarding remain the most obvious failure points for identity teams supporting AI adoption.
- Just-in-time access and human review are the controls that most directly align identity governance with this operating reality.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-207 (Zero Trust Architecture), NIST CSF 2.0 and NIST SP 800-63 (Digital Identity Guidelines) are the reference points this guidance maps to; they are not themselves mandatory requirements, but auditors and regulators routinely cite them when assessing access governance.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust: access granted per session and decided by dynamic policy | The article centers on dynamic access and reduced standing privilege; JIT grants are one implementation of per-session, policy-driven access. |
| NIST CSF 2.0 | PR.AA-05: access permissions, entitlements and authorisations are defined, managed, enforced and reviewed under least privilege and separation of duties | Contractor and AI access decisions need least-privilege governance with periodic recertification. |
| NIST SP 800-63 (Digital Identity Guidelines) | SP 800-63A (identity proofing and enrolment); SP 800-63B (authenticator lifecycle, including revocation and termination) | Contractor identities need the same proofing at onboarding and authenticator revocation at offboarding as workforce accounts. |
Preserve human review and accountable identity proofing where AI affects employee or customer data.
Key terms
- Just-in-Time Access: Just-in-time access is a privilege model that grants permissions only when they are needed for a specific task. In identity governance, it reduces standing exposure, limits blast radius, and makes approval and expiry part of the control design rather than optional admin steps.
- Standing Privilege: Standing privilege is persistent access that remains available outside the moment of need. It is convenient but risky because it accumulates over time, is hard to justify continuously, and can outlive the business case that originally created it.
- Third-Party Identity: Third-party identity is the access footprint used by contractors, vendors, and other external parties inside an enterprise environment. It must be governed as a lifecycle object, with ownership, review, and offboarding controls, because external access can become a durable entry point if left unmanaged.
- Human-in-the-Loop Review: Human-in-the-loop review is a governance pattern that requires a person to validate, approve, or override an AI-influenced decision. It matters most when automated output affects people, regulated data, or high-risk actions where traceability and accountability are mandatory.
Deepen your knowledge
AI governance across regions and just-in-time access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning identity controls with AI adoption and contractor risk, it is worth exploring.
This post draws on content published by ConductorOne: U.S. vs. U.K. Perspectives on AI and Security. Read the original.
Published by the NHIMG editorial team on 2025-07-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org