TL;DR: Autonomous AI collapses familiar attack stages into faster, harder-to-contain incidents, with RSA Security framing agentic systems as a step change in cyber risk that current cybersecurity models are not built to handle. The core issue is that governance assumptions about stable, reviewable access break when systems can plan and act at machine speed.
At a glance
What this is: This on-demand RSA Security webinar argues that autonomous AI changes cyber risk by compressing attack speed, scope, and decision-making into machine-paced incidents.
Why it matters: Identity, governance, and risk programmes must account for AI systems that can act beyond human review cycles, which affects NHI, autonomous, and human access controls alike.
Context
Agentic AI changes the security problem because the actor can decide, act, and adapt without waiting for human approval. That breaks assumptions built into many identity and risk programmes, especially where access review, containment, and escalation paths assume human-paced behaviour. For identity teams, the question is no longer only who has access, but whether the actor can change what it does with that access mid-session.
RSA Security frames the issue as a shift from human-led attacks to autonomous systems that can compress multiple attack stages into a single faster incident. That matters for governance because the same phishing or identity compromise techniques become harder to detect, harder to contain, and more difficult to assign accountability when the runtime actor is an AI system rather than a person.
Key questions
Q: How should security teams govern autonomous AI systems that can act without approval?
A: They should govern autonomous AI systems as runtime identities, not as static applications. That means defining who owns the actor, what tools it may reach, what actions it may initiate, and what conditions trigger containment. The goal is to bound behaviour at execution time, because periodic review alone cannot capture machine-paced decision-making.
Q: Why do autonomous AI systems change the meaning of least privilege?
A: Autonomous systems change least privilege because intended use is no longer fully knowable at provisioning time. A system that can adapt mid-session may combine tools and actions in ways that were not anticipated when access was granted. Security teams therefore need to treat privilege as a runtime boundary, not just a pre-approved entitlement set.
Q: What breaks when access review is applied to autonomous AI agents?
A: Access review breaks when the actor can acquire and use privilege faster than the review cycle can observe it. The review may certify a state that no longer exists by the time it is checked, or miss the risky action entirely because no stable human operator is present. That makes the evidence model itself incomplete.
Q: Who is accountable when an autonomous AI system causes security harm?
A: Accountability should sit with the organisation that allowed the system to act autonomously, not with the model itself. Practically, that means the business owner, security owner, and control owner must all be named before deployment, with clear escalation rules for tool access, containment, and incident reporting.
Background and context
Why autonomous attack speed changes identity governance
Autonomous systems change the operational meaning of access because the actor can choose actions, tools, and timing inside a single execution window. In traditional identity models, risk is managed through provisioning, review, and revocation because access persists long enough to observe and govern. When a system plans and adapts at machine speed, the attack path can move from initial access to escalation before human monitoring or approval can intervene. That makes identity governance less about periodic checks and more about whether the runtime behaviour itself is bounded.
Practical implication: teams should test whether their access controls still hold when the actor can change intent and execution sequence during one session.
How phishing and identity compromise become more dangerous with AI agents
Phishing and identity compromise are not new, but autonomous execution changes the blast radius. An AI system can use stolen credentials, follow up on reconnaissance, pivot across tools, and continue probing without fatigue or delay. That removes the natural pauses that human attackers create and reduces the time defenders have to detect anomalies. From an identity perspective, the risk is not only credential theft but credential use at scale, with the attack chain remaining active long after the first compromised account is discovered.
Practical implication: monitor for post-compromise automation patterns, not just credential theft, because automated follow-through is what accelerates impact.
Board-level blind spots in autonomous AI governance
Board-level blind spots emerge when leaders treat autonomy as a feature rather than an identity and risk classification problem. Once an AI system can independently decide what to do next, governance has to account for accountability, scope drift, and control failure in ways that standard application oversight does not cover. This is where existing models become incomplete: they can describe the system, but not necessarily bound its behaviour. The result is a governance gap between policy language and runtime action.
Practical implication: require explicit ownership for autonomous systems and review whether risk reporting actually captures runtime behaviour, not just approved deployment status.
NHI Mgmt Group analysis
Autonomous AI turns identity governance into a runtime control problem. Current identity models assume access can be granted, observed, and certified over time. That assumption fails when the actor can decide, select tools, and execute within one machine-paced session. The implication is that governance must stop treating autonomy as an application attribute and start treating it as an identity behaviour boundary.
Least privilege is designed for known intent, not adaptive intent. Traditional privilege models presuppose that the expected use of access is knowable at provisioning time. Autonomous systems invalidate that assumption because intent can shift during execution as the actor plans, learns, and re-targets. That is assumption collapse, not merely a control gap, and practitioners have to rethink how authorisation is defined for runtime decision-making.
Identity review cadences do not map cleanly to autonomous execution. Access review, recertification, and offboarding all depend on privilege persisting long enough to be observed and acted on. When the actor can acquire, use, and discard access in one session, the governance window narrows to the point where review artefacts may never exist. Practitioners need to recognise that the lifecycle process itself may no longer capture the real risk event.
AI governance and NHI governance are converging at the same failure point. Autonomous systems are still identities in operational terms, even when they behave unlike service accounts or human users. That means NIST AI RMF-style governance and OWASP NHI-style controls need to meet at runtime accountability, tool access, and bounded execution. Security teams should treat the category boundary as administrative, not protective.
Runtime autonomy boundary: The central failure mode here is that organisations assume an AI system can be governed after deployment using static policy and periodic review. That breaks when the actor can change behaviour mid-session, because the control plane does not see a stable access pattern. Practitioners should therefore treat runtime autonomy as the point where existing identity assumptions stop holding.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap strengthens the case for reading OWASP Agentic Applications Top 10 alongside the report, because runtime control and auditability now fail together.
What this signals
Runtime autonomy is becoming the control boundary that identity teams need to model explicitly. When a system can choose actions at machine speed, the gap is no longer between policy and implementation, but between static access and adaptive execution. Teams should expect more incidents where the permission set looks acceptable while the runtime behaviour is not, which is why OWASP NHI Top 10-style thinking is becoming operationally relevant.
Ephemeral access without behavioural containment creates an identity blast radius. The security problem is not just whether an AI system has credentials, but whether those credentials can be chained across tools before anyone can interrupt the session. Our research shows that 80% of organisations already see AI agents act beyond intended scope, which means governance now has to follow runtime behaviour, not just approved entitlements.
Autonomous systems will force IAM, PAM, and AI governance teams to share the same operating model. The organisations that move first will be the ones that treat ownership, runtime monitoring, and evidence capture as one programme rather than three separate ones. That is the practical direction of travel for identity security, whether the actor is human, machine, or autonomous.
For practitioners
- Map autonomous behaviour to identity control points: Identify where AI systems can select actions, tools, or execution timing without human approval, then mark those points as governance boundaries in your IAM and risk model. Use the runtime path, not the deployment diagram, as the basis for review.
- Review assumptions behind access certification: Check whether your access review and recertification process assumes access remains stable long enough to be observed. If it does, document where autonomous systems can bypass that assumption and where evidence would never be generated.
- Tie autonomous systems to explicit ownership: Assign a named business and technical owner for every autonomous system that can initiate actions, so accountability does not disappear into the model or orchestration layer. Include escalation criteria for tool access changes and anomalous delegation.
- Rework containment for machine-speed incidents: Update incident playbooks to look for rapid sequence changes, not just alerts on first compromise. Prioritise controls that can interrupt tool use, revoke credentials, or isolate the actor before the attack chain completes.
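A sketch of the runtime boundary described in the first key question and in the containment item above, added here as an illustration and not taken from RSA Security or NHIMG material. The class names, tool names, thresholds, and session data are all hypothetical. Every call in the sample session is individually entitled, yet the chain across tools inside one window is what triggers containment.

```python
from dataclasses import dataclass

@dataclass
class AgentPolicy:
    agent_id: str
    business_owner: str        # must be named before deployment
    security_owner: str
    allowed: dict              # tool name -> set of permitted actions
    max_tools: int = 2         # containment trigger: distinct tools per window (assumed)
    max_calls: int = 5         # containment trigger: calls per window (assumed)
    window_s: float = 10.0     # sliding window in seconds (assumed)

class RuntimeGuard:
    """Authorises each tool call at execution time and records evidence."""
    def __init__(self, policy):
        if not (policy.business_owner and policy.security_owner):
            raise ValueError("autonomous identity needs named owners")
        self.policy, self.contained = policy, False
        self.recent, self.audit = [], []   # permitted (time, tool) pairs; evidence log

    def authorize(self, tool, action, now):
        p = self.policy
        if self.contained:                  # containment is sticky until an owner resets it
            return self._log(now, tool, action, "deny:contained")
        if action not in p.allowed.get(tool, ()):
            return self._log(now, tool, action, "deny:out_of_scope")
        self.recent = [(t, n) for t, n in self.recent if now - t < p.window_s]
        self.recent.append((now, tool))
        tools_in_window = {n for _, n in self.recent}
        if len(self.recent) > p.max_calls or len(tools_in_window) > p.max_tools:
            self.contained = True           # entitled calls, unacceptable runtime chain
            return self._log(now, tool, action, "contain:machine_paced_chain")
        return self._log(now, tool, action, "allow")

    def _log(self, now, tool, action, decision):
        self.audit.append({"agent": self.policy.agent_id, "t": now, "tool": tool,
                           "action": action, "decision": decision,
                           "escalate_to": self.policy.security_owner})
        return decision == "allow"

def run_demo():
    policy = AgentPolicy("agent-demo", "owner-biz", "owner-sec",
                         {"crm": {"read"}, "mail": {"send"}, "files": {"read"}})
    guard = RuntimeGuard(policy)
    # Constructed session: (seconds, tool, action); each call is within entitlements.
    session = [(0.0, "crm", "read"), (0.5, "crm", "read"), (1.0, "mail", "send"),
               (1.2, "files", "read"), (30.0, "crm", "read")]
    return [guard.authorize(tool, act, t) for t, tool, act in session], guard

if __name__ == "__main__":
    decisions, guard = run_demo()
    for entry in guard.audit:
        print(entry)
```

The audit list is the evidence a periodic access review would never see, since the whole session lasts seconds.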
Key takeaways
- Autonomous AI changes the security problem because access can now be exercised, adapted, and abused at machine speed before traditional review cycles can respond.
- RSA Security frames agentic AI as a step change in risk, and NHIMG research shows that 80% of organisations already see AI agents acting beyond intended scope.
- Identity teams should rework governance around runtime behaviour, explicit ownership, and containment that can interrupt autonomous execution before the attack chain completes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-01 | Autonomous AI runtime behaviour creates the identity and privilege abuse risk this control targets. |
| NIST AI RMF | | Autonomous AI governance needs explicit ownership, accountability, and risk monitoring. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and access review remain foundational, but must reflect machine-paced execution. |
Map autonomous access to PR.AC-4 and validate that entitlements match actual runtime use.
Key terms
- Autonomous AI identity: An autonomous AI identity is a non-human actor that can decide, select tools, and execute actions without human approval at the moment of action. Unlike ordinary automation, it behaves like an identity with runtime discretion, which makes authorisation, accountability, and containment harder to define using static access models.
- Runtime autonomy: Runtime autonomy is the ability of a system to change actions or execution timing while it is operating, rather than following a fixed script. In identity terms, it means security controls must govern behaviour as it happens, because a pre-approved permission set may not describe what the actor actually does.
- Identity blast radius: Identity blast radius is the maximum damage that can occur when an identity is compromised or misused. For autonomous systems, the blast radius can expand quickly because the actor can chain decisions and tool use at machine speed, making containment, attribution, and recovery more difficult than in human-paced scenarios.
- Assumption collapse: Assumption collapse is the point where a governance model fails because it was built on conditions that are no longer true. In autonomous AI, it often appears when controls assume stable access, predictable intent, or human-paced review, even though the actor can adapt and act independently during execution.
This post draws on content published by RSA Security: Why Autonomous AI Changes the Risk Landscape. Read the original.
Published by the NHIMG editorial team on 2026-06-25.