AI adoption, sandbox governance, and the identity gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Platform leaders at KubeCon North America described a three-lane model for AI adoption that separates low-risk experiments, managed internal apps, and critical production systems, while highlighting how procurement, automation, and shared platform controls are becoming the main blockers to safe scale, according to Cerbos. The real issue is not AI novelty but identity and authorization models that must work for non-human access without collapsing developer velocity.

NHIMG editorial — based on content published by Cerbos: a platform engineering roundtable recap on AI adoption, governance, and the three-lane model

Questions worth separating out

Q: How should security teams govern AI experimentation without slowing delivery?

A: Use lane-based governance.

Q: Why do AI agents create different identity risks than ordinary applications?

A: AI agents act as non-human identities that can make decisions and execute work at machine speed, so overbroad access becomes dangerous very quickly.

Q: What do platform teams get wrong when they leave authorization inside each app?

A: They create fragmented policy enforcement, inconsistent access decisions, and repeated engineering work across every AI project.

Practitioner guidance

  • Define lane-specific control baselines: classify AI use cases into fast, managed, or critical lanes before build work starts.
  • Externalize authorization into shared platform services: move access enforcement out of individual applications and into reusable platform layers so policy changes propagate consistently.
  • Scope AI access as if every system were a non-human identity: review whether AI tools have broader access than the task requires, especially when they touch developer portals, knowledge systems, or infrastructure automation.

What's in the full article

Cerbos' full article covers the operational detail this post intentionally leaves for the source:

  • How the three-lane model is applied in real platform engineering environments
  • Examples of how teams package complete working environments instead of reference docs
  • The practical mechanics of shift down for authentication, authorization, and compliance
  • How platform teams are standardizing AI tool integration patterns across internal systems

👉 Read Cerbos' analysis of AI governance, platform engineering, and the three-lane model →

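The two practitioner points above, externalized authorization and scoping AI access as a non-human identity, can be shown together in a small shared decision service. The following is an added example, not Cerbos code and not from the roundtable: the lane names, the policy table, the resource kinds and the principal identifiers are all assumptions constructed for illustration. Every app calls the one `authorize()` function, decisions are deny by default, a lane-containment rule stops an agent reaching a riskier lane than the one its use case was classified into, and `excess_grants()` is the review step that flags grants an agent holds beyond what its task uses.

```python
# Added example: a shared, lane-aware authorization service for non-human
# identities. Not Cerbos code and not from the roundtable; the policy format,
# lane names, resource kinds and principal ids are assumptions for illustration.
from dataclasses import dataclass

# Risk-ordered lanes (assumed names): tuple index is the risk level.
LANES = ("fast", "managed", "critical")


@dataclass(frozen=True)
class Principal:
    id: str
    kind: str   # "user" or "agent"; an agent is a non-human identity
    lane: str   # lane the AI use case was classified into before build


@dataclass(frozen=True)
class Request:
    principal: Principal
    action: str
    resource_kind: str
    resource_lane: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed policy table: (principal kind, lane) -> resource kind -> allowed actions.
# It lives in the platform service, not in any app, so a change here applies everywhere.
POLICIES = {
    ("agent", "fast"):     {"sandbox-doc": {"read", "write"}},
    ("agent", "managed"):  {"knowledge-base": {"read"}, "dev-portal": {"read"}},
    ("agent", "critical"): {"prod-config": {"read"}},
    ("user", "critical"):  {"prod-config": {"read", "write"}},
}


def authorize(req: Request) -> Decision:
    """Single decision point every app calls. Deny by default."""
    if req.principal.lane not in LANES or req.resource_lane not in LANES:
        return Decision(False, "unknown-lane")
    # Lane containment: a principal never reaches a resource in a riskier lane
    # than its own, regardless of what the policy table says.
    if LANES.index(req.resource_lane) > LANES.index(req.principal.lane):
        return Decision(False, "lane-escalation")
    grants = POLICIES.get((req.principal.kind, req.principal.lane), {})
    if req.action in grants.get(req.resource_kind, set()):
        return Decision(True, "policy-match")
    return Decision(False, "no-matching-policy")


def excess_grants(principal: Principal, required: dict) -> dict:
    """Least-privilege review: grants the principal holds beyond what its task
    needs. `required` maps resource kind -> actions the task actually uses."""
    grants = POLICIES.get((principal.kind, principal.lane), {})
    excess = {}
    for resource_kind, actions in grants.items():
        extra = actions - required.get(resource_kind, set())
        if extra:
            excess[resource_kind] = extra
    return excess


if __name__ == "__main__":
    bot = Principal("docs-summarizer", "agent", "managed")
    print(authorize(Request(bot, "read", "knowledge-base", "managed")))
    print(authorize(Request(bot, "read", "prod-config", "critical")))
    print(excess_grants(bot, {"knowledge-base": {"read"}}))
```

The containment check runs before the policy lookup on purpose: a mistaken grant in the table cannot let a fast-lane experiment touch a critical-lane resource, which is the failure the "scope AI access as a non-human identity" point is warning about. In a real deployment the policy table would be versioned and served by the platform, and the decision reasons would be logged so the security operations team can see lane-escalation attempts.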

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4330
 

The real governance failure is not AI complexity, but the assumption that all AI deserves production-grade controls from day one. The article shows that organisations are splitting experimentation from critical operations because a single control standard slows adoption and pushes teams to route around governance. That is a platform design problem, not a user discipline problem. Practitioners should treat lane design as a governance primitive, not an afterthought.

A question worth separating out:

Q: How do organisations keep AI governance from becoming a blocker?

A: Automate it. The article’s core lesson is that governance only works when it is invisible to developers and embedded in the platform. If teams must request manual exceptions or wait on slow approvals, they will route around the controls and create shadow AI instead.

👉 Read our full editorial: AI adoption is exposing platform governance gaps in enterprise identity
