TL;DR: AI is speeding up phishing, reconnaissance, and lateral movement, while defenders are being pushed toward concurrent, context-aware response models that can act in minutes rather than hours, according to Illumio. The security lesson is that observability, workflow timing, and control context now matter as much as detection volume.
NHIMG editorial — based on content published by Illumio: The CISO’s Playbook on why AI defence starts with context, not hype
Questions worth separating out
Q: How should security teams govern AI agents that can access enterprise systems?
A: Security teams should govern AI agents as non-human identities with explicit ownership, scoped privileges, and continuous monitoring.
Q: Why do AI-driven attacks change the way security teams should think about containment?
A: AI changes the speed and scale of attack steps, not the underlying tactics.
Q: What do organisations get wrong about AI observability?
A: They often confuse technical telemetry with governance evidence.
Practitioner guidance
- Map AI data, model, and workflow context Inventory what data enters each model, who or what can access it, and which downstream actions the output can trigger.
- Move response playbooks to concurrent execution Split containment, validation, and investigation into parallel steps where the risk allows it.
- Classify AI agents as governed identities Add AI agents to identity inventories, assign ownership, and include them in lifecycle processes such as access review and offboarding.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- The IBM executive interview and the specific examples used to explain AI-assisted attack speed and defensive concurrency.
- The product and platform references behind graph-based observability and how those ideas are positioned in the original article.
- The full discussion of AI agents in SOC workflows, including the 30 to 40 percent operational capacity claim.
- The article's own examples of model testing, prompt injection, and containment strategy in context.
👉 Read Illumio's analysis of AI defence, context, and concurrent response →
AI defense needs context, not hype. What does that mean for teams?
Explore further
Context is now an identity control, not just an observability feature: AI defence fails when teams can see activity but cannot tie it to data provenance, model behaviour, and actor identity in one control plane. That is why context matters across NHI, human access, and automated workflows. Practitioners should treat context as the prerequisite for any meaningful policy decision.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which leaves a behaviour gap that AI-assisted development can amplify.
A question worth separating out:
Q: Who is accountable when an AI system makes a harmful decision?
A: Accountability should follow the identity chain that authorized, configured, or triggered the action, including the human owner, the platform team, and any delegated agent or tool account. If the organisation cannot name that chain, the governance model is too weak for regulated AI use.
👉 Read our full editorial: AI defense needs context, not hype, in the age of faster attacks