Open-weight proliferation is a governance problem, not just a model-distribution problem. The article shows that frontier cyber capability does not stay confined to controlled-release environments for long, which means the real issue is the speed at which offensive techniques become broadly usable. That turns AI capability diffusion into an identity and access governance concern, because once the capability is available, access paths and credentials become the operational gateway. Practitioners should treat proliferation as a structural risk to access control assumptions.
A few things that frame the scale:
- NHIs now outnumber human identities by 144:1 in enterprise environments, a 44% increase year-over-year driven by AI agents, CI/CD automation, and third-party integrations, according to The NHI and Secrets Risk Report.
- Nearly half of all exposed secrets reside outside code repositories, in CI/CD logs, collaboration tools, and messaging platforms, according to the same report.
A question worth separating out:
Q: How can teams tell whether zero trust is actually helping against AI-driven attacks?
A: Look for continuous verification across identities, not just successful logins. If authentication is secure but privilege use, lateral movement, and cross-system access remain opaque, then zero trust is incomplete in practice and AI-assisted misuse can still blend into normal traffic.
👉 Read our full editorial: Open-weight AI proliferation is outpacing cyber defence controls
Open-weight proliferation is a governance problem, not just a model-distribution problem. The article shows that frontier cyber capability does not stay confined to controlled-release environments for long, which means the real issue is the speed at which offensive techniques become broadly usable. That turns AI capability diffusion into an identity and access governance concern, because once the capability is available, access paths and credentials become the operational gateway. Practitioners should treat proliferation as a structural risk to access control assumptions.
A few things that frame the scale:
- NHIs now outnumber human identities by 144:1 in enterprise environments, a 44% increase year-over-year driven by AI agents, CI/CD automation, and third-party integrations, according to The NHI and Secrets Risk Report.
- Nearly half of all exposed secrets reside outside code repositories, in CI/CD logs, collaboration tools, and messaging platforms, according to the same report.
A question worth separating out:
Q: How can teams tell whether zero trust is actually helping against AI-driven attacks?
A: Look for continuous verification across identities, not just successful logins. If authentication is secure but privilege use, lateral movement, and cross-system access remain opaque, then zero trust is incomplete in practice and AI-assisted misuse can still blend into normal traffic.
👉 Read our full editorial: Open-weight AI proliferation is outpacing cyber defence controls