AI identities and insider risk: are your controls keeping up?

TL;DR: AI systems are moving from scripted automation toward independent decision-making, and SPHERE argues that this creates a new inside-threat problem where AI identities can act, reason, and adapt without direct human oversight. That shift breaks traditional governance assumptions about visibility, accountability, and lifecycle control.

NHIMG editorial — based on content published by SPHERE: AI Identities: The Silent Inside Threat

By the numbers:

• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.

Questions worth separating out

Q: How should organisations govern AI identities that can act without human approval?

A: Treat them as governed identities with explicit ownership, bounded authority, and continuous auditability.

Q: What breaks when AI identities are managed like normal automation?

A: The main failure is that automation assumes a fixed script, while AI identities can change action paths at runtime.

Q: Why do AI identities complicate existing IAM and IGA models?

A: They complicate them because they introduce a subject that can be both authenticated and adaptive.

Practitioner guidance

• Define AI identity ownership before production deployment Assign a named business owner and a technical custodian for every AI identity, with explicit approval authority for scope changes, suspension, and retirement.
• Instrument decision-path logging for AI identity activity Capture tool selection, context use, action sequencing, and downstream system effects so audits can reconstruct how the identity behaved, not just that it authenticated successfully.
• Separate human approvals from autonomous execution paths Where an AI identity can act without step-by-step approval, redesign the workflow so the approval boundary is visible in policy, logs, and review artefacts rather than implied by the original design.

What's in the full article

SPHERE's full article covers the operational detail this post intentionally leaves for the source:

• The article expands on the specific governance concerns behind AI identities acting as insider threats.
• It also discusses how enterprises are losing visibility over AI identities in practice, not just in principle.
• The source provides SPHERE's framing of transparency and lifecycle management for AI-driven identity behaviour.
• If you are mapping the issue into an internal programme, the article offers the original context behind the claim.

👉 Read SPHERE's analysis of AI identities as an inside threat →

AI identities and insider risk: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →