Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI identities and insider risk: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI systems are moving from scripted automation toward independent decision-making, and SPHERE argues that this creates a new inside-threat problem where AI identities can act, reason, and adapt without direct human oversight. That shift breaks traditional governance assumptions about visibility, accountability, and lifecycle control.

NHIMG editorial — based on content published by SPHERE: AI Identities: The Silent Inside Threat

By the numbers:

Questions worth separating out

Q: How should organisations govern AI identities that can act without human approval?

A: Treat them as governed identities with explicit ownership, bounded authority, and continuous auditability.

Q: What breaks when AI identities are managed like normal automation?

A: The main failure is that automation assumes a fixed script, while AI identities can change action paths at runtime.

Q: Why do AI identities complicate existing IAM and IGA models?

A: They complicate them because they introduce a subject that can be both authenticated and adaptive.

Practitioner guidance

  • Define AI identity ownership before production deployment Assign a named business owner and a technical custodian for every AI identity, with explicit approval authority for scope changes, suspension, and retirement.
  • Instrument decision-path logging for AI identity activity Capture tool selection, context use, action sequencing, and downstream system effects so audits can reconstruct how the identity behaved, not just that it authenticated successfully.
  • Separate human approvals from autonomous execution paths Where an AI identity can act without step-by-step approval, redesign the workflow so the approval boundary is visible in policy, logs, and review artefacts rather than implied by the original design.

What's in the full article

SPHERE's full article covers the operational detail this post intentionally leaves for the source:

  • The article expands on the specific governance concerns behind AI identities acting as insider threats.
  • It also discusses how enterprises are losing visibility over AI identities in practice, not just in principle.
  • The source provides SPHERE's framing of transparency and lifecycle management for AI-driven identity behaviour.
  • If you are mapping the issue into an internal programme, the article offers the original context behind the claim.

👉 Read SPHERE's analysis of AI identities as an inside threat →

AI identities and insider risk: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI identities are becoming an inside-threat class, not just an automation layer. The article is right to separate independence from simple scripting, because a system that can act, reason, and adapt inside the enterprise should not be governed like a fixed workflow. That shifts the problem from process efficiency to identity risk, where the question becomes who can constrain behaviour after runtime decisions begin. Practitioners should treat AI identities as governed actors, not benign infrastructure.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when an AI identity causes an internal security incident?

A: Accountability should rest with the named business owner and the control owner who approved its access, not with the model itself. Organisations need a clear chain of responsibility that covers provisioning, monitoring, and retirement, otherwise an AI identity can create damage without anyone being able to answer for its use.

👉 Read our full editorial: AI identities are becoming inside threats in enterprise governance



   
ReplyQuote
Share: