TL;DR: AI in Identity Security Demands a New Playbook finds that only 44% of organizations feel fully equipped to support secure AI, while 61% have full visibility into machine identities and 48% govern AI entities, according to Delinea's survey of 1,700 IT decision-makers. The governance gap is now structural: security teams are trying to control AI with identity models that were not built for agentic behaviour.
NHIMG editorial — based on content published by Delinea: AI in Identity Security Demands a New Playbook
By the numbers:
- 44% of organizations say their security architecture is fully equipped to support secure AI.
- 61% have full visibility into all machine identities to monitor for compromise.
- 48% have identity governance for AI entities.
Questions worth separating out
Q: How should security teams govern AI identities that can act at runtime?
A: Security teams should treat runtime AI behaviour as an identity governance issue, not only an application risk.
Q: Why do partial machine identity inventories create more risk for AI programmes?
A: Partial inventories leave unknown identities outside ownership, access review, and monitoring.
Q: What do security teams get wrong about shadow AI?
A: They often treat shadow AI as a policy problem instead of a lifecycle problem.
Practitioner guidance
- Inventory AI identities continuously Build discovery processes that identify sanctioned and unsanctioned AI entities across cloud, SaaS, and internal automation layers.
- Replace static roles with task-scoped access Limit AI entities to the smallest set of actions, tools, and data paths needed for a specific workflow.
- Tie AI governance to lifecycle controls Apply joiner-mover-leaver logic to AI systems, including approval, review, suspension, and retirement.
What's in the full report
Delinea's full report covers the operational detail this post intentionally leaves for the source:
- The survey methodology and respondent breakdown across more than 1,700 IT decision-makers.
- The full set of AI identity security findings by capability area, including machine visibility and AI governance.
- The report's breakdown of shadow AI frequency and the most common AI identity security concerns.
- The research team's recommended actions for organisations building secure AI controls.
👉 Read Delinea's report on AI identity security and secure AI governance gaps →
AI identity governance gaps: are your controls keeping up?
Explore further
AI identity governance is now a control-plane problem, not an edge case. The report shows that AI has moved from pilot status into operational environments faster than governance has caught up. Once 94% of companies are using or piloting AI in IT operations, the question is no longer whether AI exists in the estate. The real issue is whether identity teams can see, classify, and govern the machine layer fast enough to keep it bounded. Practitioners should treat AI governance as part of core identity architecture, not an overlay.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: When should organisations move beyond role-based controls for AI systems?
A: They should move beyond role-based controls when an AI system can choose actions, tools, or timing at runtime. In that case, static entitlements can become too broad for one task and too limited for another. Task-scoped, context-aware access is more defensible because it matches the way the system actually behaves.
👉 Read our full editorial: AI identity governance gaps leave 56% facing shadow AI monthly