AI oversight gap and NHI access control: what teams should do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: IBM’s Cost of a Data Breach Report 2025 says the global average breach cost fell to $4.44M, but 97% of organisations that suffered an AI-related breach lacked proper AI access controls and shadow AI added $670K per incident. The real problem is not AI adoption itself but the identity and authorisation model behind it.

NHIMG editorial — based on content published by Pomerium: AI Is Your Biggest Security Risk

By the numbers:

Questions worth separating out

Q: How should security teams handle AI systems that need access to internal data and tools?

A: Security teams should treat AI systems like high-risk non-human identities and grant only request-scoped access.

Q: Why do AI systems increase the risk of credential misuse?

A: AI systems increase credential risk because they can reuse long-lived secrets across multiple tools and services at machine speed.

Q: What do organisations get wrong about shadow AI governance?

A: The most common mistake is treating shadow AI as a usage issue rather than an identity issue.

Practitioner guidance

  • Inventory every AI-connected identity path. Map copilots, plugins, agents, internal APIs, and model endpoints to the credentials and entitlements they use.
  • Replace long-lived secrets with request-scoped access. Eliminate embedded API keys and shared tokens where AI systems touch internal data or tools.
  • Apply continuous authorization to AI workloads. Reassess access before each tool call or data request rather than trusting the original login event.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article’s specific interpretation of IBM’s Cost of a Data Breach findings for AI-heavy environments
  • How Pomerium maps per-request authorization to humans, machines, and agentic access paths
  • The product-level explanation of short-lived access, Zero Trust policy enforcement, and internal API protection
  • The source article’s framing of AI as a breach-cost multiplier rather than a standalone application category

👉 Read Pomerium's analysis of IBM's AI breach risk findings →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Identity controls, not model quality, are now the decisive AI security layer. The article is right to frame AI as a breach-cost issue, but the underlying mechanism is identity governance failure. When AI systems can authenticate, call tools, and access internal resources without explicit control boundaries, breach cost falls for defenders only if access is already tightly constrained. Practitioners should treat AI governance as an access-control problem first, and a model-risk problem second.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How do we know if AI access controls are actually working?

A: You know they are working when access decisions are granular, session-aware, and visible in logs that show exactly what the AI system requested and what it was permitted to do. If broad credentials still open multiple internal systems without per-request checks, the control is not effective.

👉 Read our full editorial: AI access controls lag as breach costs fall in IBM data
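
Added example, not part of either post and not Pomerium's or IBM's code: a minimal sketch of the request-scoped grants and per-call reassessment from the practitioner guidance, producing the kind of decision log the reply describes. The agent name, tool names, resource identifiers, policy table, signing key and timestamps are all constructed, and resources are assumed to be already-normalised identifiers.

```python
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key lives in a KMS
# Constructed policy: (agent, tool) -> resource prefix that pair may touch.
POLICY = {("support-copilot", "read_ticket"): "tickets/",
          ("support-copilot", "search_kb"): "kb/"}
DECISION_LOG = []  # one record per tool call, allowed or denied

def _sign(body: str) -> bytes:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest().encode()

def mint_grant(agent, tool, resource, now, ttl=30):
    """Issue a grant for exactly one tool and resource, valid for ttl seconds."""
    body = json.dumps({"agent": agent, "tool": tool, "resource": resource,
                       "exp": now + ttl}, sort_keys=True)
    return body + "." + _sign(body).decode()

def authorize(grant, tool, resource, now):
    """Re-check the grant and current policy on every call, then log the decision."""
    body, _, sig = grant.rpartition(".")
    claims, reason = {}, "ok"
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        reason = "bad_signature"
    else:
        claims = json.loads(body)
        prefix = POLICY.get((claims["agent"], tool))  # looked up now, so revocation bites
        if now >= claims["exp"]:
            reason = "expired"
        elif (claims["tool"], claims["resource"]) != (tool, resource):
            reason = "out_of_scope"
        elif prefix is None or not resource.startswith(prefix):
            reason = "policy_denied"
    DECISION_LOG.append({"ts": now, "agent": claims.get("agent"), "tool": tool,
                         "resource": resource, "allowed": reason == "ok",
                         "reason": reason})
    return reason == "ok"

if __name__ == "__main__":
    g = mint_grant("support-copilot", "read_ticket", "tickets/4412", now=1000)
    authorize(g, "read_ticket", "tickets/4412", now=1010)   # in scope
    authorize(g, "read_ticket", "tickets/9999", now=1010)   # different resource
    authorize(g, "read_ticket", "tickets/4412", now=1031)   # after expiry
    for rec in DECISION_LOG:
        print(json.dumps(rec))
```

Each log record carries what was requested, whether it was permitted, and why, so a grant that opens more than its one tool and resource shows up as a gap in the denials.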



   