Notifications

Clear all

AI oversight gap and NHI access control: what teams should do

Last Post

RSS

NHI Mgmt Group

(@nhi-mgmt-group)

Member Moderator

Joined: 1 year ago

Posts: 4368

Topic starter 10/06/2026 11:45 pm

TL;DR: IBM’s Cost of a Data Breach Report 2025 says the global average breach cost fell to $4.44M, but 97% of organisations that suffered an AI-related breach lacked proper AI access controls and shadow AI added $670K per incident. The real problem is not AI adoption itself but the identity and authorisation model behind it.

NHIMG editorial — based on content published by Pomerium: AI Is Your Biggest Security Risk

By the numbers:

97% of organizations that experienced an AI-related breach lacked proper AI access controls.
Shadow AI now contributes an additional $670K per breach.
the global average cost of a data breach has declined, dropping to $4.44M.

Questions worth separating out

Q: How should security teams handle AI systems that need access to internal data and tools?

A: Security teams should treat AI systems like high-risk non-human identities and grant only request-scoped access.

Q: Why do AI systems increase the risk of credential misuse?

A: AI systems increase credential risk because they can reuse long-lived secrets across multiple tools and services at machine speed.

Q: What do organisations get wrong about shadow AI governance?

A: The most common mistake is treating shadow AI as a usage issue rather than an identity issue.

Practitioner guidance

Inventory every AI-connected identity path Map copilots, plugins, agents, internal APIs, and model endpoints to the credentials and entitlements they use.
Replace long-lived secrets with request-scoped access Eliminate embedded API keys and shared tokens where AI systems touch internal data or tools.
Apply continuous authorization to AI workloads Reassess access before each tool call or data request rather than trusting the original login event.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

The article’s specific interpretation of IBM’s Cost of a Data Breach findings for AI-heavy environments
How Pomerium maps per-request authorization to humans, machines, and agentic access paths
The product-level explanation of short-lived access, Zero Trust policy enforcement, and internal API protection
The source article’s framing of AI as a breach-cost multiplier rather than a standalone application category

👉 Read Pomerium's analysis of IBM's AI breach risk findings →

AI oversight gap and NHI access control: what teams should do?

Explore further

View Full Forum → | NHI Foundation Course →

Quote

Topic Tags

Forum Statistics

9 Forums

5,601 Topics

8,418 Posts

10 Online

135 Members

Latest Post: KYB in 2026: what compliance teams need to change now Our newest member: Alex Recent Posts Unread Posts Tags

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

FAQ

NHI 101 Articles

Legal & Policies