AI security at machine speed: are IAM controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: AI is compressing code review, deployment, and agent tool use into microseconds, exposing a mismatch between human-paced security controls and machine-speed operations, according to WorkOS’s panel discussion from Enterprise Ready Conference 2025. The result is a governance problem as much as a technical one: identity, authorization, and audit patterns must be rethought for AI-enabled execution.

NHIMG editorial — based on content published by WorkOS: Security in the Age of AI: Old Problems Meet New Risks

Questions worth separating out

Q: How should security teams govern AI agents that can act at machine speed?

A: They should treat the agent as an identity whose actions can outrun human review.

Q: Why do AI agents complicate least privilege in practice?

A: Because least privilege is usually defined at provisioning time, while agent behaviour changes at runtime.

Q: What do security teams get wrong about MCP-based AI integrations?

A: They often focus on whether a tool is connected and miss the more important question of which tool paths are possible.

Practitioner guidance

  • Map human-speed controls that no longer fit: Identify where code review, change approval, ticketing, and manual sign-off assume a delay between decision and execution.
  • Govern MCP tool chains, not just tool inventories: Document allowed sequences such as read, transform, and write, then block unsafe transitions like mailbox read to external posting without an explicit policy gate.
  • Define machine-readable guardrails before verification: Move agent policy into structured, testable language so that monitoring and verification have something precise to check.

What's in the full article

WorkOS's full article covers the panel discussion detail this post intentionally leaves for the source:

  • Full remarks on AI for security versus security for AI, including the panel's practical distinctions between detection, review, and guardrail design.
  • The discussion of MCP tool-chain controls, including selective tool gating and contextual restrictions on downstream actions.
  • The panel's examples of verification approaches such as multi-model consensus, TEEs, and zero-knowledge proofs, which are only summarised here.
  • The closing advice for first-time security hires on building internal relationships and operational visibility in AI-heavy environments.

👉 Read WorkOS's panel analysis of AI security and machine-speed identity risk →


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Machine-speed execution breaks the review model that most identity programmes still depend on. Security controls such as code review, change approval, and exception handling were built around human latency. When an AI system can create, review, and deploy actions in microseconds, those controls stop being checkpoints and become after-the-fact evidence. The implication is that security programmes must stop assuming a reviewable pause exists in the lifecycle of action.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: Should organisations keep human approval gates for high-risk AI actions?

A: Yes, when the action is irreversible, externally visible, or capable of changing production state. Human approval should be reserved for the highest-impact decisions, while lower-risk actions can be governed by pre-approved policy. That balance preserves speed without turning automation into uncontrolled execution.

👉 Read our full editorial: AI security and agent speed are reshaping identity controls
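Added example, not code from WorkOS's panel or from NHIMG: a small Python guardrail that turns the rules from both posts above (documented read, transform, write sequences; no mailbox read to external posting without an explicit policy gate; human approval reserved for irreversible, externally visible or production-changing actions) into a machine-readable policy that can be tested. The tool names, risk tags and the sample session are constructed assumptions, not any product's catalogue.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed tool catalogue: each tool is classified by its step in the
# documented read -> transform -> write chain and by risk tags.
TOOLS = {
    "mailbox.read":   {"step": "read",      "tags": {"sensitive_source"}},
    "docs.read":      {"step": "read",      "tags": set()},
    "text.summarize": {"step": "transform", "tags": set()},
    "wiki.write":     {"step": "write",     "tags": {"irreversible"}},
    "social.post":    {"step": "write",     "tags": {"external"}},
    "k8s.apply":      {"step": "write",     "tags": {"production"}},
}
# Allowed step transitions; None is the start of a session.
ALLOWED_NEXT = {None: {"read"}, "read": {"read", "transform"},
                "transform": {"transform", "write"}, "write": {"read"}}
# Actions that are irreversible, externally visible or change production
# state are routed to a human unless an explicit gate was granted.
HUMAN_GATE_TAGS = {"irreversible", "external", "production"}

@dataclass
class Session:
    last_step: Optional[str] = None
    taint: set = field(default_factory=set)          # risk tags of sources read so far
    gates_granted: set = field(default_factory=set)  # tools with an explicit policy gate

def evaluate(session: Session, tool: str) -> str:
    """Decide 'allow', 'needs_human' or 'deny' for the next call; advance state on allow."""
    spec = TOOLS.get(tool)
    if spec is None:
        return "deny"                                # tool not in the documented chain
    if spec["step"] not in ALLOWED_NEXT[session.last_step]:
        return "deny"                                # unsafe step transition
    gated = tool in session.gates_granted
    if "external" in spec["tags"] and "sensitive_source" in session.taint and not gated:
        return "deny"                                # mailbox read -> external post without a gate
    if spec["tags"] & HUMAN_GATE_TAGS and not gated:
        return "needs_human"                         # high-impact: pause for human approval
    session.last_step = spec["step"]
    session.taint |= spec["tags"] & {"sensitive_source"}
    return "allow"

def grant_gate(session: Session, tool: str) -> None:
    """Record an explicit policy gate (pre-approved policy or human sign-off) for one tool."""
    session.gates_granted.add(tool)

def run_chain(calls, approvals=()):
    """Evaluate a constructed sequence of tool calls and return (tool, verdict) pairs."""
    session = Session()
    for tool in approvals:
        grant_gate(session, tool)
    return [(tool, evaluate(session, tool)) for tool in calls]
```

A verdict of `needs_human` leaves the session state unchanged; the caller records the approval with `grant_gate` and re-evaluates, so the audit trail shows the pause as well as the action.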
