AI security at machine speed: are IAM controls keeping up?


(@nhi-mgmt-group)

TL;DR: AI is compressing code review, deployment, and agent tool use into microseconds, exposing a mismatch between human-paced security controls and machine-speed operations, according to WorkOS’s panel discussion from Enterprise Ready Conference 2025. The result is a governance problem as much as a technical one: identity, authorization, and audit patterns must be rethought for AI-enabled execution.

NHIMG editorial — based on content published by WorkOS: Security in the Age of AI: Old Problems Meet New Risks

Questions worth separating out

Q: How should security teams govern AI agents that can act at machine speed?

A: They should treat the agent as an identity whose actions can outrun human review.

Q: Why do AI agents complicate least privilege in practice?

A: Because least privilege is usually defined at provisioning time, while agent behaviour changes at runtime.

Q: What do security teams get wrong about MCP-based AI integrations?

A: They often focus on whether a tool is connected and miss the more important question of which tool paths are possible.

Practitioner guidance

  • Map human-speed controls that no longer fit: identify where code review, change approval, ticketing, and manual sign-off assume a delay between decision and execution.
  • Govern MCP tool chains, not just tool inventories: document allowed sequences such as read, transform, and write, then block unsafe transitions, like a mailbox read followed by an external post, unless an explicit policy gate approves them.
  • Define machine-readable guardrails before verification: move agent policy into structured, testable language so that monitoring and verification have something precise to check.

What's in the full article

WorkOS's full article covers the panel-discussion detail that this post intentionally leaves to the source:

  • Full remarks on AI for security versus security for AI, including the panel's practical distinctions between detection, review, and guardrail design.
  • The discussion of MCP tool-chain controls, including selective tool gating and contextual restrictions on downstream actions.
  • The panel's examples of verification approaches such as multi-model consensus, TEEs, and zero-knowledge proofs, which are only summarised here.
  • The closing advice for first-time security hires on building internal relationships and operational visibility in AI-heavy environments.

👉 Read WorkOS's panel analysis of AI security and machine-speed identity risk →
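The two guidance points above on governing MCP tool chains and on machine-readable guardrails can be made concrete with a small sequence-aware authorizer. The code below is an added example, not code from the WorkOS panel or from NHIMG. Tool names such as mailbox.read, text.transform and web.post, the internal/public/external labels, and the session shape are all hypothetical and constructed for illustration. It shows the shift from an inventory check ("is web.post connected?") to a path check ("has this session already read internal data, and is an external write now being attempted without a gate approval?"), and it records every decision for audit.

```python
"""Sequence-aware authorization for an MCP-style agent tool chain.

Added example, not code from the WorkOS panel or from NHIMG. Tool names,
sensitivity labels and the session shape are hypothetical and constructed
for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical tool inventory. Each tool has a kind (read/transform/write) and,
# for reads and writes, a label saying where the data comes from or goes to.
TOOLS = {
    "mailbox.read":   {"kind": "read",      "label": "internal"},
    "docs.read":      {"kind": "read",      "label": "internal"},
    "weather.read":   {"kind": "read",      "label": "public"},
    "text.transform": {"kind": "transform"},
    "notes.write":    {"kind": "write",     "label": "internal"},
    "web.post":       {"kind": "write",     "label": "external"},
}

# Allowed kind-to-kind transitions; the previous kind is None at session start.
# A write may only follow a read or a transform, so every write has provenance.
ALLOWED_NEXT = {
    None:        {"read"},
    "read":      {"read", "transform", "write"},
    "transform": {"transform", "write"},
    "write":     {"read"},
}


@dataclass
class Session:
    last_kind: Optional[str] = None
    # Set once any internal-labelled source has been read in this session.
    tainted: bool = False
    # Audit trail of (step, tool, allowed, reason), one entry per decision.
    log: List[Tuple[int, str, bool, str]] = field(default_factory=list)


def _record(session: Session, step: int, tool: str, allowed: bool, reason: str) -> Tuple[bool, str]:
    session.log.append((step, tool, allowed, reason))
    return allowed, reason


def authorize(session: Session, tool: str, step: int, gate_approved: bool = False) -> Tuple[bool, str]:
    """Decide one tool call against the session so far; mutate state only on allow."""
    spec = TOOLS.get(tool)
    if spec is None:
        return _record(session, step, tool, False, "unknown tool")
    kind = spec["kind"]
    if kind not in ALLOWED_NEXT[session.last_kind]:
        return _record(session, step, tool, False,
                       f"sequence: {session.last_kind} -> {kind} not allowed")
    # The unsafe transition from the guidance: internal data has been read and
    # this call would push data to an external sink. Require an explicit gate.
    if kind == "write" and spec["label"] == "external" and session.tainted and not gate_approved:
        return _record(session, step, tool, False,
                       "gate: external write after internal read needs explicit approval")
    if kind == "read" and spec["label"] == "internal":
        session.tainted = True
    session.last_kind = kind
    return _record(session, step, tool, True, "ok")


def run_chain(calls: List[str], approvals: FrozenSet[int] = frozenset()) -> List[Tuple[int, str, bool, str]]:
    """Evaluate a proposed chain in order, stopping at the first denial.

    `approvals` holds the step indices a policy gate has explicitly approved.
    """
    session = Session()
    for step, tool in enumerate(calls):
        allowed, _ = authorize(session, tool, step, gate_approved=step in approvals)
        if not allowed:
            break
    return session.log


if __name__ == "__main__":
    for entry in run_chain(["mailbox.read", "text.transform", "web.post"]):
        print(entry)
```

The policy here is ordinary data, so it can be diffed, reviewed and unit-tested like any other configuration, which is the "machine-readable guardrail" point: the monitoring side has a precise rule to check (a taint flag plus a transition table) rather than a prose intention. In a real deployment the gate approval would come from a separate policy service or a human step, not from the agent that proposes the call.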
