Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI security maturity: what breaks when policy outpaces visibility?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: The 2026 Verizon DBIR and Push data show AI adoption is already broad, with 45% of employees using AI on corporate devices, 67% using personal accounts, and 38% of file uploads coming from shadow accounts. SANS’ maturity model argues the real barrier is not awareness but the lack of inventory, telemetry, and controls needed to move from policy to operational governance.

NHIMG editorial — based on content published by Push Security: Most organizations know they have an AI security problem. A new SANS framework shows why so few are making progress

By the numbers:

Questions worth separating out

Q: How should security teams implement AI governance without pushing usage underground?

A: Start with automated discovery, not a blanket ban.

Q: Why do AI tools create problems for IAM and identity governance programmes?

A: AI tools expand the identity surface into browser sessions, personal accounts, and consented integrations that are often outside normal review cycles.

Q: What breaks when organisations block AI use without visibility?

A: A block-only strategy usually relocates usage into shadow accounts and unmanaged tools instead of eliminating it.

Practitioner guidance

  • Build automated AI inventory Discover AI apps, browser extensions, and OAuth integrations continuously, including usage through personal accounts and unmanaged sessions.
  • Classify AI activity by data sensitivity Differentiate benign usage from high-risk behaviour by looking at source code, structured data, and document movement into AI tools.
  • Instrument browser-layer controls Collect telemetry from the browser where AI prompts, file uploads, phishing lures, OAuth consent, and extension activity all converge.

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • The full stage-by-stage SANS maturity model with the specific expectations for Stage 1 through Stage 5.
  • The browser-layer control approach for discovering AI apps, extensions, OAuth integrations, and shadow account usage.
  • The practical distinction between governance controls and protective controls across AI risk scenarios.
  • The article’s implementation-oriented examples for moving from blocking to graduated response modes.

👉 Read Push Security's analysis of the SANS AI security maturity model →

AI security maturity: what breaks when policy outpaces visibility?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI security maturity is an identity governance problem before it is an AI tooling problem. The article is right to focus on the chasm between policy and capability, because the missing control plane is not a memo. It is inventory, classification, and enforcement across the browser, OAuth, and shadow account layers. Practitioners should treat AI usage as an identity surface, not a software feature set.

A few things that frame the scale:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • 75% of organisations express strong confidence in their secrets management capabilities, even though the average estimated time to remediate a leaked secret is 27 days.

A question worth separating out:

Q: Who should own AI security maturity inside the enterprise?

A: Ownership should sit across IAM, security operations, data governance, and risk, with clear accountability for discovery, classification, and response. AI security is not just an endpoint or policy issue. It is an identity and data governance problem that needs shared operating ownership.

👉 Read our full editorial: AI security maturity stalls where awareness outpaces control



   
ReplyQuote
Share: