TL;DR: AI transformation often stalls because organisations treat it as a technology rollout instead of a governed operating change, despite wide adoption of AI tools and agents, according to WitnessAI. The deeper failure is assumption collapse: accountability, access review, and lifecycle controls were built for stable human or NHI behaviour, not for systems that change workflows, data access, and decision paths at runtime.
NHIMG editorial — based on content published by WitnessAI: AI transformation, governance, and the path to sustainable adoption
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams govern AI transformation across identity and access programmes?
A: Start by treating AI use cases as governed identities rather than isolated tools.
Q: When does AI transformation become an IAM problem instead of a business programme?
A: It becomes an IAM problem whenever AI systems can access data, call tools, or trigger actions that affect business outcomes.
Q: What do organisations get wrong about AI governance and lifecycle controls?
A: They often assume human-style governance cycles can manage machine-paced behaviour.
Practitioner guidance
- Define AI ownership and decision rights Assign a named business and security owner for every AI use case, including the identity that can initiate actions, the data it may access, and the approval path for escalation.
- Map AI access to governed identity assets Inventory the secrets, service accounts, tokens, and delegated permissions used by AI systems, then bind them to lifecycle controls and periodic access review.
- Constrain runtime tool use for AI systems Enforce policy checks at the point of action so AI systems can only use approved tools, data sources, and write paths during execution.
What's in the full article
WitnessAI's full article covers the operational detail this post intentionally leaves for the source:
- A structured breakdown of AI transformation stages and the organisational dependencies that make them succeed or stall.
- More detail on governance foundations, data readiness, and change management across business units.
- Practical implementation guidance for integrating AI into workflows while maintaining accountability.
- The source article’s discussion of business outcomes and operating-model change, which this post summarises at a governance level.
👉 Read WitnessAI's analysis of AI transformation, governance, and operational change →
AI transformation and governance gaps: what IAM teams are missing?
Explore further
AI transformation becomes an identity governance problem the moment AI changes who can act, what they can reach, and who owns the result. The article treats governance as one element of transformation, but the security reality is sharper: once AI is embedded in workflows, identity and access control define whether the transformation is controllable at all. That means IAM, NHI, and lifecycle processes are no longer supporting functions. Practitioners should treat identity governance as a core transformation dependency.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
A question worth separating out:
Q: How do teams measure whether AI transformation is actually under control?
A: Look beyond adoption and model accuracy. Measure who owns each AI system, what data it can reach, which actions it can trigger, and how quickly access can be revoked or constrained when behaviour changes. If those answers are unclear, the programme is scaling faster than governance can support.
👉 Read our full editorial: AI transformation exposes governance gaps across human and agentic systems