AI trust across agents and content: what IAM teams should see

TL;DR: AI trust is eroding as shadow AI appears in more than 90% of organisations, deepfake files rise from about 500,000 in 2023 to over 8 million in 2025, and only 40% of consumers trust AI as an information source, according to DigiCert and Business Insider. Trust now has to be proven through identity, integrity, and auditability, not assumed.

NHIMG editorial — based on content published by DigiCert: The degradation of trust in the age of AI

By the numbers:

• It's now present in more than 90% of organizations as employees increasingly rely on unapproved AI tools.
• Just 40% of individual consumers consider AI a trustworthy source of information.
• A staggering 70% don't trust companies to use AI responsibly with their data.

Questions worth separating out

Q: How should security teams govern shadow AI without blocking business use?

A: Start by identifying where shadow AI already exists, then classify the data, identities, and business processes it touches.

Q: Why do AI agents create governance problems for IAM teams?

A: AI agents can act, select tasks, and process data with limited supervision, so standard access records do not always capture who initiated the action or why.

Q: How can organisations prove content authenticity in an AI-heavy environment?

A: Use cryptographic provenance controls that preserve origin and modification history from creation through distribution.

Practitioner guidance

• Inventory unapproved AI usage paths Map where employees are already using shadow AI, then tie each tool to the data types, systems, and identities involved.
• Bind AI agents to cryptographic identity Require each agent that can act on business systems to have a clear identity, scoped authorization, and an audit trail that preserves responsibility across the full action path.
• Verify provenance for high-risk content Adopt authenticity checks for customer communications, evidence records, and brand-sensitive media so you can validate source and modification history before distribution.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

• How DigiCert frames cryptographic identity for AI agents and where it fits in lifecycle governance
• The article's breakdown of model integrity, provenance, and secure execution controls for AI systems
• Its C2PA discussion and the specific metadata questions practitioners should ask about authenticity
• The vendor's explanation of how identity, integrity, and accountability are positioned across agents, models, and content

👉 Read DigiCert's analysis of trust degradation across AI agents, models, and content →

AI trust across agents and content: what IAM teams should see?

Explore further

View Full Forum →  |  NHI Foundation Course →