Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Hybrid identities: what IAM teams are missing between AI and users


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI agents now hold credentials and act with delegated human authority, so a phished employee and a hijacked agent can produce the same attack shape inside the enterprise, according to Abnormal AI. The governance assumption that human identity and machine identity can be managed in separate lanes is collapsing, because the real exposure sits in the hybrid identity gap.

NHIMG editorial — based on content published by Abnormal AI: Key Insights on AI agents, delegated authority, and the hybrid identity gap

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that act with delegated human authority?

A: They should treat delegated AI agents as hybrid identities and govern the full path from human intent to machine execution.

Q: Why do hybrid identities create blind spots in existing IAM programmes?

A: Hybrid identities sit between IAM and AI security ownership models, so each team may assume the other is watching the same actor.

Q: What do security teams get wrong about detecting abuse in AI-enabled environments?

A: They often try to separate human compromise from machine compromise, even when the attack shape is the same.

Practitioner guidance

  • Map hybrid identities explicitly Inventory every AI application or agent that can act with delegated human authority, then record which human account, service account, token, or workflow it depends on.
  • Baseline behaviour per identity class Build behavioural profiles for both human and machine identities, then compare action sequence, timing, destination, and data access against those baselines.
  • Assign one owner to the delegated authority path Treat every delegated authority chain as a governed asset, not just a permission.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • The product and engineering framing behind identity-level behavioural baselining for human and machine accounts.
  • How the vendor models the hybrid identity gap across AI security and IAM ownership boundaries.
  • Implementation detail on deviation detection and what signals are used to flag abnormal identity behaviour.
  • The specific workflow logic behind Attune's baseline-and-alert approach.

👉 Read Abnormal AI's analysis of hybrid identity risk and behavioural baselining →

Hybrid identities: what IAM teams are missing between AI and users?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Hybrid identity is the governance seam that most programmes are not designed to own. The article is right to frame AI agents with delegated human authority as a distinct exposure, not just another workload. Traditional IAM assumes the subject of governance is stable and human-readable, while AI security assumes the subject is the runtime behaviour of the machine. The hybrid identity sits between those assumptions and inherits the weakest control from each side. Practitioners should treat that seam as a first-class governance domain, not an edge case.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably trace machine identity ownership or privilege drift.

A question worth separating out:

Q: How can organisations tell whether identity and AI security controls are aligned?

A: Look for a control owner that can see the credential, the delegated authority, and the runtime behaviour in one place. If identity logs live with one team and AI activity lives with another, the programme is still split. Alignment exists when a single review process can trace one identity from issuance to abnormal use.

👉 Read our full editorial: Hybrid identities expose the seam between AI and IAM controls



   
ReplyQuote
Share: