TL;DR: CIAM stops being sufficient at login unless real-time authorization follows the identity across APIs, data, delegation, and AI-assisted actions, according to PlainID. Static roles and authorization logic hard-coded into applications leave gaps, and those gaps become more dangerous once assistants or proxies can act on behalf of users; the real control point is the moment of action, not the moment of authentication.
NHIMG editorial — based on content published by PlainID: Portable trust for AI and delegated access in CIAM
By the numbers:
- Millions of customer identities are managed at global scale with >99.99% uptime.
Questions worth separating out
Q: How should security teams enforce access decisions after login in CIAM?
A: They should use runtime authorization to evaluate each sensitive action against current consent, context, and entitlement state.
Q: When does delegated access become a governance risk?
A: Delegated access becomes risky when the delegate keeps permissions after the business purpose, relationship, or time window has ended.
Q: What breaks when AI assistants are allowed to act on behalf of users without policy checks?
A: The assistant can issue requests that look legitimate, because they are made with the user's identity and session, yet exceed the scope the user actually intended, especially when it can retrieve data, call APIs, or generate responses across sensitive systems.
Practitioner guidance
- Move sensitive decisions into runtime policy enforcement: centralise authorization for application, API, and data-layer decisions so access can be evaluated against current consent, context, and entitlement state instead of static code paths.
- Model delegation as an explicit access state: define delegated access with scope, expiry, and revocation conditions so proxies, accountants, and other on-behalf-of actors do not inherit broad standing access.
- Bind AI-assisted actions to the user's entitlement boundary: require assistants and agents to re-check policy before each sensitive retrieval, response, or API call so their actions remain within the authenticated user's permissions.
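The three points above describe one decision flow: at the moment of action, check the principal's entitlement, the consent covering the request's purpose, the request context, and, for any on-behalf-of actor, a delegation grant whose scope, expiry and revocation state are re-read on every call. The following is an added example written for this post, not PlainID's or Thales's code; the principal, grant and request records, the purpose strings, and the rule that a transfer needs assurance level 2 are all constructed for illustration.

```python
"""Runtime authorization for delegated and AI-assisted actions (added example).

A minimal policy decision point (PDP) that evaluates one sensitive action at the
moment it happens. Names, sample data and the step-up rule are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

Permission = tuple[str, str]  # (resource, action)

# Hypothetical context rule: these actions need a step-up session (assurance level 2).
STEP_UP_REQUIRED: set[Permission] = {("payments", "transfer")}


@dataclass
class Principal:
    name: str
    entitlements: set[Permission]                      # what the user may do at all
    consents: set[str] = field(default_factory=set)    # purposes the user agreed to


@dataclass
class DelegationGrant:
    """Delegation as an explicit access state: scoped, purpose-bound, expiring, revocable."""
    delegator: str
    delegate: str
    scope: set[Permission]
    purpose: str
    expires_at: datetime
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


@dataclass
class Request:
    actor: str                   # who is calling: the user, a proxy, or an AI agent
    resource: str
    action: str
    purpose: str
    assurance_level: int         # context: strength of the actor's current session
    on_behalf_of: Optional[str] = None
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Decision:
    allow: bool
    reason: str


def decide(req: Request, users: dict[str, Principal], grants: list[DelegationGrant]) -> Decision:
    perm = (req.resource, req.action)
    principal_name = req.on_behalf_of or req.actor
    principal = users.get(principal_name)
    if principal is None:
        return Decision(False, "unknown principal")
    # Entitlement state: the person the action is attributed to must hold it.
    # A delegate or agent never exceeds this boundary, whatever its grant says.
    if perm not in principal.entitlements:
        return Decision(False, f"{principal_name} lacks entitlement {perm}")
    # Consent state: the purpose of this request must be one the user agreed to.
    if req.purpose not in principal.consents:
        return Decision(False, f"no consent from {principal_name} for purpose {req.purpose!r}")
    # Context: sensitive actions require a step-up session, for agents and humans alike.
    if perm in STEP_UP_REQUIRED and req.assurance_level < 2:
        return Decision(False, f"{perm} needs assurance level 2, got {req.assurance_level}")
    if req.on_behalf_of is None:
        return Decision(True, "principal acting for self")
    # On-behalf-of: an active grant from the principal to this actor must cover this exact
    # permission and purpose. Expiry and revocation are re-read on every call, so a grant
    # that has outlived its business purpose stops working without any code change.
    for g in grants:
        if (g.delegator == principal_name and g.delegate == req.actor
                and perm in g.scope and g.purpose == req.purpose):
            if not g.active(req.now):
                return Decision(False, f"grant {g.delegator}->{g.delegate} expired or revoked")
            return Decision(True, f"delegated by {g.delegator} within grant scope")
    return Decision(False, f"no grant from {principal_name} to {req.actor} covering {perm}")


def demo() -> dict[str, bool]:
    """Constructed scenarios; returns the allow/deny outcome of each."""
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
    users = {"alice": Principal("alice",
                                entitlements={("account:balance", "read"), ("payments", "transfer")},
                                consents={"tax-prep", "assistant"})}
    grants = [
        # Accountant may read balances for tax prep, for 30 days only.
        DelegationGrant("alice", "acme-accountant", {("account:balance", "read")},
                        "tax-prep", expires_at=now + timedelta(days=30)),
        # AI assistant may read and transfer for alice, but only for one hour.
        DelegationGrant("alice", "assistant-1", {("account:balance", "read"), ("payments", "transfer")},
                        "assistant", expires_at=now + timedelta(hours=1)),
    ]

    def ask(at: datetime = now, **kw) -> bool:
        return decide(Request(now=at, **kw), users, grants).allow

    return {
        "user_reads_own_balance": ask(actor="alice", resource="account:balance", action="read",
                                      purpose="assistant", assurance_level=1),
        "accountant_reads_balance": ask(actor="acme-accountant", on_behalf_of="alice",
                                        resource="account:balance", action="read",
                                        purpose="tax-prep", assurance_level=1),
        # Scope creep: a transfer is outside the accountant's grant.
        "accountant_transfers": ask(actor="acme-accountant", on_behalf_of="alice", resource="payments",
                                    action="transfer", purpose="tax-prep", assurance_level=2),
        "assistant_transfers_stepup": ask(actor="assistant-1", on_behalf_of="alice", resource="payments",
                                          action="transfer", purpose="assistant", assurance_level=2),
        # Same transfer from a weak session: the context check denies it.
        "assistant_transfers_weak": ask(actor="assistant-1", on_behalf_of="alice", resource="payments",
                                        action="transfer", purpose="assistant", assurance_level=1),
        # Two hours later the assistant's grant has expired; its access ends with it.
        "assistant_after_expiry": ask(at=now + timedelta(hours=2), actor="assistant-1",
                                      on_behalf_of="alice", resource="account:balance",
                                      action="read", purpose="assistant", assurance_level=1),
        # A delegate never gets more than the principal: alice has no admin right.
        "assistant_admin": ask(actor="assistant-1", on_behalf_of="alice", resource="admin",
                               action="write", purpose="assistant", assurance_level=2),
    }
```

The order of checks is deliberate: entitlement and consent are evaluated against the principal the action is attributed to, not the calling agent, so an assistant's grant can only narrow the user's access, never widen it; and because the grant's expiry and revocation flag are read on each call, revoking a proxy's access takes effect on the next request rather than on the next deployment.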
What's in the full article
PlainID's full article covers the operational detail this post intentionally leaves for the source:
- How the runtime authorization model maps policy decisions across applications, APIs, and data layers
- The practical breakdown of how Thales and PlainID split authentication, consent, and enforcement responsibilities
- Examples of delegated access, customer proxy patterns, and AI-assisted action control in advanced digital business
- The vendor's own framing of portable trust for customer journeys, including the implementation context