TL;DR: AI is reshaping cybersecurity operations, but the bigger governance problem is shadow AI, agentic identity, and the need for human oversight as budgets stay flat, according to SPHERE Technology Solutions and Ed Amoroso. Identity programmes now have to track ownership, provenance, and continuous access decisions across people, machines, and AI agents.
NHIMG editorial — based on content published by SPHERE Technology Solutions: podcast highlights from Smells Like Identity Hygiene on AI in cybersecurity
Questions worth separating out
Q: What breaks when shadow AI is not inventoried and owned?
A: Identity governance breaks first, because unknown AI systems cannot be reviewed, constrained, or offboarded.
Q: Why do AI-driven systems complicate IAM and PAM programmes?
A: Because access is no longer the whole problem. An AI-driven system with approved entitlements can still choose its own tools, sequence actions, or keep going without a human approving each step, so IAM and PAM have to govern what the system does at runtime, not only what it is entitled to reach.
Q: How do security teams know if AI oversight is actually working?
A: Look for three signals: every AI-enabled system has an owner, every sensitive action is logged, and every exception can be tied back to an approved decision path.
Practitioner guidance
- Inventory shadow AI before expanding policy: map every AI-enabled workflow, assistant, and embedded agent to a named business owner, data path, and access method.
- Classify AI systems by runtime authority: separate simple automation from systems that can choose tools, sequence actions, or continue without approval.
- Extend access reviews to AI behaviour logs: review not only entitlements but also the actions AI systems actually performed, including data access, tool calls, and outbound communications.
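The three oversight signals and the three guidance items above can be turned into a mechanical check. The script below is an added example, not code from the SPHERE recap or from NHIMG: it classifies two constructed AI systems by runtime authority, then reviews a constructed behaviour log (JSON lines) for actors missing from the inventory, data access outside approved paths, unapproved tools, and sensitive or outbound actions that carry no approval reference. The inventory fields, the autonomy labels, the log format and the sets of "sensitive" and "outbound" actions are assumptions made for the example.

```python
# Added example (not from the SPHERE recap or the NHIMG editorial): an offline check of the
# three oversight signals against a constructed AI-system inventory and a constructed
# behaviour log. Field names, autonomy labels and the log format are assumptions.
import json
from dataclasses import dataclass
from typing import Optional, FrozenSet, Dict, List, Tuple


@dataclass(frozen=True)
class AISystem:
    name: str
    owner: Optional[str]          # named business owner; None means nobody is accountable
    access_method: str            # how it authenticates: service account, OAuth app, API key
    data_paths: FrozenSet[str]    # data it is approved to touch
    allowed_tools: FrozenSet[str] # tools it is approved to call
    autonomy: str                 # result of classify_autonomy()


def classify_autonomy(chooses_tools: bool, sequences_actions: bool,
                      continues_without_approval: bool) -> str:
    """Separate simple automation from agentic systems by runtime authority (guidance item 2)."""
    if continues_without_approval:
        return "autonomous"
    if chooses_tools or sequences_actions:
        return "agentic"
    return "automation"


# Constructed inventory: one owned agentic system, one autonomous system with no owner.
INVENTORY: Dict[str, AISystem] = {
    "ticket-triage-bot": AISystem(
        "ticket-triage-bot", "support-ops", "service_account",
        frozenset({"helpdesk/tickets"}), frozenset({"summarise", "send_email"}),
        classify_autonomy(True, True, False)),
    "sql-helper": AISystem(
        "sql-helper", None, "api_key",
        frozenset({"analytics/reporting"}), frozenset({"run_query"}),
        classify_autonomy(False, False, True)),
}

# Constructed behaviour log. "approval" is a change/decision reference when one exists.
BEHAVIOUR_LOG = """
{"agent": "ticket-triage-bot", "action": "read", "resource": "helpdesk/tickets", "approval": null}
{"agent": "ticket-triage-bot", "action": "tool_call", "tool": "send_email", "target": "customer@example.net", "approval": "CHG-1042"}
{"agent": "ticket-triage-bot", "action": "tool_call", "tool": "send_email", "target": "partner@example.org", "approval": null}
{"agent": "ticket-triage-bot", "action": "read", "resource": "crm/customers", "approval": null}
{"agent": "sql-helper", "action": "tool_call", "tool": "run_query", "target": "analytics/reporting", "approval": null}
{"agent": "copilot-plugin-7", "action": "read", "resource": "hr/payroll", "approval": null}
"""

SENSITIVE_ACTIONS = {"tool_call", "write", "delete"}  # assumption: these need an approved decision path
OUTBOUND_TOOLS = {"send_email", "http_post"}          # assumption: these are outbound communications

Finding = Tuple[str, str, str]  # (severity, actor, description)


def review_inventory(inventory: Dict[str, AISystem]) -> List[Finding]:
    """Signal 1: every AI-enabled system has a named owner. Ownerless autonomy is the worst case."""
    findings: List[Finding] = []
    for s in inventory.values():
        if s.owner is None:
            sev = "high" if s.autonomy == "autonomous" else "medium"
            findings.append((sev, s.name, f"no named owner ({s.autonomy}, {s.access_method})"))
    return findings


def review_behaviour(log_text: str, inventory: Dict[str, AISystem]) -> List[Finding]:
    """Signals 2 and 3: every logged action is attributable to an inventoried system,
    stays inside its approved data paths and tools, and sensitive actions cite an approval."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        agent = ev["agent"]
        system = inventory.get(agent)
        if system is None:
            findings.append(("high", agent, "shadow AI: actor not in inventory"))
            continue
        if ev["action"] == "read" and ev["resource"] not in system.data_paths:
            findings.append(("medium", agent, f"data access outside approved paths: {ev['resource']}"))
        if ev["action"] == "tool_call" and ev["tool"] not in system.allowed_tools:
            findings.append(("high", agent, f"unapproved tool: {ev['tool']}"))
        if ev["action"] in SENSITIVE_ACTIONS and not ev.get("approval"):
            outbound = ev.get("tool") in OUTBOUND_TOOLS
            kind = "outbound communication" if outbound else "sensitive action"
            findings.append(("high" if outbound else "medium", agent,
                             f"{kind} {ev.get('tool', ev['action'])} with no approval reference"))
    return findings


def run_checks() -> List[Finding]:
    return review_inventory(INVENTORY) + review_behaviour(BEHAVIOUR_LOG, INVENTORY)


if __name__ == "__main__":
    for sev, actor, desc in run_checks():
        print(f"[{sev}] {actor}: {desc}")
```

In a real review the inventory would come from the IAM or NHI register and the log from the agent platform's audit trail; the point of the structure is that an actor absent from the inventory is itself the finding, and that "had the entitlement" and "had an approved reason to act" are checked separately.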
What's in the full article
SPHERE Technology Solutions' full podcast recap covers the operational detail this post intentionally leaves for the source:
- The full conversation context around Ed Amoroso’s budgeting and operating-model comments, useful if you need the original phrasing.
- The discussion of shadow AI examples and how unmanaged AI features can appear inside everyday tools and workflows.
- The wider commentary on deepfakes, human judgment, and how security leaders should frame AI risk in executive language.
👉 Read SPHERE Technology Solutions' podcast recap on AI in cybersecurity and shadow AI →
Shadow AI and agentic identity: what IAM teams need to know
Shadow AI is an identity inventory problem before it is an AI problem. The article correctly points to unknown AI use as the real danger because organisations cannot govern identities they have not discovered. That aligns with NHI governance reality: ownership, lineage, and approval matter more than whether the tool is branded as AI. Practitioners should treat undiscovered AI access as an identity hygiene failure, not a separate innovation issue.
A few things that frame the scale:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when an AI system acts outside its intended scope?
A: The organisation is accountable, but operational accountability should sit with the named owner of the AI system and the team that approved its access. If no one can explain why the system had access or who could stop it, the governance model has failed. Accountability must be explicit before the AI is deployed.
👉 Read our full editorial: AI in cybersecurity is exposing shadow AI governance gaps