Identity at KubeCon Europe 2025: are your controls ready for AI and workloads?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7677
Topic starter

TL;DR: According to Cerbos, KubeCon Europe 2025 showed the cloud-native stack moving from building blocks to operating systems, with AI, workload identity, and policy-driven authorization converging on one problem: identity is now the control plane, not an afterthought. Treating services and AI agents as first-class identities is now a prerequisite for secure production systems.

NHIMG editorial — based on content published by Cerbos: KubeCon Europe 2025 analysis of AI, workload identity, and policy-based access control

Questions worth separating out

Q: How should teams govern workload identities in cloud-native environments?

A: Start by treating every workload as a first-class identity with an owner, an access boundary, and a revocation path.

Q: Why do AI workloads complicate existing IAM and authorisation models?

A: AI workloads can hold state, make runtime decisions, and trigger downstream actions across multiple systems, so they behave more like governed non-human identities than static services.

Q: What breaks when authorisation is hardcoded into application logic?

A: Hardcoded access rules become brittle as systems grow, because each code path must be updated and retested whenever permissions change.

Practitioner guidance

  • Inventory all non-human identities across clusters and pipelines: build a single view of service accounts, sidecars, schedulers, API tokens, and AI workloads so access ownership and trust paths are visible.
  • Replace shared secrets with unique workload identities: use federated identity patterns and short-lived credentials so each workload has a verifiable identity that can be traced and revoked without impacting unrelated systems.
  • Externalise authorisation into version-controlled policy: move access rules out of application code and cluster manifests, then test policy changes like any other production control so they can be reviewed before deployment.
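As an added illustration of the third item and of the hardcoded-rules question above (example code written for this post, not code from Cerbos or the article), the snippet below places a hardcoded check beside a policy-driven one. The policy document, the `example.org` trust domain and the SPIFFE-style workload IDs are all constructed for the example; the policy format is a simplified stand-in, not Cerbos or AuthZEN syntax.

```python
"""Hardcoded authorisation beside an externalised, data-driven policy (constructed example)."""
from dataclasses import dataclass, field

# Before: rules baked into the code path. Every permission change means editing
# and retesting this function, and the rule is invisible to reviewers of policy.
def can_export_hardcoded(principal_id: str, is_admin: bool) -> bool:
    return is_admin or principal_id == "spiffe://example.org/ns/reports/sa/exporter"

# After: rules live in a policy document that is versioned and reviewed separately.
# Constructed policy format: ordered rules matched on resource, action and a
# workload-identity prefix; deny overrides allow; unmatched requests get the default.
POLICY = {
    "version": "2025-04-01",  # constructed: tracks the reviewed policy revision
    "rules": [
        {"resource": "report", "action": "export",
         "principal_prefix": "spiffe://example.org/ns/reports/", "effect": "allow"},
        {"resource": "report", "action": "export",
         "principal_prefix": "spiffe://example.org/ns/ai-agents/", "effect": "deny"},
        {"resource": "report", "action": "read",
         "principal_prefix": "spiffe://example.org/", "effect": "allow"},
    ],
    "default": "deny",
}

@dataclass
class Principal:
    id: str  # workload identity; a SPIFFE-style URI in this example
    attrs: dict = field(default_factory=dict)

def decide(policy: dict, principal: Principal, resource: str, action: str) -> str:
    """Return "allow" or "deny" for one request against the externalised policy."""
    effects = [
        r["effect"] for r in policy["rules"]
        if r["resource"] == resource and r["action"] == action
        and principal.id.startswith(r["principal_prefix"])
    ]
    if "deny" in effects:      # an explicit deny always wins
        return "deny"
    if "allow" in effects:
        return "allow"
    return policy["default"]   # nothing matched: fall back to default-deny

if __name__ == "__main__":
    agent = Principal("spiffe://example.org/ns/ai-agents/sa/summariser")
    print(decide(POLICY, agent, "report", "read"))    # allow
    print(decide(POLICY, agent, "report", "export"))  # deny
```

Changing who may export a report is now a reviewed edit to `POLICY`, not a code change, and the AI-agent workload is governed by the same rule set as any other service identity.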

What's in the full article

Cerbos's full blog post covers the operational detail this post intentionally leaves for the source:

  • A closer look at how the article frames SPIFFE, workload identity federation, and service mesh integration in production.
  • Cerbos's specific examples of policy-driven authorisation patterns for cloud-native services and AI workloads.
  • The article's discussion of AuthZEN and why externalised policy is becoming the default abstraction for modern authorisation.
  • The operational context behind treating AI workloads as tier-one services rather than isolated experiments.

👉 Read Cerbos's analysis of identity-first cloud-native operations at KubeCon Europe 2025 →
