TL;DR: KubeCon Europe 2025 showed the cloud-native stack moving from building blocks to operating systems, with AI, workload identity, and policy-driven authorization converging around one problem: identity is now the control plane, not an afterthought, according to Cerbos. Treating services and AI agents as first-class identities is now a prerequisite for secure production systems.
NHIMG editorial — based on content published by Cerbos: KubeCon Europe 2025 analysis of AI, workload identity, and policy-based access control
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should teams govern workload identities in cloud-native environments?
A: Start by treating every workload as a first-class identity with an owner, an access boundary, and a revocation path.
Q: Why do AI workloads complicate existing IAM and authorisation models?
A: AI workloads can hold state, make runtime decisions, and trigger downstream actions across multiple systems, so they behave more like governed non-human identities than static services.
Q: What breaks when authorisation is hardcoded into application logic?
A: Hardcoded access rules become brittle as systems grow, because each code path must be updated and retested whenever permissions change.
Practitioner guidance
- Inventory all non-human identities across clusters and pipelines Build a single view of service accounts, sidecars, schedulers, API tokens, and AI workloads so access ownership and trust paths are visible.
- Replace shared secrets with unique workload identities Use federated identity patterns and short-lived credentials so each workload has a verifiable identity that can be traced and revoked without impacting unrelated systems.
- Externalise authorisation into version-controlled policy Move access rules out of application code and cluster manifests, then test policy changes like any other production control so they can be reviewed before deployment.
What's in the full article
Cerbos's full blog post covers the operational detail this post intentionally leaves for the source:
- A closer look at how the article frames SPIFFE, workload identity federation, and service mesh integration in production.
- Cerbos's specific examples of policy-driven authorisation patterns for cloud-native services and AI workloads.
- The article's discussion of AuthZEN and why externalised policy is becoming the default abstraction for modern authorisation.
- The operational context behind treating AI workloads as tier-one services rather than isolated experiments.
👉 Read Cerbos's analysis of identity-first cloud-native operations at KubeCon Europe 2025 →
Identity at KubeCon Europe 2025: are your controls ready for AI and workloads?
Explore further
Identity is becoming the control plane for cloud-native and AI operations. The article reflects a broader industry shift away from infrastructure-first thinking toward identity-first governance. When services, schedulers, sidecars, and AI agents all need verifiable access, identity stops being a peripheral control and becomes the mechanism that defines safe execution. Practitioners should treat identity design as platform architecture, not just IAM administration.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do identity teams reduce blast radius for non-human identities?
A: Limit credential scope, separate duties across workloads, and ensure every identity has a clear offboarding path. The goal is to stop one compromised or over-privileged service from becoming the trust bridge into many other systems, which is where many cloud incidents spread.
👉 Read our full editorial: KubeCon Europe 2025 shows identity becoming the control plane