AI governance at work speed: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: As AI moves routine work into tools that reach company data and core systems, access decisions multiply faster than human review cadences can handle, according to ConductorOne. The governance gap is no longer about visibility alone; it is about whether identity controls can keep pace with work that now happens inside the flow of execution.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams govern AI assistants that can perform access work?

A: Treat the assistant as a delegated execution path, not a chat feature.

Q: Why do AI assistants change IAM and IGA operating models?

A: They reduce the gap between request, approval, and execution, which can improve adoption and reduce workaround behaviour.

Q: What breaks when access reviews stay detached from the work being done?

A: Review completion drops and exceptions accumulate because people skip processes that are slow, inconvenient, or out of context.

Practitioner guidance

  • Map every assistant action to a specific control owner. Document which requests the assistant may prepare, which it may execute, and which always require a human approver.
  • Separate read-only and write-capable workflows. Allow the assistant to gather evidence and draft reviews without changing entitlements, then require a distinct approval step before revocation, escalation, or campaign changes.
  • Test audit fidelity in the same workspace where work happens. Verify that Slack-thread actions write the same identity, policy, and change records as console actions, with no hidden side channel for execution or evidence.

What's in the full announcement

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • Slack-side task execution flows for access review, entitlement changes, and evidence generation.
  • Policy and approval mechanics for actions that require human review before execution.
  • How the assistant attributes actions and writes receipts into the audit trail.
  • Default-enabled behaviour for teams already using the C1 Slack app.

👉 Read ConductorOne's analysis of governed AI assistants for access work →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Governance at AI speed is really a control-placement problem. When access work moves into the workspace, the control point must move with it or the programme falls back to a slower, disconnected review model. That is why the article matters for identity governance as a discipline: latency becomes a governance failure, not just an inconvenience. Practitioners should read this as a signal that workflow placement is now part of control design.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: How do organisations keep AI-assisted access changes accountable?

A: Use explicit approval gates for write actions, keep role attribution visible, and preserve evidence for who requested, approved, and executed each change. Accountability depends on being able to reconstruct the decision chain after the fact, including the assistant’s role in the workflow.

👉 Read our full editorial: AI governance at work speed needs governed agents, not faster tabs

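The decision-chain check described in the thread above (approval gates for write actions, visible attribution, and the same identity and policy records whichever channel executed the change), as an added example that is not part of either post or of ConductorOne's product. The event schema, field names and sample records are constructed for illustration.

```python
from collections import defaultdict

# Write-capable actions named in the guidance; everything else is treated as read-only.
WRITE_ACTIONS = {"revoke", "escalate", "campaign_change"}
STAGES = ("requested", "approved", "executed")
FIELDS = ("actor", "policy_id")  # identity and policy must be on every record

def ev(cid, stage, actor, kind, action, channel, **extra):
    """Build one constructed audit event (hypothetical schema)."""
    return dict(change_id=cid, stage=stage, actor=actor, actor_type=kind,
                action=action, channel=channel, **extra)

# Constructed sample data, not output from any real product.
SAMPLE_EVENTS = [
    ev("c1", "requested", "alice", "human", "revoke", "slack", policy_id="p-7"),
    ev("c1", "approved", "bob", "human", "revoke", "slack", policy_id="p-7"),
    ev("c1", "executed", "assistant", "assistant", "revoke", "slack",
       policy_id="p-7", on_behalf_of="alice"),
    ev("c2", "requested", "carol", "human", "escalate", "slack", policy_id="p-2"),
    ev("c2", "executed", "assistant", "assistant", "escalate", "slack", policy_id="p-2"),
    ev("c3", "requested", "assistant", "assistant", "draft_review", "slack", policy_id="p-7"),
    ev("c4", "requested", "dave", "human", "revoke", "console", policy_id="p-7"),
    ev("c4", "approved", "assistant", "assistant", "revoke", "slack", policy_id="p-7"),
    ev("c4", "executed", "dave", "human", "revoke", "slack"),
]

def check_decision_chains(events):
    """Return {change_id: [problems]} for write actions whose chain cannot be reconstructed."""
    chains = defaultdict(dict)
    for e in events:
        chains[e["change_id"]][e["stage"]] = e
    findings = {}
    for cid, chain in chains.items():
        if not any(e["action"] in WRITE_ACTIONS for e in chain.values()):
            continue  # evidence gathering and drafts need no approval gate
        problems = [f"missing {s} record" for s in STAGES if s not in chain]
        for stage, e in chain.items():
            problems += [f"{stage} record lacks {f}" for f in FIELDS if not e.get(f)]
        approval, execution = chain.get("approved"), chain.get("executed")
        if approval and approval["actor_type"] != "human":
            problems.append("approver is not human")
        if execution and execution["actor_type"] == "assistant" \
                and not execution.get("on_behalf_of"):
            problems.append("assistant execution not attributed to a human")
        if problems:
            findings[cid] = problems
    return findings

if __name__ == "__main__":
    for cid, problems in check_decision_chains(SAMPLE_EVENTS).items():
        print(cid, problems)
```

Run against a real audit export, the same checks would flag any write action that skipped the approval gate or whose Slack-side record carries less than the console-side one.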