TL;DR: AI is lowering the activation energy for expertise, customization, and code generation, which can weaken the old economies-of-scale model that security programmes were built around, according to Knostic and Sounil Yu’s remarks at the SANS 2025 Government Security Forum. The governance challenge is no longer just controlling access at scale, but preserving control as systems become more distributed, ephemeral, and customised.
NHIMG editorial — based on content published by Knostic: AI as an enzyme that lowers the activation energy for startups
By the numbers:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to the 2026 Infrastructure Identity Survey.
Questions worth separating out
Q: How should security teams govern AI-driven customisation without losing control?
A: Security teams should govern AI-driven customisation by treating generated code, workflows, and access paths as managed assets with explicit ownership and policy checks.
Q: Why does AI make economies of scale harder to secure?
A: AI makes economies of scale harder to secure because it lowers the cost of building bespoke solutions, which reduces reliance on standardised systems and shared dependencies.
Q: What breaks when security programmes assume systems stay uniform?
A: When programmes assume systems stay uniform, anomaly detection, access review, and configuration governance all lose accuracy as customisation increases.
Practitioner guidance
- Review dependency concentration across AI-enabled systems Identify where standardised platforms, shared code paths, or common identity services could create correlated failure across teams.
- Test whether governance can handle ephemeral operating models Check whether logging, approvals, and entitlement reviews still assume identities, services, or code artefacts exist long enough to be observed and certified.
- Harden identity controls around generated artefacts Treat AI-generated code and custom workflows as first-class governed assets.
What's in the full article
Knostic's full analysis covers the operational detail this post intentionally leaves for the source:
- How the DIE framing changes architecture choices in AI-enabled infrastructure
- Examples of AI-driven custom code generation and why it complicates software composition analysis
- The security trade-offs between distribution, immutability, and ephemerality in real environments
- Knostic's applied use cases for AI data governance and oversharing detection
👉 Read Knostic's analysis of how AI is changing scale, security, and governance →
AI as a security enzyme: what changes for governance teams?
Explore further
AI is turning scale from a governance advantage into a governance liability. The article’s core claim is not simply that AI increases productivity. It is that AI undermines the operational assumptions that made centralised scale manageable in the first place. That means identity and security programmes built around uniform platforms, shared dependencies, and repeatable controls will face more fragmentation and more variance. Practitioners should treat scale itself as a risk variable, not only as an efficiency metric.
A few things that frame the scale:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, according to the 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who is accountable when AI-generated systems create new security risk?
A: Accountability should stay with the teams that approve deployment, own the identity surface, and accept the operational risk of AI-generated systems. AI can accelerate creation, but it does not replace ownership. If a generated workflow or custom code path reaches production, the organisation still needs a named owner for access, review, and remediation.
👉 Read our full editorial: AI scale is changing cybersecurity assumptions in enterprise governance