Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI as a security enzyme: what changes for governance teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9924
Topic starter  

TL;DR: AI is lowering the activation energy for expertise, customization, and code generation, which can weaken the old economies-of-scale model that security programmes were built around, according to Knostic and Sounil Yu’s remarks at the SANS 2025 Government Security Forum. The governance challenge is no longer just controlling access at scale, but preserving control as systems become more distributed, ephemeral, and customised.

NHIMG editorial — based on content published by Knostic: AI as an enzyme that lowers the activation energy for startups

By the numbers:

Questions worth separating out

Q: How should security teams govern AI-driven customisation without losing control?

A: Security teams should govern AI-driven customisation by treating generated code, workflows, and access paths as managed assets with explicit ownership and policy checks.

Q: Why does AI make economies of scale harder to secure?

A: AI makes economies of scale harder to secure because it lowers the cost of building bespoke solutions, which reduces reliance on standardised systems and shared dependencies.

Q: What breaks when security programmes assume systems stay uniform?

A: When programmes assume systems stay uniform, anomaly detection, access review, and configuration governance all lose accuracy as customisation increases.

Practitioner guidance

  • Review dependency concentration across AI-enabled systems Identify where standardised platforms, shared code paths, or common identity services could create correlated failure across teams.
  • Test whether governance can handle ephemeral operating models Check whether logging, approvals, and entitlement reviews still assume identities, services, or code artefacts exist long enough to be observed and certified.
  • Harden identity controls around generated artefacts Treat AI-generated code and custom workflows as first-class governed assets.

What's in the full article

Knostic's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the DIE framing changes architecture choices in AI-enabled infrastructure
  • Examples of AI-driven custom code generation and why it complicates software composition analysis
  • The security trade-offs between distribution, immutability, and ephemerality in real environments
  • Knostic's applied use cases for AI data governance and oversharing detection

👉 Read Knostic's analysis of how AI is changing scale, security, and governance →

AI as a security enzyme: what changes for governance teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9408
 

AI is turning scale from a governance advantage into a governance liability. The article’s core claim is not simply that AI increases productivity. It is that AI undermines the operational assumptions that made centralised scale manageable in the first place. That means identity and security programmes built around uniform platforms, shared dependencies, and repeatable controls will face more fragmentation and more variance. Practitioners should treat scale itself as a risk variable, not only as an efficiency metric.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when AI-generated systems create new security risk?

A: Accountability should stay with the teams that approve deployment, own the identity surface, and accept the operational risk of AI-generated systems. AI can accelerate creation, but it does not replace ownership. If a generated workflow or custom code path reaches production, the organisation still needs a named owner for access, review, and remediation.

👉 Read our full editorial: AI scale is changing cybersecurity assumptions in enterprise governance



   
ReplyQuote
Share: