Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI at work and identity risk: what practitioners should simplify


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI is accelerating software delivery, customer response, and security work, but it also expands prompt, agent, and data leakage risk, according to Netwrix. The practical lesson is that identity, permissions, and evidence-based policy enforcement matter more as AI speeds up execution and reduces the time available for control review.

NHIMG editorial — based on content published by Netwrix: AI at Work: Speed, Risk, and Why Simplicity Wins

By the numbers:

Questions worth separating out

Q: How should security teams govern AI-assisted workflows without overcomplicating IAM?

A: Start by mapping every AI-assisted workflow to the same identity source, approval owner, and review cycle used for non-AI work.

Q: Why do AI tools increase identity and data exposure risk?

A: AI tools increase exposure risk because they speed up decisions while widening the number of places sensitive information can appear, move, or be reused.

Q: What do IAM teams get wrong about simplifying AI governance?

A: They often assume simplification means less control, when the real goal is fewer control paths with clearer ownership and stronger evidence.

Practitioner guidance

  • Collapse AI access into existing identity policy paths Do not create separate approval or review logic for every AI-enabled use case.
  • Reduce permission creep before expanding AI adoption Review high-visibility access paths first, especially those that can expose customer, salary, or operational data through AI-assisted queries.
  • Make evidence collection continuous, not episodic Capture access and policy evidence as controls run, rather than reconstructing it after the fact.

What's in the full article

Netwrix's full blog covers the operational detail this post intentionally leaves for the source:

  • How Netwrix describes AI adoption across internal teams and customer-facing work
  • The specific examples it uses for prompt risk, social engineering, and internal permission creep
  • Its product-oriented framing for visibility, threat detection, and data security controls
  • The closing perspective on how to keep AI use simple inside an existing security programme

👉 Read Netwrix's analysis of AI at work, speed, risk, and simplicity →

AI at work and identity risk: what practitioners should simplify?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Simplicity is now an identity governance control, not just an operating preference. The article is right that complexity slows teams down, but the deeper point is that complex governance often breaks before security teams notice it. In identity programmes, every extra exception, workflow branch, and manual approval increases the chance that access and actual need diverge. Practitioners should read this as a warning that control sprawl becomes its own risk surface.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who should own policy enforcement when AI is used in daily work?

A: Ownership should stay with the identity, data, or application team that already controls the underlying entitlement and risk. AI changes the speed of the work, but it does not remove accountability for who can access, modify, or disclose information.

👉 Read our full editorial: AI at work: why simplicity wins for identity and data risk



   
ReplyQuote
Share: