AI for security, third-party risk, and NHI identity at RSA 2025


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: RSA 2025 made one pattern clear: AI is moving into security workflows while third-party risk and non-human identity sprawl are moving to the centre of identity governance, according to Oasis Security’s conference takeaways. The practical shift is that IAM, NHI, and AI security controls now have to be designed together, not as separate programmes.

NHIMG editorial — based on content published by Oasis Security: RSA 2025: 5 Takeaways on AI, Third-Party Risk & the Future of Identity

By the numbers:

Questions worth separating out

Q: How should security teams govern AI-assisted workflows that can take action on their own?

A: Security teams should govern AI-assisted workflows as identities with assigned owners, bounded permissions, and explicit approval paths.

Q: Why do third-party integrations increase identity risk so quickly?

A: Third-party integrations increase identity risk because they extend trust through credentials, tokens, and delegated access rather than through direct human oversight.

Q: What breaks when non-human identities are managed separately from AI security?

A: What breaks is the ability to see the full trust chain.

Practitioner guidance

  • Treat AI copilots as governed identities: Assign every AI-assisted workflow an owner, a permission boundary, and an approval model before it is allowed to act on security data or response paths.
  • Collapse third-party access into your NHI inventory: Track supplier-issued API keys, service accounts, and embedded tokens in the same register as internal non-human identities so revocation and review follow one process.
  • Measure identity blast radius, not just asset count: Review which systems each credential can reach, which actions it can trigger, and whether those permissions are still justified by the current business relationship.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Conference-specific examples from RSA hallway conversations and panel themes that shaped the five takeaways
  • How Oasis Security frames discovery, context, anomaly detection, and lifecycle governance for non-human identities
  • The product-side context behind Oasis NHI Provisioning and the associated operational workflows
  • The broader conference signals around AI for security and security for AI that did not fit in this analysis

👉 Read Oasis Security's RSA 2025 takeaways on AI, third-party risk, and identity →


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

AI security and NHI governance are now converging on the same control plane. The article is right that AI for security is moving into production, but the deeper implication is that the identities behind those workflows matter more than the model itself. Once copilots, responders, and supplier integrations can take action, identity scope becomes the real boundary of trust. Practitioners should treat AI adoption as an identity architecture decision, not a feature rollout.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.

A question worth separating out:

Q: How can IAM teams reduce risk from supplier access and machine identities together?

A: IAM teams should use one lifecycle model for supplier access and machine identities, with discovery, ownership, review, and revocation linked together. That makes it easier to spot stale access, duplicate privileges, and forgotten integrations before they create a wider attack surface.

👉 Read our full editorial: RSA 2025 showed identity becoming the control plane for AI and NHIs

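Added example, not code from either post or from Oasis Security: one register for internal service accounts, supplier-issued keys and an AI workflow, with the checks the topic starter's practitioner guidance and @mr-nhi's answer on supplier access both describe (owner, permission boundary, approval path, review and revocation on one process, blast radius). All identity names, systems, thresholds and dates are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data and thresholds (hypothetical); not real systems or keys.
TODAY = date(2025, 5, 1)
REVIEW_MAX_AGE = timedelta(days=90)   # assumed review cadence for every NHI
IDLE_MAX_AGE = timedelta(days=60)     # assumed threshold for a "forgotten integration"


@dataclass
class NHI:
    name: str
    kind: str                      # service_account | api_key | ai_workflow
    issuer: str                    # "internal" or the supplier that issued it
    owner: str | None              # accountable team; None means orphaned
    scopes: dict[str, set[str]]    # system -> actions this credential can trigger
    last_used: date
    last_reviewed: date
    justification: str | None      # business reason; None means nobody can say why it exists
    # (system, action) pairs that need explicit human sign-off before the identity may act
    needs_approval: set[tuple[str, str]] = field(default_factory=set)


def blast_radius(n: NHI) -> tuple[int, int]:
    """(systems reachable, distinct actions triggerable) for one credential."""
    return len(n.scopes), sum(len(a) for a in n.scopes.values())


def authorize(n: NHI, system: str, action: str, approved_by: str | None = None) -> str:
    """Permission boundary first, then the approval path for actions flagged as risky."""
    if action not in n.scopes.get(system, set()):
        return "deny:out_of_scope"
    if (system, action) in n.needs_approval and approved_by is None:
        return "deny:approval_required"
    return "allow"


def findings(register: list[NHI], today: date = TODAY) -> dict[str, list[str]]:
    """Run the same lifecycle checks over internal and supplier-issued identities."""
    out: dict[str, list[str]] = {"orphaned": [], "stale_review": [], "idle": [],
                                 "unjustified": [], "duplicate_privilege": []}
    seen: dict[tuple, str] = {}
    for n in register:
        if n.owner is None:
            out["orphaned"].append(n.name)
        if today - n.last_reviewed > REVIEW_MAX_AGE:
            out["stale_review"].append(n.name)
        if today - n.last_used > IDLE_MAX_AGE:
            out["idle"].append(n.name)
        if n.justification is None:
            out["unjustified"].append(n.name)
        # same owner and an identical scope set is a duplicate privilege
        key = (n.owner, tuple(sorted((s, tuple(sorted(a))) for s, a in n.scopes.items())))
        if key in seen:
            out["duplicate_privilege"].append(f"{n.name} duplicates {seen[key]}")
        else:
            seen[key] = n.name
    return out


def review_queue(register: list[NHI], today: date = TODAY) -> list[str]:
    """Order identities by (number of findings, actions reachable), worst first."""
    f = findings(register, today)

    def flags(n: NHI) -> int:
        return sum(1 for names in f.values() for x in names if x.split(" ")[0] == n.name)

    return [n.name for n in sorted(register, key=lambda n: (flags(n), blast_radius(n)[1]), reverse=True)]


REGISTER = [
    NHI("ci-deploy-sa", "service_account", "internal", "platform",
        {"k8s-prod": {"deploy", "read"}, "registry": {"push"}},
        TODAY - timedelta(days=1), TODAY - timedelta(days=30), "CI pipeline deploys"),
    NHI("vendor-x-api-key", "api_key", "VendorX", None,
        {"crm": {"read", "export"}},
        TODAY - timedelta(days=120), TODAY - timedelta(days=200), None),
    NHI("soc-copilot", "ai_workflow", "internal", "secops",
        {"siem": {"query"}, "edr": {"isolate_host"}},
        TODAY, TODAY - timedelta(days=10), "alert triage assistant",
        needs_approval={("edr", "isolate_host")}),
    NHI("ci-deploy-sa-old", "service_account", "internal", "platform",
        {"k8s-prod": {"deploy", "read"}, "registry": {"push"}},
        TODAY - timedelta(days=90), TODAY - timedelta(days=100), "CI pipeline deploys"),
]

if __name__ == "__main__":
    for n in REGISTER:
        print(n.name, n.issuer, blast_radius(n))
    print(findings(REGISTER))
    print(review_queue(REGISTER))
    print(authorize(REGISTER[2], "edr", "isolate_host"))
```

The supplier key and the internal service accounts go through identical checks, so the orphaned VendorX key and the duplicated deploy account surface in the same queue; the copilot can query the SIEM on its own but cannot isolate a host until a named approver is recorded.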