
AI governance across the U.S. and U.K. - what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Cross-border AI adoption is diverging on culture, regulation, and security expectations, with the U.S. moving faster on deployment while the U.K. and Europe impose tighter controls around data use, human judgment, and access governance, according to ConductorOne. The key lesson is that identity programmes cannot treat AI governance, JIT access, and contractor entitlements as interchangeable policy settings across regions.

NHIMG editorial — based on content published by ConductorOne: U.S. vs. U.K. Perspectives on AI and Security

By the numbers:

Questions worth separating out

Q: How should security teams implement just-in-time access for AI-related work?

A: Start by tying each privilege grant to a specific task, identity, and expiry condition.

Q: Why do contractor identities create more governance risk than many teams assume?

A: Contractor identities often reach the same systems as employees but are governed with weaker lifecycle controls.

Q: What breaks when AI adoption outpaces identity governance?

A: Standing permissions, unclear approval paths, and inconsistent regional policy handling start to fail at scale.

Practitioner guidance

  • Differentiate access policy by jurisdiction: map AI-related identity and access workflows to the regulatory expectations of each operating region.
  • Replace standing entitlements with task-scoped access: convert high-risk access into just-in-time grants with explicit expiry, approval, and task linkage.
  • Put contractor accounts into the same lifecycle model as employees: assign each third-party identity an owner, review cadence, and offboarding trigger.

What's in the full article

ConductorOne's full blog covers the conversational details and source context this post intentionally leaves out:

  • The full discussion of how U.S. and U.K. security culture shapes day-to-day AI adoption decisions.
  • The transcript-level examples behind just-in-time access and no birthright permissions in multinational environments.
  • The comments on contractor compromise patterns and why long-standing entitlements become entry points.
  • The privacy and human judgment discussion around AI-generated workplace communications and disclosure.

👉 Read ConductorOne's discussion of U.S. and U.K. perspectives on AI and security →




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

AI governance is becoming a regional identity problem, not just a model-risk problem. The article shows that adoption speed, regulatory tolerance, and security expectations differ sharply between the U.S. and the U.K. That means the same AI capability can demand different entitlement models, approval chains, and oversight controls depending on where it is deployed. Practitioners should stop treating governance as a global template and start treating it as a jurisdiction-specific identity control problem.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who is accountable when AI output affects employees or personal data?

A: The organisation remains accountable, but the control chain must include a named human decision maker, clear records, and a review path that survives audit. In regulated environments, AI cannot be allowed to operate as an unowned layer between the request and the decision. Human oversight is part of the governance model, not a cosmetic add-on.

👉 Read our full editorial: U.S. and U.K. AI governance reveal the limits of birthright access


