TL;DR: AI adoption is widening both opportunity and attack surface. IBM says 72% of organisations used AI in at least one business function in 2024 and identity-based attacks accounted for 30% of breaches, which makes governance and real-time visibility essential, according to Imprivata. The real challenge is not whether to adopt AI, but whether identity and access controls can keep pace with its operational and security impact.
NHIMG editorial — based on content published by Imprivata: On AI Appreciation Day, Cybersecurity Experts Push for Responsible Innovation
By the numbers:
- 72% of organizations integrated AI into at least one business function in 2024.
- Identity-based attacks made up 30% of all breaches in 2024.
- The average global cost of a data breach reached $4.88 million in 2024.
Questions worth separating out
Q: How should security teams govern AI use in existing IAM programmes?
A: Treat AI as part of the identity estate, not a separate innovation layer.
Q: Why do AI systems increase identity risk even when they improve security operations?
A: AI can help defenders, but it also helps attackers scale phishing, impersonation, and credential abuse.
Q: What do security teams get wrong about AI and zero trust?
A: They often treat zero trust as a one-time architecture choice instead of continuous verification.
Practitioner guidance
- Map AI usage to identity owners: Inventory where AI is used in business functions, then tie each use case to a human owner, a service account, or a workload identity so accountability is explicit.
- Harden authentication against AI-assisted impersonation: Prioritise phishing-resistant authentication and step-up checks for access paths that protect sensitive systems, privileged functions, or high-value data.
- Use access telemetry to govern AI activity: Correlate user behaviour and access analytics with approved AI use cases so review teams can detect overreach, misuse, or undocumented expansion of access.
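One way to put the first and third points together, as an added example that is not from Imprivata or the original post: a small Python review that joins an AI use-case inventory with access telemetry and reports use cases without an owner, access outside the approved scope, and AI activity from identities that are not in the inventory. The inventory fields, identity names, resources and the `ai_client` log flag are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AIUseCase:
    name: str
    identity: str            # service account or workload identity the AI runs as
    owner: Optional[str]     # accountable human owner; None means nobody is named
    approved: frozenset      # resources the approved use case may touch

# Constructed inventory (all names are hypothetical).
INVENTORY = [
    AIUseCase("claims-summariser", "svc-ai-claims", "j.ortiz", frozenset({"claims-db"})),
    AIUseCase("hr-chat-assistant", "wl-ai-hrbot", None, frozenset({"hr-policies"})),
]

# Constructed access telemetry. The "ai_client" flag is an assumption: it stands
# for whatever signal your logs use to mark a request as coming from an AI tool.
EVENTS = [
    {"identity": "svc-ai-claims", "resource": "claims-db", "ai_client": True},
    {"identity": "svc-ai-claims", "resource": "payroll-db", "ai_client": True},
    {"identity": "svc-ai-claims", "resource": "payroll-db", "ai_client": True},
    {"identity": "wl-ai-hrbot", "resource": "hr-policies", "ai_client": True},
    {"identity": "svc-etl-nightly", "resource": "claims-db", "ai_client": False},
    {"identity": "svc-ai-shadow", "resource": "crm-export", "ai_client": True},
]

def review(inventory, events):
    """Return sorted, de-duplicated (finding, identity, detail) tuples."""
    by_identity = {uc.identity: uc for uc in inventory}
    findings = set()
    # Accountability gap: an inventoried use case with no named owner.
    for uc in inventory:
        if not uc.owner:
            findings.add(("NO_OWNER", uc.identity, uc.name))
    for ev in events:
        uc = by_identity.get(ev["identity"])
        if uc is None:
            # AI activity from an identity nobody registered as an AI use case.
            if ev["ai_client"]:
                findings.add(("UNDOCUMENTED_AI", ev["identity"], ev["resource"]))
        elif ev["resource"] not in uc.approved:
            # Registered use case reaching beyond its approved resources.
            findings.add(("OUT_OF_SCOPE", ev["identity"], ev["resource"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(INVENTORY, EVENTS):
        print(*finding, sep="\t")
```

Non-AI identities that are missing from the inventory, such as the nightly ETL account here, are deliberately ignored so the output stays focused on AI governance gaps.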
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- How the cited IBM data is used to frame enterprise AI adoption and breach exposure.
- The specific comments from Imprivata leadership on AI, visibility, and governance.
- Why user behaviour analytics and access management data are positioned as practical controls.
- The broader discussion of AI, zero trust, and real-time monitoring in the source article.
👉 Read Imprivata's perspective on AI appreciation day, identity risk, and governance →
AI governance and identity risk: what practitioners need to do
Explore further
AI governance is now an identity governance problem, not a separate strategy track. Once AI is embedded in business functions, it inherits the same access, entitlement, and audit expectations as any other actor in the environment. The difference is scale and speed, not category. That means IAM, NHI, and lifecycle governance need to treat AI usage as part of the same control fabric, not as an adjacent innovation initiative. Practitioners should stop separating AI governance from identity governance.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who should own AI governance when business teams are adopting it quickly?
A: Ownership should sit with the business function using AI, supported by IAM, security, and risk teams. That model keeps accountability tied to the actual use case instead of allowing governance to drift into a shared-no-one model.
👉 Read our full editorial: AI appreciation day exposes the identity governance gap around AI