Agentic AI Module Added To NHI Training Course


AI in CISO security stacks: are identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: AI can accelerate detection, surface hidden risk, and help security teams scale, but RSA Security cites Gartner guidance that success depends on direct security objectives, independent assessment, and preserving passwordless MFA discipline. The core issue is not AI adoption itself but whether identity controls remain aligned to measurable outcomes.

NHIMG editorial — based on content published by RSA Security: Multi-Factor Authentication The Right Way for CISOs to Use AI, Defined by Gartner

By the numbers:

Questions worth separating out

Q: How should security teams implement AI in identity-heavy environments?

A: Start with a narrow use case tied to a measurable security outcome, such as faster alert triage or fewer false positives.

Q: Why do AI-driven phishing attacks make passwordless authentication more important?

A: AI can generate more convincing phishing messages, which increases the chance that users will hand over credentials.

Q: What breaks when AI tools can trigger identity actions without policy guardrails?

A: Automated recommendations can turn into unintended access changes, revocations, or escalations before a human can validate them.

Practitioner guidance

  • Tie AI use cases to measurable security outcomes: Approve AI only where the use case maps to a concrete maturity gap, such as triage time, false positives, or analyst overload.
  • Expand phishing-resistant MFA across high-risk access paths: Move privileged users, admins, and remote workers off password-based flows where possible, then extend coverage to remaining enterprise applications and federated access points.
  • Separate AI recommendations from identity execution: Allow AI to recommend actions, but keep access changes, revocations, and exception handling behind policy checks and approval boundaries.

The practical response is to separate recommendation from execution, then anchor each workflow to a measurable control objective and a named owner.

👉 Read RSA Security's analysis of AI use for CISOs and identity controls →


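The guidance above to separate AI recommendation from identity execution, shown as an added example that is not part of either post or of the RSA Security analysis: a Python policy gate in which a recommender can only submit proposals. Informational actions (opening a ticket) execute automatically; identity-changing actions (grants, revocations, privilege escalations, policy exceptions) are queued for a named owner role, and only an approval from that role reaches the execution backend. Every outcome is written to an audit trail so the control objective stays measurable. The action names, owner roles, confidence threshold and sample recommendations are assumptions constructed for this demo, not values from the page.

```python
"""Policy gate between an AI recommender and identity execution (added example)."""
from dataclasses import dataclass
from enum import Enum
from itertools import count
from typing import Optional


class Action(Enum):
    OPEN_TICKET = "open_ticket"            # informational: safe to automate
    GRANT_ACCESS = "grant_access"          # identity change: needs approval
    REVOKE_ACCESS = "revoke_access"        # identity change: needs approval
    ESCALATE_PRIVILEGE = "escalate"        # identity change: needs approval
    POLICY_EXCEPTION = "policy_exception"  # exception handling: needs approval


# Assumed owner role that must sign off on each action class (constructed names).
APPROVAL_OWNER = {
    Action.GRANT_ACCESS: "iam-admin",
    Action.REVOKE_ACCESS: "iam-oncall",
    Action.ESCALATE_PRIVILEGE: "security-lead",
    Action.POLICY_EXCEPTION: "security-lead",
}
AUTO_EXECUTABLE = {Action.OPEN_TICKET}


@dataclass
class Recommendation:
    action: Action
    subject: str       # identity the action applies to (human or non-human)
    resource: str
    rationale: str
    confidence: float  # model-reported confidence in [0, 1]


@dataclass
class Decision:
    status: str        # "executed", "pending" or "rejected"
    reason: str
    ticket_id: Optional[int] = None


class ExecutionBackend:
    """Stand-in for the systems that actually act (IdP, ticketing); records what ran."""

    def __init__(self) -> None:
        self.applied: list = []

    def apply(self, rec: Recommendation, approved_by: str) -> None:
        self.applied.append((rec.action, rec.subject, rec.resource, approved_by))


class PolicyGate:
    """Recommendations enter here; only the gate may call the backend."""

    def __init__(self, backend: ExecutionBackend, min_confidence: float = 0.7) -> None:
        self.backend = backend
        self.min_confidence = min_confidence  # assumed policy threshold
        self.pending: dict = {}
        self.audit: list = []
        self._ids = count(1)

    def _log(self, event: str, rec: Recommendation, **extra) -> None:
        self.audit.append({"event": event, "action": rec.action.value,
                           "subject": rec.subject, **extra})

    def submit(self, rec: Recommendation) -> Decision:
        # Policy checks run before anything is queued, let alone executed.
        if not 0.0 <= rec.confidence <= 1.0 or rec.confidence < self.min_confidence:
            self._log("rejected", rec, reason="confidence_below_policy")
            return Decision("rejected", "confidence below policy threshold")
        if rec.action in AUTO_EXECUTABLE:
            self.backend.apply(rec, approved_by="policy:auto")
            self._log("executed", rec, approver="policy:auto")
            return Decision("executed", "action class is auto-executable")
        ticket = next(self._ids)
        self.pending[ticket] = rec
        owner = APPROVAL_OWNER[rec.action]
        self._log("queued", rec, ticket=ticket, owner=owner)
        return Decision("pending", f"awaiting approval from {owner}", ticket)

    def approve(self, ticket: int, approver: str, role: str) -> Decision:
        rec = self.pending.get(ticket)
        if rec is None:
            return Decision("rejected", "unknown or already resolved ticket", ticket)
        if role != APPROVAL_OWNER[rec.action]:
            # The approval boundary: the wrong role cannot push an identity change through.
            self._log("approval_denied", rec, ticket=ticket, approver=approver, role=role)
            return Decision("rejected", f"{role} is not the owner for {rec.action.value}", ticket)
        del self.pending[ticket]
        self.backend.apply(rec, approved_by=approver)
        self._log("executed", rec, ticket=ticket, approver=approver)
        return Decision("executed", "approved by named owner", ticket)


def run_demo():
    """Feed constructed recommendations from a hypothetical triage model through the gate."""
    backend = ExecutionBackend()
    gate = PolicyGate(backend)
    recs = [
        Recommendation(Action.OPEN_TICKET, "svc-build-runner", "ci-secrets", "token unused 90 days", 0.92),
        Recommendation(Action.REVOKE_ACCESS, "svc-build-runner", "prod-db", "anomalous login burst", 0.88),
        Recommendation(Action.ESCALATE_PRIVILEGE, "alice", "prod-admin", "requested via chat", 0.55),
    ]
    decisions = [gate.submit(r) for r in recs]
    wrong = gate.approve(decisions[1].ticket_id, approver="bob", role="helpdesk")
    right = gate.approve(decisions[1].ticket_id, approver="carol", role="iam-oncall")
    return decisions, wrong, right, backend, gate


if __name__ == "__main__":
    for entry in run_demo()[4].audit:
        print(entry)
```

The design point is that the recommender has no handle on the backend at all: the only path to an identity change is `submit` followed by `approve` from the role recorded in `APPROVAL_OWNER`, and the audit list gives the metrics (queued versus executed, denials, rejections) that the posts say a program needs before automating further.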
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207
 

AI security value collapses when programs confuse speed with control. The article reflects a wider market problem: teams are often asked to automate before they have established the metrics that prove the automation is working. In identity-heavy environments, that usually means faster decisions with no clearer accountability. The right standard is not more AI, but more measurable control over where AI is permitted to act.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: When should organisations prioritize passwordless authentication over broader AI automation?

A: When credential compromise is a meaningful part of the threat model, passwordless and phishing-resistant MFA should come first. AI automation can improve operations, but it does not compensate for weak authentication. If the entry point is still a password, attackers only need one successful lure to undo many downstream controls.

👉 Read our full editorial: AI for CISOs only helps when identity controls stay disciplined
