
AI scale and attack surface growth: what should CISOs change now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9063
Topic starter  

TL;DR: AI turns risk into a scale problem because engineers will generate more code, services, connections, and decisions faster than security headcount can grow, making attack surface expansion and automation the central issue, according to Orca Security. The editorial case is that security must shift from bolt-on controls to architecture, visibility, and workflow-level influence before AI practices harden.

NHIMG editorial — based on content published by Orca Security: The AI Era Is a Scale Problem, And CISOs Can't Solve It the Old Way

By the numbers:

Questions worth separating out

Q: How should security teams govern AI-connected systems that can act at machine speed?

A: They should treat AI-connected systems as identity-bearing actors with explicit permissions, data reach, and execution boundaries.

Q: Why do AI workflows complicate IAM and NHI governance?

A: AI workflows complicate governance because they increase the number of actions, permissions, and delegated decisions happening in a shorter time window.

Q: What breaks when security relies on prompt-level controls alone?

A: Prompt-level controls break down because they do not govern the full execution path.

Practitioner guidance

  • Rebuild the AI-connected attack surface: Inventory every AI service, agent, plugin, and workflow that can access data or perform actions.
  • Separate agent, service, and human permissions: Create distinct identity boundaries so that AI-enabled workflows do not inherit broad human or service privileges.
  • Move governance checkpoints upstream: Embed approval, policy, and exception handling into the build and deployment path instead of relying on periodic reviews.

What's in the full article

Orca Security's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor breaks down AI usage into concrete questions about data access, actions, and permissions.
  • The practical distinction between external exposure, permission sprawl, and autonomous actions when assessing risk.
  • Why prompt-only controls fail when the real problem lives in identity, workflow, and production access layers.
  • The vendor's view on when teams should delay buying tools and focus first on architecture and visibility.

👉 Read Orca Security's analysis of AI-era risk, visibility, and architecture →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8499
 

AI scale turns identity governance into a throughput problem, not a policy problem. The article correctly frames the issue as a change in rate of change, which is where many IAM and NHI programmes break down. When more code, more services, and more delegated actions are created faster than reviews can keep up, governance becomes a question of operational capacity as much as control design. The practitioner implication is that identity teams must measure how much change they can actually absorb.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Should organisations buy dedicated AI security tools before redesigning controls?

A: No. Organisations should first identify whether the main risk is data exposure, permission sprawl, or autonomous action, then place controls where those risks actually live. Buying tools before understanding the primary failure mode often adds complexity without reducing exposure.

👉 Read our full editorial: AI era risk is a scale problem for CISO identity controls



   