AI scale and attack surface growth: what should CISOs change now?


(@nhi-mgmt-group)

TL;DR: AI turns risk into a scale problem because engineers will generate more code, services, connections, and decisions faster than security headcount can grow, making attack surface expansion and automation the central issue, according to Orca Security. The editorial case is that security must shift from bolt-on controls to architecture, visibility, and workflow-level influence before AI practices harden.

NHIMG editorial — based on content published by Orca Security: The AI Era Is a Scale Problem, And CISOs Can't Solve It the Old Way

By the numbers:

Questions worth separating out

Q: How should security teams govern AI-connected systems that can act at machine speed?

A: They should treat AI-connected systems as identity-bearing actors with explicit permissions, data reach, and execution boundaries.

Q: Why do AI workflows complicate IAM and NHI governance?

A: AI workflows complicate governance because they increase the number of actions, permissions, and delegated decisions happening in a shorter time window.

Q: What breaks when security relies on prompt-level controls alone?

A: Prompt-level controls break down because they do not govern the full execution path.

Practitioner guidance

  • Rebuild the AI-connected attack surface: Inventory every AI service, agent, plugin, and workflow that can access data or perform actions.
  • Separate agent, service, and human permissions: Create distinct identity boundaries so that AI-enabled workflows do not inherit broad human or service privileges.
  • Move governance checkpoints upstream: Embed approval, policy, and exception handling into the build and deployment path instead of relying on periodic reviews.

What's in the full article

Orca Security's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor breaks down AI usage into concrete questions about data access, actions, and permissions.
  • The practical distinction between external exposure, permission sprawl, and autonomous actions when assessing risk.
  • Why prompt-only controls fail when the real problem lives in identity, workflow, and production access layers.
  • The vendor's view on when teams should delay buying tools and focus first on architecture and visibility.

👉 Read Orca Security's analysis of AI-era risk, visibility, and architecture →
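
One way to apply the practitioner guidance above to an inventory, as an added example that is not from Orca Security's article or NHIMG. The record fields (`kind`, `principal`, `permissions`, `data_reach`, `approval_gate`), the sample inventory and the set of state-changing verbs are assumptions constructed for illustration.

```python
# Added example: field names and records are constructed, not from Orca Security or NHIMG.
from collections import defaultdict

INVENTORY = [  # constructed sample inventory of AI-connected actors
    {"name": "support-copilot", "kind": "agent", "principal": "alice@example.com",
     "permissions": ["tickets:read", "tickets:write"], "data_reach": ["tickets"],
     "approval_gate": True},
    {"name": "deploy-agent", "kind": "agent", "principal": "svc-ci",
     "permissions": ["*"], "data_reach": [], "approval_gate": False},
    {"name": "ci-runner", "kind": "service", "principal": "svc-ci",
     "permissions": ["repo:read", "deploy:execute"], "data_reach": ["source"],
     "approval_gate": True},
    {"name": "alice", "kind": "human", "principal": "alice@example.com",
     "permissions": ["tickets:read", "tickets:write", "billing:read"],
     "data_reach": ["tickets", "billing"], "approval_gate": True},
    {"name": "summarizer", "kind": "agent", "principal": "agent-summarizer",
     "permissions": ["docs:read"], "data_reach": ["docs"], "approval_gate": False},
]

ACTING_VERBS = {"write", "execute", "delete", "*"}  # assumed verbs that change state


def audit(inventory):
    """Return {agent name: [findings]} for agents that break the boundaries above."""
    owners = defaultdict(set)  # principal -> kinds of actors using it
    for actor in inventory:
        owners[actor["principal"]].add(actor["kind"])
    findings = defaultdict(list)
    for actor in inventory:
        if actor["kind"] != "agent":
            continue
        shared = owners[actor["principal"]] - {"agent"}
        if shared:  # agent inherits whatever the human or service identity can do
            findings[actor["name"]].append(
                "shares principal with " + "/".join(sorted(shared)))
        verbs = {p.rsplit(":", 1)[-1] for p in actor["permissions"]}
        if "*" in verbs or not actor["permissions"]:
            findings[actor["name"]].append("permissions not explicit")
        if not actor["data_reach"]:
            findings[actor["name"]].append("data reach undeclared")
        if verbs & ACTING_VERBS and not actor["approval_gate"]:
            findings[actor["name"]].append("acts without execution boundary")
    return dict(findings)


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run in the build or deployment path, a non-empty result can block the change, which places the checkpoint upstream of periodic review.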
