TL;DR: AI turns risk into a scale problem because engineers will generate more code, services, connections, and decisions faster than security headcount can grow, making attack surface expansion and automation the central issue, according to Orca Security. The editorial case is that security must shift from bolt-on controls to architecture, visibility, and workflow-level influence before AI practices harden.
NHIMG editorial — based on content published by Orca Security: The AI Era Is a Scale Problem, And CISOs Can't Solve It the Old Way
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams govern AI-connected systems that can act at machine speed?
A: They should treat AI-connected systems as identity-bearing actors with explicit permissions, data reach, and execution boundaries.
Q: Why do AI workflows complicate IAM and NHI governance?
A: AI workflows complicate governance because they increase the number of actions, permissions, and delegated decisions happening in a shorter time window.
Q: What breaks when security relies on prompt-level controls alone?
A: Prompt-level controls break down because they do not govern the full execution path.
Practitioner guidance
- Rebuild the AI-connected attack surface: Inventory every AI service, agent, plugin, and workflow that can access data or perform actions.
- Separate agent, service, and human permissions: Create distinct identity boundaries so that AI-enabled workflows do not inherit broad human or service privileges.
- Move governance checkpoints upstream: Embed approval, policy, and exception handling into the build and deployment path instead of relying on periodic reviews.
What's in the full article
Orca Security's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor breaks down AI usage into concrete questions about data access, actions, and permissions.
- The practical distinction between external exposure, permission sprawl, and autonomous actions when assessing risk.
- Why prompt-only controls fail when the real problem lives in identity, workflow, and production access layers.
- The vendor's view on when teams should delay buying tools and focus first on architecture and visibility.
AI scale and attack surface growth: what should CISOs change now?
Explore further
AI scale turns identity governance into a throughput problem, not a policy problem. The article correctly frames the issue as a change in the rate of change, which is where many IAM and NHI programmes break down. When more code, more services, and more delegated actions are created faster than reviews can keep up, governance becomes a question of operational capacity as much as control design. The practitioner implication is that identity teams must measure how much change they can actually absorb.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Should organisations buy dedicated AI security tools before redesigning controls?
A: No. Organisations should first identify whether the main risk is data exposure, permission sprawl, or autonomous action, then place controls where those risks actually live. Buying tools before understanding the primary failure mode often adds complexity without reducing exposure.