
AI security priorities for CISOs: what should teams re-evaluate now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: Gartner says AI hype is pushing CISOs toward wasteful investments, while AI initiatives that are aligned to cybersecurity priorities are more likely to deliver realized value and less strategic debt, according to RSA Security’s summary of the report. The practical shift is toward embedding AI inside existing governance, identity, detection, and response objectives instead of treating it as a separate roadmap.

NHIMG editorial — based on content published by RSA Security: Gartner Report, AI Security Priorities for CISOs

By the numbers:

Questions worth separating out

Q: How should security teams govern AI systems that can take actions on behalf of users?

A: Treat them as non-human identities with scoped permissions, named ownership, and revocation paths.

Q: Why do AI programmes create new identity risk for CISOs?

A: AI programmes expand the number of identities, workflows, and access decisions that security teams must manage.

Q: How do security teams know if AI governance is working?

A: Look for evidence that access decisions are reviewable, permissions are revocable, and exceptions are not becoming permanent.

Practitioner guidance

  • Reframe AI as a governed identity class: Classify AI assistants, agents, and automated workflows as non-human identities with named owners, explicit scope, and documented revocation paths.
  • Tie AI initiatives to core cybersecurity objectives: Require every AI use case to map to measurable outcomes in Govern, Identify, Protect, Detect, Respond, or Recover before funding is approved.
  • Review access before automation expands: Check whether the AI workflow can read sensitive data, trigger actions, or modify state, then apply the narrowest viable entitlements and logging.

With 1.5 out of 10 organisations highly confident in securing NHIs, the baseline problem is already visible, and AI will magnify it unless IAM and NHI ownership are unified.

👉 Read RSA Security’s summary of Gartner’s AI security priorities for CISOs →




(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207
 

AI security FOMO is really an identity governance problem in disguise. The report describes a familiar executive pressure cycle, but the security consequence is broader than budget waste. When AI becomes a separate roadmap, teams create parallel access models, shadow workflows, and policy exceptions that are hard to unwind. For NHI governance, the correct question is whether AI changes the identity perimeter, not whether it is fashionable. Practitioners should force AI use cases back into existing governance structures rather than allowing a second control plane to emerge.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility.

A question worth separating out:

Q: What should organisations do when AI adoption outpaces governance?

A: Slow the rollout of new use cases until the identity model is clear, the permissions are bounded, and the lifecycle process is in place. Security leaders should fund AI only where it supports existing cybersecurity objectives and where access can be monitored, rotated, and removed on time.

👉 Read our full editorial: AI security priorities for CISOs are shifting toward governance
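The practitioner guidance in the opening post (named owner, explicit scope, revocation path, narrowest entitlements plus logging) and the follow-up answer (permissions bounded, lifecycle in place, exceptions not becoming permanent) both describe checks that can be run against an NHI inventory. The script below is an added example written for this thread, not code from NHIMG, RSA Security or Gartner; the record schema, scope naming convention (`read:`, `write:`, `admin:`, `delete:`), the 90-day review window and the sample inventory are all constructed assumptions, not a real product's data model.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed record shape for an AI agent/assistant/workflow registered as an NHI.
# Field names are illustrative; map them onto whatever your inventory actually stores.
@dataclass
class NhiRecord:
    identity_id: str
    kind: str                          # "agent", "assistant" or "workflow"
    owner: Optional[str]               # named accountable owner, or None
    scopes: List[str]                  # granted entitlements, e.g. "read:tickets"
    revocation_path: Optional[str]     # documented way to pull access, or None
    logging_enabled: bool              # are the identity's actions logged?
    last_review: Optional[date]        # last access review, or None if never
    exceptions: List[dict] = field(default_factory=list)  # {"reason": str, "expires": date|None}

REVIEW_MAX_AGE = timedelta(days=90)                # assumed review cadence
STATE_CHANGING_PREFIXES = ("write:", "admin:", "delete:")  # assumed naming convention


def audit_identity(rec: NhiRecord, today: date) -> List[str]:
    """Return the governance findings for one AI identity (empty list = compliant)."""
    findings: List[str] = []
    if not rec.owner:
        findings.append("no named owner")
    if not rec.revocation_path:
        findings.append("no documented revocation path")
    # Wildcard scopes defeat the "narrowest viable entitlement" rule.
    if any(s == "*" or s.endswith(":*") for s in rec.scopes):
        findings.append("wildcard scope")
    # An identity that can trigger actions or modify state must be logged.
    writes = [s for s in rec.scopes if s.startswith(STATE_CHANGING_PREFIXES)]
    if writes and not rec.logging_enabled:
        findings.append("state-changing scope without logging: " + ",".join(writes))
    # Access decisions must be reviewable: a stale or missing review is a finding.
    if rec.last_review is None or today - rec.last_review > REVIEW_MAX_AGE:
        findings.append("access not reviewed within 90 days")
    # Exceptions must carry an expiry, and expired ones must actually be removed.
    for exc in rec.exceptions:
        if exc.get("expires") is None:
            findings.append("permanent exception: " + exc["reason"])
        elif exc["expires"] < today:
            findings.append("expired exception still in place: " + exc["reason"])
    return findings


def audit_inventory(records: List[NhiRecord], today: date) -> Dict[str, List[str]]:
    """Map identity_id -> findings for every non-compliant identity in the inventory."""
    return {r.identity_id: f for r in records if (f := audit_identity(r, today))}


# Constructed sample inventory (not real identities); the reference date is fixed so
# the results are reproducible.
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    NhiRecord("agent-ticket-triage", "agent", "secops@example.invalid",
              ["read:tickets", "write:tickets"],
              "runbook://revoke/agent-ticket-triage", True, date(2025, 5, 10)),
    NhiRecord("assistant-sales-copilot", "assistant", None,
              ["read:crm", "crm:*"], None, False, date(2025, 1, 15),
              [{"reason": "pilot", "expires": date(2025, 3, 31)}]),
    NhiRecord("workflow-nightly-export", "workflow", "data-eng@example.invalid",
              ["read:warehouse", "delete:exports"],
              "runbook://revoke/workflow-nightly-export", False, None,
              [{"reason": "legacy", "expires": None}]),
]


if __name__ == "__main__":
    for identity_id, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(identity_id)
        for f in findings:
            print("  -", f)
```

Run as-is, the compliant triage agent produces no output, the ownerless sales assistant reports five findings (including the expired pilot exception that was never cleaned up), and the nightly export workflow reports an unlogged delete scope, a missing review and a permanent exception. Wiring `audit_inventory` to a real identity store turns the "is governance working?" question in the thread into a nightly report rather than an opinion.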


