Notifications
Clear all
Topic starter
02/06/2026 6:53 pm
TL;DR: As organizations scale copilots and agents, security maturity is lagging across data, model, identity, and monitoring controls, according to Cyera’s analysis. The operational gap is now the core risk: AI can move faster than governance unless teams measure readiness and tie it to concrete remediation.
NHIMG editorial — based on content published by Cyera: AI security readiness and the gap between innovation and control
Questions worth separating out
Q: How should security teams assess AI readiness before scaling agents and copilots?
A: Start by inventorying the identities, data paths, tools, and approvals that each AI system depends on.
Q: Why do AI systems create new IAM and NHI governance problems?
A: AI systems create new governance problems because they can act through delegated identities, call tools, and access data at machine speed.
Q: What breaks when AI security is measured but not enforced?
A: When measurement is not tied to enforcement, organisations get visibility without risk reduction.
Practitioner guidance
- Implement AI access inventories Catalogue every AI system, agent, service account, token, and connected tool so you can see which identities can read data, invoke workflows, or change state.
- Tie readiness assessments to remediation tickets Convert assessment findings into tracked work items with owners, deadlines, and closure criteria.
- Separate policy from enforcement Document AI standards, then verify that the underlying controls actually block or constrain unsafe behaviour.
Teams should expect AI adoption to surface entitlement sprawl, weak ownership, and unclear exception handling unless they connect readiness assessments to enforcement and auditability?
👉 Read Cyera's analysis of AI security readiness and governance gaps →
Explore further
02/06/2026 7:07 pm
AI readiness is becoming an identity governance test, not a model governance exercise. The article focuses on maturity, but the deeper issue is whether organisations can control what AI systems are allowed to touch and do. That means identity, access, and monitoring must be designed together, or AI will scale faster than governance can absorb it. Practitioners should treat AI readiness as NHI governance with a broader blast radius.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same research.
A question worth separating out:
Q: What should teams do first when a readiness review shows too many AI control gaps?
A: Contain the highest-risk access paths first. Remove unnecessary permissions, assign owners to every AI identity, and narrow tool access where agents can reach sensitive systems or data. In the first 24 to 72 hours, the goal is to reduce blast radius, not to redesign the entire programme.
👉 Read our full editorial: AI security readiness assessments expose the AI governance gap
