Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Always-on privileged access for AI identities: what is changing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: 91% of organisations still say at least half of privileged access is always on, while only 1% have fully implemented just-in-time privileged access and 45% apply the same controls to AI agents as to humans, according to CyberArk research. That combination turns privilege sprawl into a structural governance problem, not a tooling gap.

NHIMG editorial — based on content published by CyberArk: the privilege reality gap in AI and cloud environments

By the numbers:

Questions worth separating out

Q: How should security teams reduce always-on privileged access in cloud environments?

A: Start by identifying which privileged accounts truly need persistent access and which can be moved to just-in-time elevation.

Q: Why do AI agents complicate privileged access governance?

A: AI agents complicate privileged access governance because they can act at runtime and execute sensitive tasks faster than human review workflows can keep up.

Q: What breaks when organisations manage human and machine privilege the same way?

A: What breaks is accountability.

Practitioner guidance

  • Inventory standing privilege across all identity types Build a single view of privileged accounts, service identities, and AI-driven access paths so you can see where persistent access still exists.
  • Move high-risk access to just-in-time issuance Use time-bound elevation for sensitive actions rather than leaving privilege continuously available.
  • Separate AI agent controls from human access policies Do not inherit human approval patterns automatically for AI-driven identities.

What's in the full report

CyberArk's full article covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown across PAM, IAM, and infrastructure roles
  • The full set of research findings on always-on privilege, AI policy gaps, and tool fragmentation
  • CyberArk's suggested privilege-modernisation themes for human, machine, and AI identities
  • Research context on how the survey was conducted by Censuswide

👉 Read CyberArk's research on the privilege reality gap for AI and cloud →

Always-on privileged access for AI identities: what is changing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Always-on privilege is the control gap this research exposes. Access models built around persistent entitlements assume that privilege can remain live until a review catches it. That premise fails when production systems, machines, and AI-driven identities all operate under faster execution patterns and narrower operational contexts. The implication is that privilege governance must be judged by how quickly access can be narrowed, not by how many controls exist on paper.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should own privileged access risk when identity tools are fragmented?

A: The IAM or PAM function should own the operating model, but cloud, platform, and application teams must share accountability for the identities they create and the secrets they expose. Fragmentation makes no one fully responsible unless ownership is tied to each account, tool, and production pathway.

👉 Read our full editorial: AI-driven privileged access exposes the shadow privilege gap



   
ReplyQuote
Share: