TL;DR: Static access reviews no longer explain identity risk well enough because modern environments reuse credentials across systems, embed them in automation, and delegate action to non-human and AI-driven identities, according to Widefield Security. Identity security now has to model behaviour over time, not just validate access at a point in time.
NHIMG editorial — based on content published by Widefield Security: Adapting modern identity security in an AI-driven world
Questions worth separating out
Q: How should security teams govern identities whose behaviour changes over time?
A: Security teams should govern dynamic identities by combining entitlement review with behavioural baselining.
Q: Why do non-human identities create more hidden risk than traditional user accounts?
A: Non-human identities often run continuously, lack human login patterns, and are reused across workflows.
Q: What do organisations get wrong about access reviews in identity security?
A: They often treat access reviews as proof that identity risk is under control.
Practitioner guidance
- Map identity behaviour, not just access lists: create a baseline for how critical human and non-human identities normally operate across systems, then flag drift in frequency, scope, and relationships.
- Separate non-human identity inventory from human IAM records: track service accounts, API keys, tokens, and machine identities with their own ownership, purpose, and lifecycle metadata so reuse and delegation are visible.
- Integrate runtime detection into access certification: use logs and telemetry to inform whether the access being reviewed still matches actual usage.
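The three guidance points above fit together as one pipeline: baseline behaviour per identity, keep a separate NHI inventory with owner and purpose, and let observed usage drive certification. The following Python is an added example written for this post, not code from Widefield Security or from the NHIMG editorial. The audit event layout, the inventory fields, the three-times-baseline frequency threshold and all identities and resources are constructed for the demonstration.

```python
"""Added example (not Widefield Security's or NHIMG's code): baseline identity
behaviour from audit events, flag drift in frequency, scope and relationships,
and certify entitlements against what was actually used. Event fields,
inventory layout and the drift threshold are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime

# Constructed audit events: (timestamp, identity, action, resource, on_behalf_of).
# on_behalf_of records delegation, e.g. an AI agent acting for a named user.
BASELINE_EVENTS = [
    ("2025-01-01T09:00:00", "svc-ci-deploy", "apply", "k8s:prod/deployments", None),
    ("2025-01-01T17:00:00", "svc-ci-deploy", "apply", "k8s:prod/deployments", None),
    ("2025-01-02T09:10:00", "svc-ci-deploy", "apply", "k8s:prod/deployments", None),
    ("2025-01-02T17:05:00", "svc-ci-deploy", "apply", "k8s:prod/deployments", None),
    ("2025-01-01T10:00:00", "alice@example.com", "read", "git:platform-repo", None),
    ("2025-01-02T10:30:00", "alice@example.com", "read", "git:platform-repo", None),
    ("2025-01-01T11:00:00", "agent-support-bot", "call", "api:tickets", "alice@example.com"),
    ("2025-01-01T15:00:00", "agent-support-bot", "call", "api:tickets", "alice@example.com"),
    ("2025-01-02T11:00:00", "agent-support-bot", "call", "api:tickets", "alice@example.com"),
    ("2025-01-02T15:00:00", "agent-support-bot", "call", "api:tickets", "alice@example.com"),
]
REVIEW_EVENTS = [
    ("2025-02-01T09:00:00", "svc-ci-deploy", "apply", "k8s:prod/deployments", None),
    ("2025-02-01T03:12:00", "svc-ci-deploy", "get", "s3:backup-bucket", None),  # new scope
    ("2025-02-01T10:00:00", "alice@example.com", "read", "git:platform-repo", None),
    ("2025-02-01T02:00:00", "key-legacy-export", "export", "db:customers", None),  # never baselined
] + [
    # 12 calls in one day, delegated by a user the agent never acted for before
    ("2025-02-01T%02d:00:00" % h, "agent-support-bot", "call", "api:tickets", "bob@example.com")
    for h in range(8, 20)
]

# Constructed NHI inventory, kept apart from the human IAM directory, with
# ownership, purpose and the entitlements each identity is supposed to hold.
NHI_INVENTORY = {
    "svc-ci-deploy": {"kind": "service_account", "owner": "platform-team",
                      "purpose": "CI deploys to prod",
                      "entitlements": {"k8s:prod/deployments", "k8s:prod/secrets"}},
    "agent-support-bot": {"kind": "ai_agent", "owner": "support-eng",
                          "purpose": "ticket triage on behalf of a named user",
                          "entitlements": {"api:tickets"}},
}
HUMAN_IAM = {"alice@example.com", "bob@example.com"}  # human accounts live elsewhere


def profile(events):
    """Per-identity profile: event count, active days, resources touched, delegators."""
    prof = defaultdict(lambda: {"count": 0, "days": set(), "resources": set(), "relationships": set()})
    for ts, ident, _action, resource, actor in events:
        p = prof[ident]
        p["count"] += 1
        p["days"].add(datetime.fromisoformat(ts).date())
        p["resources"].add(resource)
        if actor:
            p["relationships"].add(actor)
    return dict(prof)


def daily_rate(p):
    return p["count"] / max(len(p["days"]), 1)


def detect_drift(baseline, review, rate_factor=3.0):
    """Findings as (identity, kind, detail) for behaviour that departs from baseline.
    rate_factor (assumed) is how many times the baseline daily rate counts as a spike."""
    findings = []
    for ident, cur in sorted(review.items()):
        base = baseline.get(ident)
        if base is None:  # active identity with no history at all
            findings.append((ident, "no_baseline", sorted(cur["resources"])))
            continue
        if daily_rate(cur) > rate_factor * daily_rate(base):
            findings.append((ident, "frequency", "%.1f/day vs %.1f/day" % (daily_rate(cur), daily_rate(base))))
        if cur["resources"] - base["resources"]:
            findings.append((ident, "scope", sorted(cur["resources"] - base["resources"])))
        if cur["relationships"] - base["relationships"]:
            findings.append((ident, "relationship", sorted(cur["relationships"] - base["relationships"])))
    return findings


def certify(inventory, humans, review):
    """Telemetry-informed certification: entitlements not exercised in the review
    window are removal candidates, use outside entitlements is a violation, and
    non-human identities seen in telemetry but missing from the inventory are a gap."""
    report = {}
    for ident, meta in inventory.items():
        used = review.get(ident, {"resources": set()})["resources"]
        report[ident] = {"unused": sorted(meta["entitlements"] - used),
                         "unentitled_use": sorted(used - meta["entitlements"])}
    uninventoried = sorted(set(review) - set(inventory) - humans)
    return report, uninventoried


if __name__ == "__main__":
    review = profile(REVIEW_EVENTS)
    for f in detect_drift(profile(BASELINE_EVENTS), review):
        print("DRIFT", f)
    report, gaps = certify(NHI_INVENTORY, HUMAN_IAM, review)
    print("CERTIFY", report)
    print("NOT IN NHI INVENTORY", gaps)
```

On this constructed data the agent trips both a frequency and a relationship finding (a new delegating user), the deploy account keeps its normal rate but touches a bucket outside its baseline and its entitlements, the legacy export key has no baseline and no inventory record, and the `k8s:prod/secrets` entitlement comes back as never used, which is the kind of result an entitlement-only review cannot produce.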
What's in the full article
Widefield Security's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor frames identity security as a dynamic visibility and detection problem across human and non-human identities.
- Examples of identity drift scenarios that are used to illustrate why static access reviews miss misuse.
- The article's discussion of ITDR, ISPM, and IVIP as emerging categories for runtime identity intelligence.
- The vendor's explanation of how CISA guidance and NIST digital identity guidance relate to behavioural detection.
👉 Read Widefield Security's analysis of modern identity security in an AI-driven world →
Identity security in an AI-driven world: where do controls fall short?
Explore further
Identity governance now fails on meaning, not just coverage: static access controls can be present and still leave the organisation unable to tell whether use is appropriate. That is the central failure mode in modern identity security, where legitimate credentials can carry malicious or unintended action without tripping traditional alerts. The implication is that identity programmes must be evaluated on behavioural comprehension, not just entitlement presence.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How can teams tell whether their identity controls are keeping up with AI-driven workflows?
A: Teams should look for whether identity controls can explain delegated action, not just authenticate it. If a system can launch tools, call APIs, and trigger downstream activity without a clear behavioural model, the controls are lagging behind the workflow.
👉 Read our full editorial: Identity security needs dynamic detection in an AI-driven world