How can organisations reduce the impact of AI-enabled cybercrime?

Why This Matters for Security Teams

AI-enabled cybercrime changes the pace and shape of abuse. Attackers can automate reconnaissance, tune phishing content, chain stolen credentials into cloud and SaaS access, and pivot faster than many human-led response processes can react. That means the question is not only how to block malicious messages, but how to stop a single successful lure from becoming persistent identity compromise. The practical lesson from NHIMG research is that identity and secrets are the real blast-radius multipliers, as shown in The 52 NHI breaches Report and the Ultimate Guide to NHIs — Why NHI Security Matters Now. External threat reporting reinforces the same point: AI can be used to accelerate intrusion workflows, not just generate better spam, as described in Anthropic — first AI-orchestrated cyber espionage campaign report. In practice, many security teams encounter lateral movement only after identity abuse has already turned a simple lure into a cloud session compromise.

Reducing impact starts with assuming the attacker will succeed somewhere, then making every credential, session, and privilege short-lived enough that success does not scale. That means tighter authentication, faster session revocation, narrower standing access, and alerting that prioritises identity containment over inbox cleanup. The same mindset applies to secrets management: leaked API keys, tokens, and certificates can be reused immediately, which is why NHIMG highlights rapid abuse patterns in material such as the DeepSeek breach.

How It Works in Practice

Effective mitigation works by shortening the attacker’s usable window at every layer. Authentication should be paired with phishing-resistant factors where possible, but the more important control is rapid containment after abnormal behaviour appears. Organisations that rely on static roles and long-lived access often discover that access reviews are too slow for an adversary that can enumerate resources, request tokens, and chain tools in minutes. Current guidance suggests treating identity as a runtime control plane, not a one-time onboarding event.

In practice, that means combining:

• narrow privilege and zero standing access for high-risk systems;
• just-in-time elevation with automatic expiry after task completion;
• continuous session monitoring and immediate revocation for anomalous activity;
• centralised secrets handling so tokens and API keys are rotated quickly when exposure is suspected;
• playbooks that tie email, endpoint, cloud, and SaaS alerts back to the same identity record.

This approach aligns with the identity-first model described in CISA cyber threat advisories and with the control emphasis in Top 10 NHI Issues, where compromised credentials are treated as a primary attack path rather than a secondary detail. Where AI is involved, the goal is not to “trust the model less” in the abstract. It is to limit what any compromised identity can do, how long it can do it, and what downstream systems it can reach. These controls tend to break down in highly distributed environments with fragmented secrets managers and inconsistent session telemetry because containment cannot happen fast enough across every control plane.

Common Variations and Edge Cases

Tighter identity control often increases operational overhead, requiring organisations to balance response speed against user friction and automation complexity. That tradeoff becomes sharper in environments that use service accounts, CI/CD pipelines, or AI agents with tool access, because these workloads still need machine identity even when humans are locked down. Best practice is evolving, but there is no universal standard for how to govern every autonomous or semi-autonomous workflow yet.

Two edge cases matter in particular. First, secrets exposure can outpace human response. NHIMG research on The State of Secrets in AppSec notes that the average time to remediate a leaked secret is 27 days, which is far too slow when attackers can act within minutes. Second, threat detection must account for AI-assisted abuse of normal tools, including use of stolen cloud keys, scripted mailbox access, and automated token replay. The practical response is to treat every secret as a short-lived credential candidate and every suspicious session as potentially resumable by an attacker. NHI governance also benefits from the OWASP NHI Top 10, especially where agentic workflows blur the line between application access and delegated authority.

Related resources from NHI Mgmt Group

• How can organisations reduce the identity impact of email compromise?
• How should organisations reduce business email compromise risk when attackers use generative AI?
• How do organisations reduce the impact of quiet, targeted email attacks?
• How should teams reduce the risk of exposed AI credentials being abused?