
Semperis recently published results from a study showing that AI is "redrawing the boundaries of global identity attack surfaces, and organizations are giving AI agents the keys to critical systems faster than they are putting guardrails around those new identities."
The State of Identity Security in the AI Era study found that 74 percent of organizations surveyed believe AI will increase attacks on identity infrastructure. In addition, 93 percent already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access. Ninety-two percent say AI is installed on at least some local machines with access to SSH and encryption keys, yet globally only 32 percent are very confident they could regain control if AI exposes admin credentials.
“The accelerated use of AI is introducing a bevy of new agents—each with its own non-human identity (NHI)—throughout global enterprises, and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs,” said Alex Weinert, Semperis Chief Product Officer.
Globally, only 65 percent of organizations say AI identities are fully registered, authenticated and authorized in a formal system, and six percent admit they do not track them at all. In organizations that do track AI identities, 57 percent use the same system as for human identities, while 43 percent authenticate and authorize them using a separate system.
AI is being placed close to sensitive identity infrastructure, and few organizations are prepared for the potential consequences. More than a quarter of surveyed organizations (29 percent) already use AI agents to manage security-related help desk tickets, including password resets and VPN access. Another 65 percent intend to do so within the next year. In parallel, 92 percent of respondents say that some portion of their workforce has AI installed on local machines where it can access SSH and encryption keys. On the plus side, 83 percent of respondents indicated that AI identity governance is a priority for them in the coming months.
How can organizations govern these hard-to-control identities? For now, best practices include:
- Treat agents explicitly as NHIs in the identity fabric.
- Enforce least-privilege, just-enough, and just-in-time access for agents as rigorously as for humans.
- Segregate agent and human trust boundaries where appropriate.
- Use UEBA-style analytics to detect “zombie” or anomalous agent behavior.
- Ensure that your organization can quickly recover identity systems to a trustworthy state if they are breached.