In sprawling IT environments, attacks can come through SaaS app ecosystems, devices and third-party entities. AI’s rise has compounded the risks, allowing more sophisticated threats to launch without bad actors needing high-level technical knowledge. Traditional defenses simply weren’t designed for the speed and proliferation of these attacks.
In this new reality of unconventional and emerging threats, organizations must shift from being reactive to proactive in safeguarding identities, which have become a common attack vector for malicious actors. The rise of non-human identities has compounded the security risks, with up to 92 machine identities for every one human identity. These trends are why prevention is better than cure when it comes to securing identities.
Why identity security is the frontline of cybersecurity
Instead of trying to control technology sprawl, organizations must shift toward controlling the sprawl of identities. The average number of SaaS apps used by a business is around 125. Many of these come with their own logins, offering attackers multiple potential routes into a business.
Now, imagine how many employees need access. In a small business, 20 employees each using 10 apps can mean 200 accounts, leaving IT leaders facing the tough realities of identity sprawl.
The rise of AI adoption and its impact on identity security
Advancements in AI allow a shift away from brute force attempts, with attackers spending less time trying to guess a user’s password and more time trying to get the user to give out their password. AI allows for more humanlike behaviors and conversations. This was shown by attacks such as the one on Arup in 2024, when attackers used an AI-generated video call to trick an employee into sending them $25 million. Of course, problems don’t just occur when employees are tricked by AI. Risks come when they want to use AI too.
External and internal threats
There’s both good news and bad news when employees have easy access to AI tools. On one hand, they can augment their work to improve accuracy, speed and volume. On the other hand, the potential boost to productivity can come with a different form of Shadow IT. The AI-based version of Shadow IT is where employees can simply open a browser window and make use of AI, often with a high level of freedom from any traditional monitoring or usage controls.
Increased connectivity
AI can be used to scan connected networks at high volume, identifying vulnerabilities far faster than humans can respond, patch or mitigate. Organizations without visibility across their environments are especially vulnerable. There may be orphaned groups with resources left unsecured, or accounts held by now-departed employees that still have standing or elevated privileges.
Without adopting just-in-time (JIT) or Principle of Least Privilege (PoLP) models, these identities and accounts offer threat actors a potential undetected route into and lateral movement within business-critical networks. Reacting after the breach is too late; instead, it’s about taking a preemptive approach.
Preemptive defense strategies to consider
Businesses are quickly acclimating to today’s transformative mix of AI, fast access to tools and always-on connectivity. Denying these benefits for security purposes can put any business at a disadvantage. That rules out defense strategies such as locking down systems until manual approval is granted or only allowing access inside the security perimeter. A different form of preemptive defense, made up of multiple recommendations, is needed.
Recommendation: Make it easy
Shadow IT isn’t just a security risk, it’s also a symptom that workers may not have the tools they need. Maybe procurement processes take too long, or the correct controls are not in place. Either way, team members are choosing to circumvent current protocols for requesting app procurement access. To avoid the risk of identity sprawl, where sometimes identities are created just to trial a product, GenAI offers an answer.
Consider giving employees a corporate-controlled GenAI service. Workers can experiment and spin up tools they need when they need them. Meanwhile, the organization gains real-time understanding of usage, what’s being accessed and by which identities.
If budget is an issue, another option is a voluntary register of AI usage. Employees can self-report and log how they’re using AI, generating an audit trail for governance teams. For example, the OECD’s AI principles include a demand that AI actors “commit to transparency and responsible disclosure regarding AI systems.” In the UK, public sector organizations are encouraged to join the Algorithmic Transparency Recording Standard (ATRS), to “provide clear information about how and why they’re using algorithmic tools.”
Recommendation: Get the basics right
Gartner warns that “Product leaders who fail to invest in preemptive cybersecurity capabilities risk career-impacting cyber incidents and the potential for damaging market share losses within the next two to four years.” The analysts advise preemptive defense against sophisticated and emerging threats that arise from the modern attacker’s AI-powered stack. That means starting with identity-based fundamentals, ready to give the best possible foundation for protection and detection. Out of the box, OneLogin includes the following technology:
- AWS IP reputation & DDoS protection: OneLogin integrates with AWS for cloud setup and protection, monitoring IPs and blocking malicious requests before they hit OneLogin and client infrastructure.
- WAF: OneLogin can take care of managing and authenticating identities wishing to access a WAF.
- ML-based dynamic risk scoring: Attacks are dynamic and evolving, so defenses need to be equally adaptable and proactive. ML can evaluate authentication attempts based on historical behaviors and adjust the verification based on deviation from an established baseline.
- Pre-authentication hooks: These allow for dynamic policy assignment based on authentication attributes. With risk score included, it becomes possible to implement PoLP and extend Zero Trust across the environment.
- User policy (SSO): Employees gain one-click access by entering credentials once. OneLogin supports this boost to productivity and security with policy-driven password security, MFA and context-aware access and restrictions for sensitive data.
- App policy (federation): Organizations can build a federated identity management architecture.
Recommendation: Adopt least privilege access
Two-thirds of senior US executives say that adopting AI agents is delivering measurable value through increased productivity. So even if it’s tempting to give AI agents elevated access and permissions, there should still be PoLP implementations. Ideally, these would be hardened with JIT access.
For example, imagine a chatbot being allowed to access the past interactions of the specific customer who is currently chatting, rather than all customer histories. The ability to access messages would usually be controlled by custom logic that defines relevance and expiry dates. This would help with compliance, such as with ISO 27001 Annex A 8.2, which states that “allocation and use of privileged access rights should be restricted and managed.”
Recommendation: Apply context-based authentication
Alongside authenticating based on a user’s detected risk levels, organizations should define authentication based on the resources being requested for access. Application policies can manage the application type and user access levels and can dynamically assess the authentication risk.
For the application, step-up authentication can be policy-driven, with users asked to reauthenticate with other factors based on their risk profile.
Recommendation: Leverage multiple authentication options
Organizations need to spread awareness of the risk of compromise, limiting the potential impact of lateral movement if a breach happens.
One method is to adopt multiple authentication options. These can be changed based on the business culture and industry, ranging from OTP for simple access to advanced ID verification flows with biometrics, passkeys or physical security keys. For more sensitive access use cases, combine two ID verification challenges, perhaps with an OIDC authentication protocol.
Recommendation: Limit lateral movement with step-up authentication
Step-up authentication controls must be used for users accessing sensitive apps and data. This should include MFA and limiting a user or entity’s ability to add new factors.
If a bad actor does gain access to an SSO session, lateral movement can be limited by deploying phishing-resistant factors such as FIDO2 WebAuthn, WebAuthn-based passkeys and X.509 certificates when the key is marked as non-exportable.
Recommendation: Govern AI agents
The rise of AI non-human identities (NHIs) requires policies and controls throughout their lifecycles. Access should be managed according to the actions performed. Audit trails should keep track of actions taken, and regular monitoring of NHI actions and sessions should be performed.
There should also be clear ownership with a human in the loop. This person has overall responsibility, maintenance and overview, carrying out governance and making decisions for edge cases.
Recommendation: Incorporate an AI kill switch
Researchers have found some AI models show resistance to shutdown scripts. So, just like an employee can be immediately removed after a company violation, AI agents must be subject to similar controls.
Their authentication, authorization and tokens should be controlled independently, and granular permissions should be restricted with expiration dates to prevent persistent access. Hardening comes from basing these controls on attributes or policies using context-aware authentication to limit activity out of normal office hours or away from specific locations. Any tokens in use can be marked invalid as a way to stop further activity.
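The controls in this recommendation, together with the customer-scoped chatbot from the least-privilege section, can be sketched as one small authorization check. This is an added example, not OneLogin code or any product's API: the function names (`issue`, `authorize`, `kill`), the HMAC token format, the scope strings and the 08:00-17:59 UTC office-hours window are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from datetime import datetime, timezone

SECRET = b"constructed-demo-key"  # constructed value; a real key lives in a KMS/HSM
OFFICE_HOURS = range(8, 18)       # assumed policy window: 08:00-17:59 UTC
revoked_agents = set()            # kill-switch state, consulted on every request


def issue(agent_id, scope, ttl=300, now=None):
    """Mint a short-lived token bound to one agent and one narrow scope."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "scope": scope, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authorize(token, wanted_scope, now=None):
    """Return (allowed, reason); every check fails closed."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if claims["sub"] in revoked_agents:   # kill switch beats a still-valid token
        return False, "agent killed"
    if now >= claims["exp"]:              # expiry prevents persistent access
        return False, "expired"
    if claims["scope"] != wanted_scope:   # least privilege: exact scope match only
        return False, "out of scope"
    if datetime.fromtimestamp(now, timezone.utc).hour not in OFFICE_HOURS:
        return False, "outside office hours"
    return True, "ok"


def kill(agent_id):
    """Invalidate every outstanding token for the agent in one step."""
    revoked_agents.add(agent_id)
```

Because revocation is keyed on the agent rather than on individual tokens, `kill` takes effect on the next request without enumerating what has been issued.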
Preemptive protection for AI
Despite all the defense capabilities in the world, humans remain the weakest link in a business’s cybersecurity strategy. AI, with its natural language processing capabilities and ability to personalize fake interactions at scale, offers the potential for hackers to scale their social engineering attempts. The prospect of a target giving up their login details opens the door to undetected movement, making it easier to carry out session harvesting and data exfiltration.
That’s why businesses should prioritize preemptively putting these suggestions in place:
- Make it easy for workers to harness AI and minimize the risk of Shadow IT.
- Ensure basic identity controls are in place.
- Add context and risk-based controls, including step-up protocols.
- Bake in the idea of the PoLP process, both for security and to support any governance and compliance requirements.
- Maintain control over self-directed AI technologies, including the ability to shut down models when necessary.
By taking these steps, organizations can support dynamic defenses, put in authentication flows and limit lateral movement from breaches. These are a step beyond traditional defense methods. But with the continued proliferation of AI across the cybersecurity landscape, a proactive security posture has never been more business-critical.