
February 23, 2026
In the digital world, protecting your company from AI, GenAI & Agentic AI cyber-security threats is a whole new ballgame

The rapid development and proliferation of multiple AI, GenAI & Agentic AI technologies have exponentially expanded the security threat surfaces for companies of all sizes across all industries.
Bad actors are hacking into these new AI technologies to generate deepfakes, create clever phishing lures and launch new types of advanced attacks that are not detected by traditional security tools and defenses. These attacks also include prompt injections that trick models into revealing sensitive data. Employees are also leaking sensitive company data through unauthorized or careless use of GenAI.
The recent emergence of autonomous agents has ramped up the threat levels by another order of magnitude with the introduction of non-human identities (NHIs).
Taken together, these changes have fundamentally altered the cyber-security landscape and necessitated a whole new approach to how companies protect themselves from these new AI-driven threats.
Can your company move from securing static systems of record to securing dynamic, self-evolving, decision-making systems?

For the past several decades, cybersecurity’s primary role has been to secure and protect a company’s systems of record, which followed clear, predefined rules. These static assets included servers, software, customer data, and operating processes, along with proprietary legal and financial data.
The introduction and increasing adoption of autonomous AI agents has fundamentally changed cyber-security’s role and significantly increased every company’s attack surface and breach vulnerability.
The autonomous capability of these dynamic systems to access databases and execute decision-making tasks across the entire company turns them into significant self-guided security risks.
A recent World Economic Forum article documented that 80% of company breaches involved a compromised identity but only 10% of those companies said they have a well-developed cyber-security strategy to manage their agentic identities.
Companies must expand their cyber-security oversight from human identity to non-human identities (NHIs)

The introduction and expansion of NHIs, including service accounts, OAuth tokens, embedded API keys, and automation credentials, will expand a company’s security threat surfaces by orders of magnitude and require a whole new level of cyber-security governance and oversight to protect mission-critical assets and processes.
Forrester analyst Geoff Cairns says, “There is going to be an explosion of non-human identities. The exponential growth is indisputable.”
However, Jason Andersen, principal analyst for Moor Insights & Strategy, estimates that companies only have 25% NHI visibility with the remaining 75% in the shadows and undetected.
Justin Greis, CEO of Acceligence, thinks that companies “…need to rethink how identity and data provisioning is done and put in place the right processes that can scale with the growth of agentic identities. You simply cannot apply human processes to something that will scale at the rate of AI in all its forms.” Simply put, companies need to figure out how to use AI to protect themselves from AI.
As enterprise security challenges shift from humans to machines, operating model governance must shift with them. Regardless of industry sector or company size, once non-human identities outnumber humans by orders of magnitude, identity stops being an administrative discipline and becomes a mission-critical component of sustainable performance and success. Failure will come not because there are too many identities but because companies cannot detect their intentions, certify their ownership and clarify accountability for their actions.
‘Shift Left’ – Build security in upfront

Application Programming Interfaces (APIs) are the primary connective tissue within an organization and the external connective tissue with its customers, supply chain partners, and other key stakeholders. According to an Akamai study, API communications now account for more than 83% of all internet traffic.
APIs driven by self-acting AI agents have greatly expanded and accelerated their security risks and their exposure to multiple bad actors using some form of AI to attack. As such, companies must make a fundamental shift from their traditional security practices or risk existential consequences.
A critical part of reducing this expanded risk exposure is to address security sooner in the development lifecycle, which creates a “shift left” development model as shown on the chart above. This shift means building security into the development process during requirements analysis or planning, as opposed to when development and testing have already begun. This shift is an integral part of the emergence of a DevSecOps mentality where development and operations have come together, and security is part of the process from start to finish.
Securing your company from AI, GenAI & agentic AI security threats is not about expanding your traditional security tools and processes. It requires a new governance framework built for autonomy, not just execution, and a new security playbook based on control and transparency.


