IT Brief UK - Technology news for CIOs & IT decision-makers
AI push exposes gaps in identity controls, UK warned

Thu, 19th Mar 2026

Delinea has published research suggesting many organisations are relaxing identity controls as they roll out AI, despite gaps in governance and monitoring for AI-driven accounts.

A global survey of more than 2,000 IT decision-makers found 90% of organisations pressure security teams to loosen identity controls for AI initiatives. At the same time, respondents reported persistent blind spots in identity discovery and oversight, especially for machine and non-human identities.

Identity management sits at the centre of many security models. It governs who or what can access systems and data, and what actions they can take. AI deployments often increase the number of identities in an environment, as organisations add automated tools, service accounts, and AI agents that need credentials and permissions.

Nearly 90% of respondents reported at least one identity visibility gap. The biggest gap involved machine and non-human identities, including accounts used by AI agents. Respondents also said identity discovery gaps were more likely to persist in AI environments than in legacy or on-premises systems.

Confidence gap

The research points to a mismatch between perceived AI readiness and access controls. While 87% of respondents said their identity security posture was ready to support AI-driven automation, 46% said identity governance for AI systems was deficient.

Respondents also rated their ability to discover and govern identities in AI environments more poorly than in legacy systems. Although 82% said they were confident they could discover non-human identities with access to production systems, fewer than one in three organisations validate non-human identity or AI agent activity in real time.

Art Gilliland, Delinea's CEO, said security discipline is struggling to keep pace with deployment speed.

"The pressure to move fast on AI is real, but identity governance has not kept pace, which exposes enterprises to significant risk," Gilliland said.

Non-human identities

Non-human identities include service accounts, automated jobs, and software-agent identities. They can hold elevated permissions because they need broad access to perform tasks across systems. That access increases risk if credentials are poorly managed, permissions remain in place for too long, or activity is not logged and reviewed.

In the survey, 42% of organisations said AI expansion was a top factor increasing non-human identity risk over the past 12 months. Two other factors followed at 26% each: increased automation and CI/CD velocity, and growth in cloud-native workloads.

Traceability for privileged actions by automated identities also emerged as a weak point: 80% of organisations said they cannot always understand why a non-human identity performed a privileged action. This can slow investigations into suspicious activity and complicate accountability for automated changes.

Standing privileged access was another recurring issue. In the survey, 59% of organisations said they lacked viable alternatives to standing privileged access for non-human identities and AI agents. Persistent permissions raise the risk of misuse if an identity is compromised or access is broader than required.

Gilliland linked the governance gap to the growing number of automated identities in corporate environments.

"As AI agents multiply across enterprise environments, these identities often have the least oversight. The organizations that will succeed in the AI era will be the ones that enforce real-time, contextual access across every human, machine, and agentic AI identity," he said.

UK snapshot

Delinea also published a UK breakdown based on 250 IT decision-makers who said they were actively using AI in their environments. The UK data points to high levels of unsanctioned AI tools connecting to corporate systems.

In the UK sample, 58% said they discover unsanctioned AI tools sometimes or often, which Delinea described as the second-highest rate globally.

The findings also suggest some organisations choose speed over tighter control when identity workflows create friction. In the UK sample, 22% said they resolve the tension between business speed and security by granting standing privileges, which Delinea said was the highest level globally.

Operational friction was cited as a contributing factor. In the UK sample, 81% reported moderate-to-high friction deploying AI agents, and 84% reported similar friction with cloud or infrastructure provisioning.

The UK breakdown also highlighted enforcement challenges. Delinea said 26% of UK respondents enforce security requirements when friction arises, the lowest level globally.

Elsewhere in the UK data, 32% said they rely on static, long-lived credentials for non-human identity access, and 54% said AI environments are where identity gaps will persist.

Alongside AI agent adoption, UK respondents also cited wider engineering trends as risk drivers. In the UK sample, 30% pointed to increased automation and CI/CD velocity as a top risk driver, and 30% cited growth in cloud-native workloads.

Delinea said organisations are looking for stronger ways to discover identities, manage privileges, and audit activity across humans, machines, and AI agents as more automated tools gain access to production systems and sensitive data.