Identity security implications for intelligent automation

In a recent executive roundtable hosted by Delinea, senior cybersecurity leaders and CISOs convened with me and a Delinea executive team to discuss the identity security implications of intelligent automation.

The conversation centered on the rapid adoption of AI-enhanced Robotic Process Automation (RPA) and the proliferation of non-human digital identities within enterprise environments. This blog summarizes that session's key discussions and conclusions, highlighting the emerging risks and governance challenges, and recommending security strategies for managing AI agents in the modern digital workforce.

The rapid adoption of intelligent automation that combines robotic process automation with AI agents is transforming how enterprises operate. These AI-driven agents, capable of performing complex tasks independently, are increasingly business-critical across most industries. However, as organizations deploy these digital workers, security concerns surrounding their non-human identities become more prominent.

Emerging security challenges of AI agents

The use of AI agents is rising quickly. Without exception, the attendees plan to expand their deployment of AI agents over the next 12 months. These agents work in sensitive domains, including legal, financial, and supply chain systems. Despite this growth, complete visibility into the data accessible by these agents is lacking. This can lead to unintended actions, such as unauthorized access, sharing inappropriate data, or downloading sensitive files.

This trend introduces a new AI identity category without direct human oversight. Unlike traditional user accounts, AI agents can be instantiated rapidly, scaled flexibly, and interact with numerous systems simultaneously. Their autonomous nature and ease of creation pose significant challenges to existing Identity and Access Management (IAM) frameworks, primarily designed around human users.

Implications for Identity Security and Governance

The rise of AI agents compels a reevaluation of security protocols for identity management. Conventional IAM systems that rely on multi-factor authentication (MFA) and user-centric controls are often ill-equipped to handle these autonomous digital identities. AI agents usually require multiple identities or credentials to function effectively, especially when integrated with high-performance development or content creation systems.

While most of our attendees don't have specific policies to manage AI agents, they agreed that the existing identity governance policies would be sufficient if more stringently applied to these new AI Agents. If these existing controls are not enforced more stringently, then AI agents may operate with excessive privileges, access sensitive data without proper authorization, or may be manipulated to reveal sensitive data.

AI strategies for securing AI-driven digital workers

To address these challenges, Delinea tabled the following for consideration towards a comprehensive AI identity security approach:

1. Implement Privileged Access Management (PAM): Since AI agents typically cannot perform MFA, PAM solutions are vital. They can control and monitor credentials used by these agents, enforce just-in-time access, and audit activities, ensuring sensitive data remains protected.

2. Use machine identity frameworks: Strong credentials such as PKI and newer standards like SPIFFE (Secure Production Identity Framework for Everyone) and its verification and issuance service, SPIRE (SPIFFE Runtime Environment), offer a formalized way to issue and manage cryptographically secure identities for modern workloads. This ensures AI agents are properly authenticated and authorized for specific tasks.

3. Define ownership and accountability: Clear responsibility assignments are crucial. Designating business owners or managers ensures AI agents operate within established parameters, monitoring and reviewing their activities regularly.

4. Enforce least privilege access: Grant AI agents only the necessary permissions for their tasks. Regular access reviews and audits help revoke unnecessary privileges, minimizing the attack surface.

5. Begin with low-risk deployments: Organizations new to AI agents should start by assigning them tasks with minimal impact in case of errors. Additionally, the mass rush to adopt AI everywhere can be avoided somewhat by simply requiring an estimation of ROI for each project. This phased approach allows for careful monitoring and refinement of governance practices.

The attendees agreed that intelligent automation is becoming central to enterprise operations, and securing AI agents as a distinct class of digital identities is critical. Implementing robust identity security strategies and governance frameworks is a business imperative now. Modern identity security solutions can help them unlock the benefits of AI-driven automation while safeguarding their data, systems, and compliance.

You may be thinking “where do I get started” or “who is using AI within my company today?”

Delinea Continuous Identity Discovery can help you automatically establish an AI usage baseline, govern activity, and block unapproved services to mitigate unmanaged risks.