The Computer Weekly Security Think Tank considers the intersection of AI and IAM. In this article, we explore the shift from identity management to identity intelligence.In the rapidly evolving landscape of artificial intelligence (AI), Identity and Access Management (IAM) is no longer confined to the back-office security control. It is swiftly becoming the control plane for how organisations operate, compete, and manage risk. The swift adoption of generative AI (GenAI), autonomous agents, and machine-driven workflows is fundamentally reshaping the identity landscape. This is not a mere incremental evolution of IAM, but the emergence of an entirely new identity stack. This new stack must account for humans, machines, and increasingly, AI agents acting with autonomy and speed.
This shift is revealing a critical gap. Traditional IAM architectures were built around relatively static identities, such as employees, partners, and customers, with predictable access patterns. However, AI disrupts this model. Identities are now dynamic, ephemeral, and often non-human, with agents being created, modified, and retired in real time. This has immediate security implications. Gartner predicts that by 2028, 25% of organisational breaches will be traced back to AI agent abuse, highlighting how quickly this risk surface is expanding.
One of the most significant changes in the new identity stack is the elevation of AI agents to first-class identities. These are not simply service accounts or bots in the traditional sense. They can act independently, make decisions, and interact across systems with varying levels of privilege. This creates a new category of identity risk. In many environments today, highly privileged AI agents can be indirectly controlled by users with far lower levels of access. The result is a widening gap between who is authorised and what is actually executed, a fundamental breakdown of least privilege principles.
At the same time, the business uses of these identities are highly transient. The roles and uses of AI agents may exist for seconds or minutes, with needed permissions shifting continuously based on context. This makes traditional identity governance approaches, including periodic reviews, static roles, and policy-based controls, increasingly ineffective. Organisations are, in effect, trying to secure a moving target with tools designed for a fixed perimeter.
To address this, IAM must evolve from identity management to identity intelligence. This means embedding AI not just into user experience, but into the core of identity security, enabling real-time detection, adaptive access control, and continuous verification. Identity decisions can no longer rely solely on predefined rules; they must be context-aware, risk-based, and responsive to rapidly changing behaviours.
For example, detecting anomalous behaviour from an AI agent requires understanding not just who or what the agent is, but what it is trying to achieve, how its behaviour is changing, and whether that aligns with expected intent. This is a fundamentally different problem from traditional authentication and authorisation.
In conclusion, the rise of AI and the dynamic nature of identities in the digital world necessitate a shift in our approach to identity and access management. The traditional methods are no longer sufficient, and we must move towards a more intelligent, adaptive, and context-aware approach to managing identities. This shift is not just about improving security, but also about enabling organisations to operate, compete, and manage risk in an AI-driven world.
