Why AI is forcing a reset of the identity stack


The Computer Weekly Security Think Tank considers the intersection of AI and IAM. In this article, we explore the shift from identity management to identity intelligence.

Identity and Access Management (IAM) has evolved from being a mere back-office security control to becoming the backbone of how organisations operate, compete, and manage risk in an AI-driven world. The rapid adoption of generative AI (GenAI), autonomous agents, and machine-driven workflows is fundamentally altering the identity landscape. This is not just a gradual evolution of IAM, but the emergence of an entirely new identity stack. This new stack must account for humans, machines, and increasingly, AI agents acting with autonomy and speed.

This shift is revealing a critical gap. Traditional IAM architectures were designed around relatively static identities such as employees, partners, and customers, with predictable access patterns. However, AI disrupts this model. Identities are now dynamic, ephemeral, and often non-human, with agents being created, modified, and retired in real time. This has immediate security implications. Gartner predicts that by 2028, 25% of organisational breaches will be traced back to AI agent abuse, highlighting how quickly this risk surface is expanding.

One of the most significant changes in the new identity stack is the elevation of AI agents to first-class identities. These are not merely service accounts or bots in the traditional sense. They can act independently, make decisions, and interact across systems with varying levels of privilege. This creates a new category of identity risk. In many environments today, highly privileged AI agents can be indirectly controlled by users with far lower levels of access. This results in a widening gap between who is authorised and what is actually executed, a fundamental breakdown of least privilege principles.

At the same time, the business uses of these identities are highly transient. The roles and uses of AI agents may exist for seconds or minutes, with needed permissions shifting continuously based on context. This makes traditional identity governance approaches, including periodic reviews, static roles, and policy-based controls, increasingly ineffective. Organisations are, in effect, trying to secure a moving target with tools designed for a fixed perimeter.

To address this, IAM must evolve from identity management to identity intelligence. This means embedding AI not just into user experience, but into the core of identity security, enabling real-time detection, adaptive access control, and continuous verification. Identity decisions can no longer rely solely on predefined rules; they must be context-aware, risk-based, and responsive to rapidly changing behaviours.

For example, detecting anomalous behaviour from an AI agent requires understanding not just who or what the agent is, but what it is trying to achieve, how its behaviour is changing, and whether that aligns with expected intent. This is a fundamentally different problem from traditional authentication and authorisation.
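One way to close the gap described earlier, where a highly privileged agent is steered by a user with far less access, is to check every agent action against the intersection of the agent's and the delegating user's permissions, under a grant that lives for seconds or minutes. The following Python is an added example, not from the original article; the scope names, agent and user identifiers, and function names are hypothetical.

```python
import time
from dataclasses import dataclass

# Constructed sample data: agents, users and scope names are hypothetical.
AGENT_SCOPES = {"report-agent": frozenset({"crm:read", "crm:export", "payroll:read"})}
USER_SCOPES = {
    "alice": frozenset({"crm:read"}),
    "bob": frozenset({"crm:read", "crm:export", "payroll:read"}),
}

@dataclass(frozen=True)
class Grant:
    agent_id: str
    on_behalf_of: str
    scopes: frozenset
    expires_at: float

def issue_grant(agent_id, user_id, requested, ttl_seconds=60, now=None):
    """Issue a short-lived grant limited to what BOTH the agent and the user hold."""
    now = time.time() if now is None else now
    effective = (
        frozenset(requested)
        & AGENT_SCOPES.get(agent_id, frozenset())
        & USER_SCOPES.get(user_id, frozenset())
    )
    return Grant(agent_id, user_id, effective, now + ttl_seconds)

def authorize(grant, scope, now=None):
    """Return (allowed, reason). Meant to run on every action, not once per session."""
    now = time.time() if now is None else now
    if now >= grant.expires_at:
        return False, "grant expired"
    if scope not in grant.scopes:
        # The agent's own privilege is not enough: the delegating user must hold it too.
        if scope in AGENT_SCOPES.get(grant.agent_id, frozenset()):
            return False, "agent holds scope but delegating user does not"
        return False, "scope not granted"
    return True, "ok"

if __name__ == "__main__":
    g = issue_grant("report-agent", "alice", {"crm:read", "payroll:read"}, now=1000.0)
    for scope, at in [("crm:read", 1010.0), ("payroll:read", 1010.0), ("crm:read", 1060.0)]:
        print(scope, at, authorize(g, scope, now=at))
```

The denial reason "agent holds scope but delegating user does not" is worth logging as its own event, since it marks exactly the case where a lower-privileged user reached for the agent's higher privilege.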

In conclusion, the rise of AI and machine-driven workflows necessitates a shift in our approach to identity and access management. Traditional methods are no longer sufficient in a world where identities are dynamic, ephemeral, and often non-human. As we move forward, it’s crucial that we evolve our strategies and tools to keep pace with these changes, ensuring that our systems are secure, efficient, and capable of supporting the needs of our increasingly AI-driven world. 
