Key Findings

• 92% of organizations lack full visibility into AI identities operating within their systems

• 71% of CISOs confirm AI tools have access to critical systems like Salesforce and SAP, but only 16% report this access is governed effectively

• 95% of security leaders doubt their ability to detect or contain AI misuse

• 75% of organizations have already discovered unsanctioned AI tools running in their environments

• 86% do not enforce formal access policies for AI identities

• Only 5% of security leaders feel confident they could contain a compromised AI agent

Background

The research, released by Cybersecurity Insiders in collaboration with Saviynt, reveals a growing disconnect between AI adoption and security governance in enterprise environments. What started as isolated tool implementations has evolved into a widespread phenomenon where artificial intelligence systems now operate alongside traditional infrastructure with minimal oversight. These AI identities represent a new class of non-human actors that differ fundamentally from legacy service accounts, possessing capabilities to invoke APIs, maintain persistent credentials, and move across applications with limited human supervision.

The Access Problem

AI systems have quietly gained entry to the crown jewels of enterprise infrastructure. According to the study, nearly three-quarters of security leaders acknowledge that AI tools hold access to mission-critical platforms. However, this access often materialized through organic adoption rather than formal provisioning processes. The disconnect between confirmed access and effective governance represents the core vulnerability identified in the research. Organizations unknowingly granted these systems permissions that would trigger immediate scrutiny if requested by human employees.

The Visibility Crisis

The inability to see what AI systems are doing within networks has become the defining challenge. With 92% lacking complete visibility into these identities, security teams are essentially flying blind. This gap extends beyond simple monitoring deficiencies. It represents a fundamental loss of control over systems that interact with sensitive data, execute transactions, and make decisions affecting business operations. The problem compounds when considering that traditional security tools were designed around human users with predictable behavior patterns, not autonomous agents operating 24/7.

The Shadow AI Problem

Three-quarters of surveyed organizations have stumbled upon unsanctioned AI tools already embedded in their environments. These discoveries typically occur by accident rather than through deliberate security auditing. Employees and departments deployed AI solutions to solve immediate business problems without routing requests through formal procurement or security channels. The result is a sprawling ecosystem of shadow AI that bypasses governance frameworks entirely.

The Confidence Gap

Perhaps most alarming is the pervasive doubt among security leaders about their incident response capabilities. When asked whether they could contain a compromised AI agent, only 5% expressed confidence. This near-total lack of preparedness suggests that organizations have not developed playbooks, tools, or procedures for handling scenarios where an AI system becomes a vector for attack or data theft. The implications are severe for scenarios involving credential compromise, prompt injection attacks, or unauthorized API calls.

Policy Enforcement Breakdown

The enforcement of formal access policies for AI identities remains virtually nonexistent, with 86% of organizations reporting they do not maintain such controls. This absence reflects both the newness of the challenge and the difficulty of retrofitting governance frameworks designed for human workflows onto machine identities. Without enforcement mechanisms, even well-intentioned policies exist only as aspirational statements rather than operational reality.

What This Means

According to Holger Schulze, founder of Cybersecurity Insiders, the problem has already moved beyond theoretical risk into present operational reality. "AI already has access to business-critical systems, often with more autonomy and less oversight than any security team would knowingly approve," he stated. Organizations without visibility into these accounts cannot claim to control their own environments. The research suggests that as AI continues integrating into workflows, security teams must fundamentally shift their approach toward continuous discovery, classification, and monitoring of machine identities to maintain any semblance of security posture.

Sources

• https://hackread.com/the-ungoverned-workforce-cybersecurity-insiders-finds-92-lack-visibility-into-ai-identities/

• https://www.linkedin.com/posts/cyber-news-live_the-ungoverned-workforce-cybersecurity-insiders-activity-7452524815405674496-Z4Wc

• https://finance.yahoo.com/sectors/technology/articles/ungoverned-workforce-cybersecurity-insiders-finds-142500065.html