
Why You Won’t Patch Your Way Out of the AI Security Crisis

TL;DR: AI security is not just a patching problem. It is an identity control problem, and most organizations are still exposed there.

As a Principal Technologist with 26 years in the field, I have seen this pattern too many times. A new threat shows up, the industry scrambles for control, and the conversation collapses into patching, scanning, and dashboards. It looks productive because it is measurable. That does not mean it is solving the real problem.

That is exactly what I see happening with AI security. The new executive order gets one thing right. Advanced AI is a national security issue. But once you get past the headline, the response falls back into the usual playbook. Harden systems. Scan for vulnerabilities. Patch faster.

Those things matter. But in AI-enabled environments, the bigger issue is valid access being abused through weak identity controls and overprivileged non‑human accounts.

You are not going to patch your way out of an identity-driven security crisis.

Recent advances make this harder to ignore. Claude Mythos showed that frontier models can autonomously discover and exploit vulnerabilities at scale. MOAK is trying to prove that public models are already enough to weaponize known exploited vulnerabilities in minutes. Even if MOAK still needs broader validation, the direction is obvious. The old assumption that defenders have a comfortable patch window is breaking down fast.

AI systems do not stand on their own. They sit on top of identity platforms, APIs, service principals, automation pipelines, and data access layers. Identity is the control plane for AI security.

The control plane is already exposed

The old model assumes attackers get in by exploiting an unpatched system. That still happens, but it is no longer the main story in many environments. Microsoft says it sees more than 600 million identity attacks every day, and more than 99 percent still target passwords. That should tell us where the pressure really is.

Too much of the AI security conversation still focuses on model safety, infrastructure hardening, and vulnerability management while glossing over the real questions: who has access, what those identities can do, and how fast abuse would be caught.

A recent example comes from Microsoft Entra ID in April 2026. A flaw in the Agent ID Administrator role allowed ownership changes and credential injection on arbitrary service principals. Adding an owner or a credential to a service principal is a full takeover of that principal, including principals holding high-impact permissions, and that path stayed open until Microsoft fixed it on April 9.

The real lesson is not the patch. It is how much privilege these new AI-era primitives already carry when governance and scoping are weak.

Patched doesn’t mean protected

Make it practical. An organization deploys an internal AI assistant connected to SharePoint, Teams, ticketing data, and line-of-business systems. It runs under a service principal with broad read access and a few write actions for automation. The environment is patched. The dashboards look clean.

Now suppose that identity is stolen through token theft, a leaked credential, or a misused secret. The attacker does not need to break anything. They can use the access that already exists to pull sensitive data, map relationships across systems, summarize internal content at scale, and automate actions. Nothing is broken, so patching does not save you. The control plane was already exposed.

That is why I do not see the core AI security problem as a software flaw problem first. I see it as an access problem. When I bring this up at conferences, identity still often feels like an afterthought. But overprivileged identities, standing permissions, weak scoping, poor monitoring, and slow response are what turn modern environments into easy targets. You do not patch those conditions away. You govern them.

IBM’s breach data shows the same pattern. Breaches involving compromised credentials have cost about $4.81 million on average and taken 292 days to identify and contain. That is identity abuse living too long inside the environment.

This is why non-human identity security matters so much now. AI agents, apps, automations, and service principals are no longer edge cases. They are part of the operating fabric. If they hold broad standing access and nobody is watching them closely, the attack surface grows with every new integration.

What needs to change

Better patching and hardening are still table stakes. But they cannot be the centerpiece of the AI security strategy. Identity governance has to become a primary control, especially for non-human identities. That means least privilege for service principals and agents, tighter control over credential creation and ownership changes, continuous monitoring for abnormal access, and response built around identity abuse, not just malware.
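As a concrete version of those controls, the following added Python example (not code from the original post or from Cayosoft) does two of the checks above in one pass: it compares a service-principal permission inventory against a short list of tenant-wide Microsoft Graph application permissions, and it triages Entra ID audit events that add credentials, owners or app roles to a service principal, the class of change the April 2026 Agent ID Administrator flaw abused. The records mimic the general shape of Microsoft Graph `auditLogs/directoryAudits` entries (activityDisplayName, initiatedBy, targetResources) but are constructed for the demo, and every principal name (assistant-sp, agent-admin-sp, ticket-sync-sp, ops.admin@contoso.example) is a placeholder. The activity names and permission names are real Entra ID values; the escalation rules are this example's own.

```python
"""Flag over-privileged service principals and risky changes to them.

Added example for this post; not code from the article or from Cayosoft.
Records follow the general shape of Microsoft Graph auditLogs/directoryAudits
entries but are constructed and simplified, as is the permission inventory.
Replace both with real exports before use.
"""

# Application permissions that amount to tenant-wide control. Any service
# principal (SP) holding one of these is a high-impact target.
HIGH_IMPACT_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}

# Audit activities that change who can act as an SP, or what it can do.
WATCHED_ACTIVITIES = {
    "Add service principal credentials": "credential added",
    "Add owner to service principal": "owner added",
    "Add app role assignment to service principal": "permission granted",
}

# Constructed inventory: application permissions granted to each SP.
SP_PERMISSIONS = {
    "assistant-sp": {"Sites.Read.All", "ChannelMessage.Read.All",
                     "Directory.ReadWrite.All"},
    "ticket-sync-sp": {"Sites.Read.All"},
}

# Constructed audit records (hypothetical actors and targets).
AUDIT_EVENTS = [
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2026-04-08T02:14:09Z",
     "initiatedBy": {"app": {"displayName": "agent-admin-sp"}},
     "targetResources": [{"type": "ServicePrincipal",
                          "displayName": "assistant-sp"}]},
    {"activityDisplayName": "Add owner to service principal",
     "activityDateTime": "2026-04-08T02:15:31Z",
     "initiatedBy": {"app": {"displayName": "agent-admin-sp"}},
     "targetResources": [{"type": "ServicePrincipal",
                          "displayName": "assistant-sp"}]},
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2026-04-08T09:02:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "ops.admin@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal",
                          "displayName": "ticket-sync-sp"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2026-04-08T09:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "ops.admin@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "j.doe"}]},
]


def overprivileged(sp_permissions):
    """Return {sp: high-impact permissions it holds}, omitting clean SPs."""
    return {sp: perms & HIGH_IMPACT_PERMISSIONS
            for sp, perms in sp_permissions.items()
            if perms & HIGH_IMPACT_PERMISSIONS}


def actor_of(event):
    """Name the initiator and say whether it is a human account."""
    who = event.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user"), True
    return who.get("app", {}).get("displayName", "unknown-app"), False


def triage(events, sp_permissions):
    """Turn audit events into alerts. Severity is raised when the target
    already holds high-impact permissions or when the change was made by a
    non-human identity (one SP reshaping another SP)."""
    risky = overprivileged(sp_permissions)
    alerts = []
    for ev in events:
        label = WATCHED_ACTIVITIES.get(ev.get("activityDisplayName"))
        if label is None:
            continue
        targets = [t["displayName"] for t in ev.get("targetResources", [])
                   if t.get("type") == "ServicePrincipal"]
        actor, is_human = actor_of(ev)
        for target in targets:
            reasons = []
            if target in risky:
                reasons.append("target holds " + ", ".join(sorted(risky[target])))
            if not is_human:
                reasons.append("initiated by non-human identity")
            alerts.append({"time": ev["activityDateTime"],
                           "severity": "high" if reasons else "medium",
                           "change": label, "actor": actor,
                           "target": target, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for sp, perms in overprivileged(SP_PERMISSIONS).items():
        print(f"LEAST-PRIVILEGE FINDING {sp}: {sorted(perms)}")
    for a in triage(AUDIT_EVENTS, SP_PERMISSIONS):
        print(f"{a['severity'].upper():6} {a['time']} {a['change']} on "
              f"{a['target']} by {a['actor']} "
              f"({'; '.join(a['reasons']) or 'no escalation'})")
```

Two escalations carry the weight here: a change to a principal that already holds a tenant-wide permission, and one service principal adding a credential or owner to another, which is the shape a compromised automation identity takes when it persists. The human-initiated credential addition on the low-privilege principal is still recorded, because credential creation should be reviewed in every case, but it does not fire as high. Pointing the same logic at a real directoryAudits export and a permission inventory pulled from the Graph API is the only change needed.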

Policy also needs to catch up. If AI is part of the national security conversation, identity control around AI deployments should be treated as foundational. Who can create these identities? Who can grant them access? Who can change their credentials? How fast would anyone know if they started behaving abnormally?

AI is not creating a completely new security problem. It is amplifying one we have under-governed for too long. The organizations that get this right will stop thinking only in patch cycles and start treating identity control, workload access, and response speed as the real battleground for AI security. That is where this will be won or lost.


FAQs

No. Patching and hardening are table stakes, but in AI-enabled environments, the larger exposure is valid access being abused through weak identity controls and overprivileged non-human accounts. The core issue is who and what has access, what those identities can do, and how fast abuse would be detected.

Non-human identities are the service principals, AI agents, apps, and automation accounts that AI systems run on. They increasingly hold broad standing access across systems like SharePoint, Teams, and line-of-business tools. If they are overprivileged and unmonitored, the attack surface grows with every new integration, which is why governing them is now central to AI security.

Yes. If an attacker steals an identity through token theft, stolen credentials, or a misused secret, they use access that already exists. Nothing has to be broken, so patching does not stop them. They can pull sensitive data, map systems, and automate actions while dashboards still look clean.

They compromise the credential rather than the code. Microsoft reports more than 600 million identity attacks daily, over 99 percent of them targeting passwords. Once an AI agent’s identity is taken, its standing permissions become the attacker’s permissions. IBM’s data puts credential-based breaches at about $4.81 million on average and 292 days to identify and contain.

Make identity governance a primary control, especially for non-human identities. That means least privilege for service principals and agents, tighter control over credential creation and ownership changes, continuous monitoring for abnormal access, and incident response built around identity abuse rather than only malware.

See Cayosoft in Action

Cayosoft is recognized by Gartner as an ITDR solution provider and provides solutions that make identities more resilient to attacks and guarantee a fast forest recovery, if needed. Learn how Cayosoft Guardian facilitates granular change tracking, post-breach analysis, and long-term AD security improvements. Schedule a demo to see the capabilities in depth.
