AI, Agentic AI, and Identity Security: What Organizations Need to Know Before They Automate

Before AI agents take action in your environment, your security team needs clear control over identities, credentials, privileges, and access paths. Here’s how.

Segura® | Team

June 10, 2026 | 9 minutes read

AI agents, copilots, and automated workflows are creating new pressure on identity security. Before organizations give AI systems more access, security teams need to know which identities, credentials, privileges, certificates, and sessions are already in use. Based on a recent RSAC 2026 podcast conversation with Joseph Carson and Edu Pereira, this article explains how CISOs, IAM leaders, and security teams can strengthen access control, PAM, identity management, and audit readiness before scaling agentic AI.

AI Adoption Should Start With Identity Security

A developer asks an AI copilot to help fix a production issue. An operations team uses an AI agent to trigger a workflow. A support team connects automation to a customer system. A security analyst relies on a chat interface to pull logs, check access, or start a response process.

The interface looks different now. The work may start in a prompt instead of a console. But the security problem is still familiar.

Every action still depends on an identity, a credential, a privilege, and a system that allows the work to happen.

That is why AI adoption creates a practical identity security question for CISOs, IAM leaders, and security teams: before the organization gives AI systems more access, can it see and control the access already in place?

In a special RSAC 2026 podcast episode, Joseph Carson, Advisory CISO and Chief Evangelist at Segura®, joined Edu Pereira, Segura®’s North American Regional Sales Director, to discuss what organizations need to get right before scaling AI and agentic AI across the enterprise.

Their conversation focused on a problem security teams are already starting to face. AI agents, service accounts, and automated processes are acting across more systems, using more credentials, and touching more workflows.

That makes privileged access, machine identities, session visibility, certificate management, and credential control harder to treat as separate problems. If identities are unmanaged, credentials are exposed, privileges are excessive, or sessions are hard to review, automation can carry those issues into more places.

Before AI becomes another layer of privileged activity, security teams need a better handle on the access behind it.

AI Agents Create New Identity and Access Risks

AI is showing up across cybersecurity, from detection and response to copilots, automated workflows, and agentic operations.

For security leaders, the buying conversation should stay grounded in access. An AI tool may look impressive in a demo, but the operational risk shows up later: which systems it can reach, which credentials it uses, which actions it can trigger, and what record exists after it runs.

AI agents can interact with systems, call APIs, trigger workflows, use credentials, and act on behalf of users or processes. In day-to-day security terms, they behave like identities. They need owners, limits, monitoring, and activity records.

Security teams already know this problem from:

  • Service accounts
  • Scripts
  • Bots
  • Workloads
  • CI/CD pipelines
  • API keys
  • SSH keys
  • Certificates
  • Other non-human identities

AI adds another category to an access problem many teams are still trying to clean up.

Deloitte predicted that 25% of companies using generative AI would launch agentic AI pilots or proofs of concept in 2025, increasing to 50% by 2027.

For many teams, AI agents will not arrive as one neat, approved program. They may show up first inside developer tools, SaaS platforms, IT workflows, support processes, and cloud operations.

One team may test an agent to speed up troubleshooting. Another may connect a copilot to a ticketing workflow. Another may use automation to make infrastructure changes faster. 

Each use case needs clear ownership, defined permissions, credential control, and activity review before it becomes part of daily operations.

AI Can Carry Existing Access Risks Into New Workflows

AI can help teams move faster across development, operations, support, security, and business workflows. Fast work becomes risky when access is messy underneath.

Picture an AI agent using a service account to complete a routine task. If that service account has more access than it needs, the agent inherits the same excessive permissions. If no one owns the account, no one may notice when permissions drift. If the session is not monitored, the team may not have a clear record of what changed.

The same issue can happen when a secret lands in a prompt, script, pipeline, repository, or execution log.

GitGuardian reported 28.65 million new hardcoded secrets in public GitHub commits in 2025. It also reported an 81% increase in AI-service leaks. That is a strong warning sign for teams expanding AI-assisted development or agentic workflows.

As AI touches more systems, identity security has to make access visible, limit excessive permissions, protect credentials, and preserve a clear record of privileged activity.

Detection still matters. Security teams still need to spot suspicious behavior, unusual access, and risky activity. But AI-generated content can make old signals harder to trust. A message may look normal. A request may sound right. A workflow may appear routine.

Identity security gives teams a second layer of protection when something gets through. It limits what the identity can do, records what happened, and gives the team evidence to review.

Before Scaling AI, Strengthen Identity Security Basics

Before AI expands access, security teams need to know the basics are actually under control.

Security teams still need control over:

  • Endpoints
  • Identities
  • Privileged access
  • Certificates
  • Credentials
  • Non-human identities

Many organizations still rely on manual processes or fragile controls for critical security work.

Certificates may live in spreadsheets. Privileged access may rely on shared accounts, standing permissions, default credentials, or weak passwords. Service accounts may have more access than they need. Sessions may not be recorded clearly enough to support an audit or investigation.

An AI agent using an over-permissioned service account can move that access into more workflows. A process that depends on unmanaged credentials can spread risk across more systems. An expired certificate can still break a critical application, whether the workflow around it is manual or AI-assisted.

Certificate management is also becoming more operationally demanding. Public TLS certificate validity is moving toward a 47-day maximum in 2029 under CA/Browser Forum baseline requirements. For teams still tracking certificates manually, that means more renewals, tighter timelines, and less room for missed ownership.

AI readiness starts with security work that can hold up in daily operations: clear identity ownership, protected credentials, controlled privileged access, endpoint security, certificate lifecycle management, session visibility, and audit-ready evidence.

AI Agents Need the Same Access Controls as Service Accounts

Security teams should treat AI agent access like privileged activity, with a business purpose, an owner, a review cycle, and a clear removal path when it’s no longer needed.

Just-in-time access can reduce standing privileges. Least privilege can keep users, systems, and agents from reaching more than they need. Session monitoring can show what happened during privileged activity. Credential and certificate management can help prevent exposed secrets, expired certificates, and unmanaged access paths.

These problems are not new. Security teams have dealt with excessive privileges, unauthorized access, identity sprawl, unmanaged credentials, and accounts no one fully owns for years.

AI agents add another version of the same mess.

If teams don’t define ownership, permissions, and review cycles early, agent sprawl can become the next identity sprawl. The fix starts with the same discipline security teams already use for human users, service accounts, workloads, and other non-human identities.

Legacy PAM Tools and Tool Sprawl Slow Down Access Control

Security teams already have enough work to do without chasing access across disconnected tools.

Legacy systems can slow that work down. If a PAM implementation takes months or years, the business stays exposed while the team waits for value. If the tool needs too many servers, too much manual work, or too many specialists to maintain, it becomes harder to keep privileged access under control.

Point solutions can create another kind of drag. Separate tools for privileged access, credentials, certificates, machine identities, remote access, and session monitoring often mean more consoles, more policies, and more places to pull evidence during audits or investigations.

Security teams shouldn’t need a new tool every time a new type of identity appears.

As AI agents, service accounts, workloads, and automations become part of daily operations, access management has to get easier to run. PAM, credential rotation, session recording, certificate management, and secure remote access should work together instead of creating another layer of operational work.

The platform also has to support new use cases without long projects, heavy customization, or another tool purchase.

For the team doing the work, the impact is easy to see:

  • Risky access takes too long to find
  • Credential rotation depends on chasing owners across teams
  • Audit evidence has to be built by hand
  • Adding a new identity type becomes another implementation project

Those are the operational challenges a unified access management approach should help reduce.

Identity Management Must Work Across Hybrid and Multi-Cloud Environments

Most organizations don’t operate in one clean environment.

They have on-premises systems, data centers, cloud infrastructure, SaaS applications, remote users, service accounts, workloads, and automation spread across different teams.

Access control has to match that reality.

Security teams need consistent identity management across hybrid and multi-cloud environments, with controls for privileged access, credentials, sessions, certificates, and non-human identities. They also need an architecture that supports cloud security without requiring too many servers, too many components, or too much manual effort to keep running.

When AI agents and automated workflows start touching more systems, fragmented access management becomes harder to explain, audit, and control.

A strong identity security platform should help teams assign identities, set limits, rotate credentials, record sessions, manage certificates, and keep usable evidence across the environments they already have.

The best tools are the ones teams can deploy quickly, adjust as needs change, and actually use without adding more complexity.

Faster PAM Deployment Helps Reduce Privileged Access Risk

A PAM platform starts delivering value when it is deployed and protecting privileged access in the environment.

When implementation takes months, the same access issues remain open: 

  • Shared accounts remain in use
  • Passwords still need rotation
  • Privileged sessions still need to be recorded
  • Certificates still need to be tracked
  • Remote access still needs tighter control

Implementation speed affects how quickly the organization can reduce risk, support compliance, and gain visibility into privileged activity.

Long projects also consume time, budget, and internal resources. If a platform requires too many servers, too many components, or too many specialists to maintain, the team may spend more time managing the tool than improving security.

A faster implementation helps teams get core controls in place sooner. A lighter architecture helps them keep those controls running without turning identity security into another long internal project.

That becomes important as automation expands. Security teams need to close existing access issues before AI creates more activity to govern.

AI Access Readiness Checklist for Security Teams

Before expanding AI agents, copilots, or automated workflows, security teams should pressure-test the access layer behind them.

Use this checklist to find issues that could slow down AI adoption or increase risk.

1. Identity Inventory and Ownership - Can you inventory human users, service accounts, machine identities, workloads, automations, and AI agents, and assign clear ownership for each?

2. Access Visibility - Can you see what each identity can access across on-premises, cloud, SaaS, and hybrid environments?

3. Excessive Privileges - Can you identify standing privileges, excessive permissions, shared accounts, and orphaned accounts?

4. Credential and Secrets Protection - Can you securely manage and rotate passwords, secrets, SSH keys, API keys, and certificates while preventing exposure in repositories, pipelines, scripts, and logs?

5. Privileged Access Controls - Can you enforce just-in-time access, least privilege, and MFA for privileged activity?

6. Session Monitoring and Activity Review - Can you monitor privileged sessions and review risky commands, approvals, denials, blocked attempts, and access changes?

7. Audit Readiness - Can you quickly produce evidence for audits, investigations, cyber insurance reviews, or compliance requests?

8. Platform Flexibility - Can you support new AI-related use cases without adding another disconnected tool?

If several answers are unclear, the organization may need to fix the access layer before giving AI systems more reach.
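
As an added example (not from the article or from Segura®'s product), the Python sketch below applies checklist items 1, 3, and 4 to an identity inventory: missing owners, granted-but-unused permissions, standing privileges, and stale credentials. The field names, the 90-day rotation threshold, and the sample identities are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MAX_CRED_AGE_DAYS = 90  # assumed rotation policy, not a value from the article

@dataclass
class Identity:
    name: str
    kind: str            # "human", "service_account", "ai_agent", ...
    owner: str | None    # None = nobody is accountable for this identity
    granted: set[str]    # permissions currently assigned
    used_90d: set[str]   # permissions actually exercised in the last 90 days
    cred_rotated: date   # last rotation of the password/key/secret
    standing: bool       # True = always-on privilege, False = just-in-time

# Constructed sample inventory (hypothetical names and permission strings).
INVENTORY = [
    Identity("alice", "human", "alice", {"tickets:read"}, {"tickets:read"},
             date(2026, 5, 20), False),
    Identity("svc-deploy", "service_account", None,
             {"prod:deploy", "prod:db-admin", "secrets:read"}, {"prod:deploy"},
             date(2025, 9, 1), True),
    Identity("triage-agent", "ai_agent", "secops",
             {"logs:read", "iam:write"}, {"logs:read"},
             date(2026, 6, 1), True),
]

def audit(inventory, today):
    """Return {identity name: [findings]} for identities that fail a check."""
    report = {}
    for ident in inventory:
        findings = []
        if not ident.owner:                              # checklist item 1
            findings.append("no owner assigned")
        unused = sorted(ident.granted - ident.used_90d)  # checklist item 3
        if unused:
            findings.append("unused permissions: " + ", ".join(unused))
        if ident.standing:                               # checklist item 3
            findings.append("standing privilege (not just-in-time)")
        age = (today - ident.cred_rotated).days          # checklist item 4
        if age > MAX_CRED_AGE_DAYS:
            findings.append(f"credential not rotated for {age} days")
        if findings:
            report[ident.name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2026, 6, 10)).items():
        print(name, "->", "; ".join(findings))
```

An AI agent that runs under `svc-deploy` would inherit every finding on that account, which is why the service account is audited rather than the agent alone.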

Build an Identity Security Foundation Before Scaling Agentic AI

The conversation between Joseph Carson and Edu Pereira points to a clear takeaway: AI makes weak access controls harder to ignore.

Teams move faster when they can see, control, and prove privileged access. Manual processes, exposed credentials, unmanaged certificates, and incomplete PAM implementations become harder to manage as automation expands.

How Segura® Helps Secure AI Access and Privileged Activity

Segura® helps organizations address those challenges with a unified Privileged Access Management (PAM) platform built to control and monitor privileged activity across users, systems, and environments.

With Segura® PAM, security teams can manage:

  • Credentials and passwords
  • Privileged access
  • Session recording
  • Digital certificates
  • Multifactor authentication
  • Secure remote access
  • Non-human identities
  • Machine identities
  • Access risks around agent identities

Segura® combines agile deployment, a reduced footprint, and support for on-premises, cloud, and hybrid environments, so security teams can put identity security controls in place without adding unnecessary complexity.

If your team is preparing for AI agents, automated workflows, or broader AI adoption, now is the time to review the access layer behind it.

Schedule a demo to see how Segura® can help your organization control privileged access, strengthen identity security, and prepare for AI-driven operations.
