AI identities expose gap in modern privileged access
Only a small minority of organisations have adopted modern, time-bound controls over highly sensitive accounts despite rising use of artificial intelligence and cloud services, according to new research from identity security firm CyberArk.
The study of 500 US professionals working in privileged access management, identity and infrastructure roles found that just 1% of organisations have fully implemented a Just-in-Time (JIT) model for privileged access. The model grants elevated rights only when needed and for limited periods.
In contrast, 91% of respondents said at least half of their privileged access remains “always-on”. That approach gives users and systems persistent entry to critical infrastructure and data. It reflects access patterns from earlier, less dynamic IT environments.
The findings highlight a gap between confidence in privileged access programmes and daily operational practice. CyberArk said 76% of organisations believe their privileged access management strategies are ready for AI, cloud and hybrid environments. The reported dependence on standing access suggests that many programmes still rely on legacy assumptions.
AI identities overlooked
The report points to a growing role for AI agents and non-human identities such as machine accounts, service accounts and software bots. These identities often perform automated tasks against production systems and data.
Almost half of respondents, 45%, said they apply the same privileged access controls to AI agents as they do to human users. A third, 33%, said they do not have clear AI access policies in place. The combination indicates uneven treatment of machine and AI identities compared with human accounts.
CyberArk said these findings suggest that AI-driven identities are emerging as a new blind spot in privileged access strategies. The company argued that many organisations still anchor their controls around human administrators and ignore the expansion in machine-based access paths.
“Dynamic, evolving environments mean the nature of privileged access - and how to secure it - has fundamentally changed,” said Matt Cohen, CEO, CyberArk. “With only one percent of organisations having fully implemented a Just-in-Time access model, it's clear that industry-wide modernisation is overdue. As AI agents and non-human identities take on increasingly sensitive tasks, applying the right privilege controls to each identity - and governing every privileged action - is now essential.”
Shadow privilege growth
The research also describes the spread of “shadow privilege”. The term covers unmanaged, unknown or unnecessary privileged accounts and secrets that accumulate across systems over time.
More than half of organisations, 54%, reported that they discover unmanaged privileged accounts and credentials every week. The pattern indicates that privilege sprawl has become a routine operational issue rather than an occasional clean-up task.
The study found that 88% of organisations use two or more identity security tools. Respondents linked this tool spread with fragmentation and blind spots. It often leaves security and operations teams without a single view of who or what has elevated access across disparate environments.
Traditional governance methods are also under pressure. Two-thirds of respondents, 66%, said periodic privileged access reviews delay projects. Nearly as many, 63%, admitted that employees bypass controls so they can move faster. The data suggests a tension between security requirements and delivery speed.
Modernisation pressure
The organisations in the study reported that modernisation efforts are in progress. The low rate of full JIT adoption indicates that most remain in transition from static, role-based privilege models towards more dynamic controls.
CyberArk said one focus for organisations is reduction of standing privileges through risk-based access decisions. Another area is greater automation and orchestration of JIT workflows, especially for high-risk or sensitive actions that involve production systems or confidential data.
The firm also pointed to the need for consistent governance across human, machine and AI identities. That includes context-aware checks on what actions each identity can perform and under which conditions. It also includes simplification of overlapping identity platforms so that security teams can gain clearer visibility.
The research used responses from DevOps engineers, identity architects, security managers, database administrators, site reliability engineers, cloud security specialists, IT support staff and software engineers. These roles sit across decision-making, champion, influencer and end-user groups in organisations that manage privileged access for modern infrastructure.