Exclusive: BeyondTrust CTO warns of AI identity risks
When it comes to cyber threats, identity is the new perimeter.
According to James Maude, Field Chief Technology Officer (FCTO) at identity security company BeyondTrust, attackers today no longer need to break in. Instead, they're logging in - with stolen or misconfigured identities that offer them exactly the access they want.
"Attackers no longer need to hack in to compromise an organisation," Maude told TechDay in an exclusive interview.
"They just need to compromise the right identity with the right level of privilege and access - and they can simply log into a cloud system and access data, access systems and have the impact they want."
Speaking from Melbourne ahead of his appearance at CyberCon, Maude laid out how identity security has become the top concern in modern cyber defence - especially in hybrid and cloud-first environments where the traditional network perimeter has all but vanished.
"Twenty years ago, we thought about the network as the perimeter," he explained. "Then we shifted to thinking about endpoints and applications. Now, we're in the age where identity is the new battleground."
And in this new battleground, organisations are managing not only human users but also an exploding number of non-human ones - most notably, AI agents. These agents, designed to improve productivity and automate tasks, are being granted dangerous levels of access without the proper controls or oversight.
"In some of the most extreme cases, they're being given full global administrator privileges," Maude said. "That's highly privileged access, and organisations often have no idea it's happening."
He explained that many of these agentic AI identities are created automatically when users interact with low-code or no-code platforms, such as Microsoft Copilot, Salesforce, or ServiceNow. "A user might just say to Copilot, 'Can you monitor my emails?' and in the background, an AI identity is created to do that. Organisations don't even know it's there."
Maude revealed that around 60 percent of companies using BeyondTrust's new Identity Security Insights tool had some form of Microsoft-based AI agent already active. In some cases, these businesses had over 1,000 agentic AI identities operating under the radar.
"That's a huge risk if that level of privilege and access is there 24/7, and it's been configured without any operational oversight," he said. "You wouldn't allow a user to do that, but we often forget those lessons when it comes to AI."
The problem, according to Maude, is compounded by the way many organisations still manage their environments: in silos. Identity, endpoint, cloud, and Active Directory teams are often separated, and that's where attackers find the gaps.
"Often people are structured around the old ways of thinking," he said. "Where these silos form, there's gaps in visibility. Attackers can compromise the right identity and jump between silos using misconfigurations that go unnoticed."
He cited a common example: an organisation might secure its domain administrator accounts in a vault, limiting their use to when absolutely necessary. But if Active Directory - the infrastructure underpinning those accounts - is misconfigured, then even a standard user could potentially escalate to domain admin.
"That completely undermines all the effort and investment you've made into securing those accounts," Maude warned. "You've got to take a holistic view of identity."
He said that organisations often assume a user is low risk because their Active Directory account is unprivileged - but fail to consider the cloud applications, SaaS platforms, and SSO connections tied to that account.
"You could look at me as a user and say I'm standard," he said. "But that same account is used to log into the SSO solution, which gives me access to 20 different cloud apps. Some of those might have a significant level of privilege. It's very hard to see that without the right tools."
When asked what organisations can do to reduce identity risk, Maude said the first step is simple: visibility.
"A lot of companies are aware of the challenges. They just don't know where to begin," he said. "The first step is a risk assessment. Let's get a holistic view of what your identity landscape looks like today."
BeyondTrust offers complimentary Identity Security Risk Assessments to help organisations understand their privilege landscape, misconfigurations, and the most likely paths an attacker might exploit.
"Organisations are often reacting and firefighting in the wrong areas," Maude said. "They might spend a lot of time and money securing one part of the environment, but that's not where the biggest risk is."
He also stressed the need for AI-driven tools that can analyse identity data in the way attackers do - looking for hidden relationships and connections across systems.
"You can't do this with spreadsheets. You need tools that can think in graphs," he said. "AI and machine learning are perfect for this. They can map out the privilege paths, understand the data, and surface the biggest risks."
Despite the hype around AI, Maude stressed that AI identities are still identities - and should be treated accordingly.
"AI is a little bit the old new thing," he said. "We already know what the best practices are. Least privilege, just-in-time access, secrets rotation. Those same principles should apply to AI agents."
He pointed out that organisations would never allow a user to create ten new privileged accounts without oversight - yet they often allow AI to do exactly that through automation and convenience.
"Let's be honest, users aren't asking for permission to do this," he said. "They're just going to do it because it makes their lives easier."