UtopianKnight Consultancy – James Griffiths

STRATEGIC | TECHNICAL | ADVISORY | AI | DEVELOPMENT | vCTO | CYBER | ICS & OT


AI Is Not the Biggest Cyber Risk. Poor Identity Controls Are.

AI is not breaking cybersecurity. Weak identity controls are. AI just makes the consequences faster, cheaper, and harder to ignore.

Right now, too many security strategies are being reshaped around AI threats while the same organisations still run fragile identity and access management systems. This is backwards. Attackers are not winning because of AI. They are winning because identity remains the softest point in most environments.

This article pushes back on the hype and focuses on what actually fails during real incidents. It also lays out the practical IAM controls CISOs and CTOs should be fixing right now.


AI didn’t create the problem. It exposed it.

Most major breaches over the last few years did not start with advanced AI tooling. They started with:

  • Stolen credentials
  • Over-privileged accounts
  • Weak MFA
  • Legacy authentication protocols
  • Poor visibility into identity behaviour

AI helps attackers scale these weaknesses. It does not replace them.

Phishing is a good example. AI makes phishing emails more convincing and more targeted. But phishing only works when identity controls fail afterwards. If MFA is weak, session tokens can be reused, or privileged access is poorly governed, the attacker still gets in.

If your identity stack is strong, AI-assisted phishing is mostly noise.


Identity is the control plane. Most organisations treat it like plumbing.

Modern environments are identity-first whether they admit it or not.

Cloud services, SaaS platforms, APIs, DevOps pipelines, remote work, and third-party access all depend on identity. Firewalls and network boundaries matter far less than they used to. Identity decides who can do what, from where, and under which conditions.

Yet identity is still often treated as a background IT function rather than a security system.

Common symptoms:

  • IAM owned by IT, not security
  • Privileged access reviewed once a year for audit purposes
  • MFA deployed inconsistently
  • Service accounts poorly understood
  • Identity logs collected but not analysed

This is not an AI problem. This is governance and design failure.


How AI actually amplifies weak IAM

AI does three things well for attackers:

  1. Speed: Credential harvesting, password spraying, and social engineering scale faster.
  2. Precision: Targeted phishing and business email compromise become more believable.
  3. Automation: Identity abuse can be chained together with less human effort.

None of these work if identity controls are solid.

AI does not magically bypass strong MFA. It does not invent privileges that do not exist. It does not fix poor segmentation for attackers. It exploits what is already broken.

When CISOs blame AI, they often avoid a harder truth. Their identity foundation was already weak.


The real risks CISOs should be worried about

If you want to reduce real risk, focus here.

Over-privileged users everywhere

Most environments have far too many users with excessive access. This includes:

  • Permanent admin rights
  • Shared privileged accounts
  • Developers with production access
  • Third parties with standing permissions

Attackers do not need zero-days when one compromised user can already do too much.

Least privilege is still poorly implemented because it is operationally inconvenient. That inconvenience is now being paid for in incidents.

MFA that looks good on paper but fails in practice

Many organisations claim “MFA everywhere”. The reality is different.

Common gaps include:

  • SMS-based MFA still in use
  • MFA not enforced for legacy protocols
  • MFA excluded for service accounts
  • MFA not required for privileged actions
  • MFA fatigue attacks not mitigated

MFA is not a checkbox. It is a control that needs constant tuning.

Legacy authentication protocols quietly undermining everything

Older protocols exist to support older systems. They also bypass modern controls.

If NTLM, basic authentication, or legacy SMTP auth are still enabled, attackers will find them. AI makes discovery faster, not smarter.

If you cannot disable legacy auth, you should assume compromise is only a matter of time.

Service accounts and non-human identities out of control

Non-human identities now outnumber human ones in many environments.

These include:

  • API keys
  • Tokens
  • Service principals
  • Automation accounts

They often have excessive permissions, no expiry, and little monitoring. They are rarely rotated and almost never reviewed properly.

AI helps attackers enumerate and abuse these at scale.

No visibility into identity behaviour

Logs alone are not visibility.

Most organisations collect sign-in logs but do little with them. Risky sign-ins, impossible travel, token reuse, and unusual privilege use are often missed or ignored.

Without behavioural monitoring, identity attacks blend in with normal activity.


Why “AI security” products are not the answer

Many vendors are now selling “AI-powered identity security”. Some are useful. Many are not.

Common problems:

  • AI layered on top of broken IAM design
  • Detection without authority to enforce controls
  • Yet another dashboard without operational change
  • Expensive tooling replacing basic hygiene

AI cannot compensate for poor architecture. If identity is fragmented across systems, no amount of AI will magically correlate risk.

Fixing fundamentals delivers more risk reduction than buying another AI tool.


Practical IAM controls CISOs should fix now

This is where effort should go. None of this is new. Most of it is still not done well.

Enforce strong MFA everywhere it matters

That means:

  • Phishing-resistant MFA for privileged users
  • Conditional access based on risk, device, and location
  • Blocking legacy authentication completely
  • MFA required for sensitive actions, not just login

If MFA exceptions exist, document them and treat them as risk.

Remove standing privilege

Privileged access should be:

  • Time-bound
  • Just-in-time
  • Logged and reviewed

Permanent admin access is a breach waiting to happen. Attackers love environments where compromise equals control.

Clean up service accounts and non-human identities

Do the unglamorous work:

  • Inventory all non-human identities
  • Remove unused accounts
  • Scope permissions tightly
  • Rotate secrets automatically
  • Monitor usage patterns

This reduces blast radius dramatically.
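The clean-up list above is the kind of work that only gets done if it is automated. The following is an added example (not code from the article or from UtopianKnight) of a small hygiene audit run over a constructed inventory of non-human identities. The inventory schema (name, type, owner, last_used, secret_rotated, expires, scopes), the 90-day unused threshold, the 180-day secret rotation period and the list of scopes treated as over-broad are all assumptions chosen for illustration; a real inventory would come from your IdP or cloud provider's export.

```python
from datetime import date

# Assumed policy thresholds (illustrative, not from the article).
UNUSED_DAYS = 90            # flag identities not used in the last 90 days
MAX_SECRET_AGE_DAYS = 180   # flag secrets older than the rotation period
BROAD_SCOPES = {"*", "admin", "owner"}  # assumed names for over-broad grants

# Constructed sample inventory (not real data). Dates are ISO strings.
SAMPLE_INVENTORY = [
    {"name": "ci-deployer", "type": "service_principal", "owner": "platform-team",
     "last_used": "2024-04-28", "secret_rotated": "2024-03-01",
     "expires": "2024-09-01", "scopes": ["deploy:prod"]},
    {"name": "legacy-backup-key", "type": "api_key", "owner": None,
     "last_used": "2023-11-02", "secret_rotated": "2022-06-15",
     "expires": None, "scopes": ["*"]},
    {"name": "reporting-bot", "type": "automation_account", "owner": "finance-it",
     "last_used": "2024-04-30", "secret_rotated": "2023-09-01",
     "expires": None, "scopes": ["reports:read", "admin"]},
]
AS_OF = date(2024, 5, 1)  # constructed "today" so the example is deterministic


def days_since(iso_day, now):
    """Whole days between an ISO date string and `now`."""
    return (now - date.fromisoformat(iso_day)).days


def audit_identity(ident, now=AS_OF):
    """Return a sorted list of hygiene findings for one non-human identity."""
    findings = []
    if not ident.get("owner"):
        findings.append("no_owner")              # nobody to answer "is this still needed?"
    if days_since(ident["last_used"], now) > UNUSED_DAYS:
        findings.append("unused")                # candidate for removal
    if days_since(ident["secret_rotated"], now) > MAX_SECRET_AGE_DAYS:
        findings.append("stale_secret")          # rotation is not happening
    if ident.get("expires") is None:
        findings.append("no_expiry")             # credential lives forever by default
    if BROAD_SCOPES & set(ident["scopes"]):
        findings.append("broad_scope")           # blast radius far beyond its job
    return sorted(findings)


def audit(inventory, now=AS_OF):
    """Audit every identity; returns {name: [findings]}."""
    return {i["name"]: audit_identity(i, now) for i in inventory}


def recommend(findings):
    """Turn findings into the action the article asks for."""
    if "unused" in findings:
        return "remove"        # unused identities go first; nothing depends on them
    if findings:
        return "remediate"     # scope down, set expiry, rotate, assign an owner
    return "ok"


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{name:20} {recommend(findings):9} {', '.join(findings) or '-'}")
```

Running it prints one line per identity with the recommended action, which is the shape of report that makes "inventory, remove unused, scope tightly, rotate" a recurring job rather than a one-off project.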

Treat identity logs as security telemetry, not audit evidence

Identity events should feed detection and response workflows.

That includes:

  • High-risk sign-ins
  • Privilege escalation
  • Token abuse
  • New credential creation
  • Unusual API usage

If your SOC does not actively monitor identity, it is blind to most modern attacks.
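To make "identity logs as telemetry" concrete, here is an added example (not code from the article or from UtopianKnight) of detection logic run over a constructed set of sign-in events. It implements four of the signals named in this section and in the "No visibility into identity behaviour" section above: sign-ins without MFA, impossible travel between consecutive sign-ins, a session token reused from a second IP address, and a new credential created shortly after a risky event on the same account. The event schema (ts, user, event, ip, lat, lon, session, mfa), the 900 km/h travel threshold and the two-hour chaining window are assumptions for illustration; the sample events are constructed and use documentation IP ranges.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed detection thresholds (illustrative, not from the article).
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than a commercial flight: impossible travel
CREDENTIAL_CHAIN_WINDOW_H = 2.0   # link new credentials to a risky event within 2 hours

# Constructed sample events (not real telemetry), roughly an IdP sign-in export.
# "session" is an opaque token/session id; lat/lon come from IP geolocation.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "event": "signin",
     "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12, "session": "s-1", "mfa": True},
    {"ts": "2024-05-01T08:40:00", "user": "alice", "event": "signin",
     "ip": "198.51.100.7", "lat": 40.71, "lon": -74.00, "session": "s-2", "mfa": True},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "event": "token_use",
     "ip": "198.51.100.7", "lat": 40.71, "lon": -74.00, "session": "s-1"},
    {"ts": "2024-05-01T09:15:00", "user": "alice", "event": "credential_added",
     "ip": "198.51.100.7", "lat": 40.71, "lon": -74.00, "session": "s-1"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "event": "signin",
     "ip": "203.0.113.22", "lat": 51.50, "lon": -0.12, "session": "s-3", "mfa": False},
    {"ts": "2024-05-01T12:00:00", "user": "bob", "event": "signin",
     "ip": "203.0.113.23", "lat": 48.86, "lon": 2.35, "session": "s-4", "mfa": True},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events):
    """Run the identity rules over events (any order) and return a list of alerts."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    last_signin = {}                 # user -> previous sign-in event
    session_ips = defaultdict(set)   # session id -> set of IPs that used it
    risky_since = {}                 # user -> time of the most recent risky event

    def alert(rule, e, detail):
        alerts.append({"rule": rule, "user": e["user"], "ts": e["ts"], "detail": detail})

    for e in events:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]

        if e["event"] == "signin":
            if not e.get("mfa"):
                alert("signin_without_mfa", e, f"ip={e['ip']}")
            prev = last_signin.get(user)
            if prev:
                hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                # Zero elapsed time with a non-zero distance is also impossible.
                if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                    alert("impossible_travel", e, f"{km:.0f} km in {hours:.2f} h")
                    risky_since[user] = ts
            last_signin[user] = e

        if e["event"] in ("signin", "token_use"):
            session_ips[e["session"]].add(e["ip"])
            if len(session_ips[e["session"]]) > 1:
                alert("token_reuse", e, f"session {e['session']} seen from {sorted(session_ips[e['session']])}")
                risky_since[user] = ts

        if e["event"] == "credential_added":
            since = risky_since.get(user)
            if since and (ts - since).total_seconds() / 3600 <= CREDENTIAL_CHAIN_WINDOW_H:
                alert("credential_after_risky_event", e, "possible persistence after account takeover")

    return alerts


def rules_for(alerts, user):
    """Sorted, de-duplicated rule names that fired for one user."""
    return sorted({a["rule"] for a in alerts if a["user"] == user})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']:6} {a['rule']:30} {a['detail']}")
```

The point of the example is the chaining: an impossible-travel sign-in on its own is a medium-confidence signal, but the same account then reusing an old session token from the new location and minting a new credential is the sequence a SOC should page on. Each rule here is a few lines; what makes it useful is that the identity events reach a place where rules like these run at all.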

Make identity a security ownership problem

IAM cannot sit solely with IT operations.

Security must define:

  • Access models
  • Risk thresholds
  • Control exceptions
  • Monitoring requirements

Without security ownership, identity remains reactive and fragmented.


What boards and executives need to hear

Boards are being told AI is the next existential cyber threat. That message is incomplete.

The real message should be:

  • AI increases the impact of existing weaknesses
  • Identity failures cause most serious breaches
  • Fixing IAM reduces risk faster than chasing hype

This is easier to explain in business terms. Identity failures lead directly to financial loss, regulatory exposure, and operational disruption. AI is just an accelerant.


The uncomfortable conclusion

If AI disappeared tomorrow, most organisations would still be breached. That should be a sobering thought.

Strong identity controls are boring. They are hard. They require coordination, discipline, and ongoing effort. They do not make for exciting conference talks.

They also work.

CISOs who want to materially reduce risk in the next 12 to 18 months should stop treating AI as the main problem. They should treat it as a stress test.

If your identity foundation cannot withstand AI-enabled attackers, the problem is not AI. It is your IAM programme.

Fix that first. Everything else builds on it.