Id at scale, and uncontrolled
With agentic AI on the rise, the variety of nonhuman identities — bots, brokers, scripts, techniques — is exploding. Kelley famous there could already be 50 machine identities for each human one, and that quantity will develop as AI begins autonomously chaining duties throughout companies and environments.That type of scale makes conventional id governance unsustainable. AI will likely be essential to sustain, notably in entry evaluations, privilege scoring, and onboarding. However Kelley warned that including AI right into a damaged id basis will solely speed up danger.“You possibly can’t automate a damaged system,” she mentioned. “Repair it earlier than you scale it.”
The mirage of intelligence
The core of Kelley’s discuss was not anti-AI. It was anti-naivete. She known as on organizations to deal with AI as software program, not sorcery.Which means validating fashions, understanding inputs, documenting conduct, and monitoring outputs as you’d with any high-risk code. AI could really feel like a black field, however the penalties of misconfiguration are very actual. That is very true in id, the place belief is the forex.“Id has gotten actually sophisticated,” Kelley mentioned. “Even at a 150-person startup, it’s nothing prefer it was 20 years in the past. We want assist, however we’d like the correct of assist.”She additionally emphasised that pre-deployment testing isn’t sufficient. AI techniques have to be regularly evaluated after they go reside, as a result of their efficiency can drift as environments change.“Monitoring AI is simply as essential as testing it,” she mentioned. “The inputs shift, the info evolves, and the dangers don’t cease.”With out ongoing scrutiny, even the simplest mannequin can turn out to be inaccurate — or harmful — over time.
A better, safer path
Kelley was clear that AI does have a job to play. Its skill to deal with fuzzy knowledge, determine weak alerts, and enhance choice velocity might be transformative if applied responsibly.Used fastidiously, AI can remove low-value duties like guide consumer entry evaluations, dynamically set off step-up authentication, and scale back human bottlenecks in high-volume id operations.However Kelley urged transparency.“Inform your customers once you’re utilizing AI,” she mentioned. “Embody it in your accountable disclosure. Bake it into your privateness insurance policies. Belief begins with honesty.”She closed by reminding attendees that this isn’t about resisting innovation. It’s about constructing it proper.“AI isn’t magic. It’s math. And id is just too necessary to get mistaken.”
The adversary is already utilizing AI
Kelley additionally warned that whereas defenders debate governance frameworks and disclosure requirements, attackers are already fluent in AI. Risk actors are producing artificial identities, crafting phishing emails with language precision, and even utilizing deepfake voicemails to impersonate executives and bypass verification.“As soon as an artificial id is accepted into the system, it turns into a lot tougher to differentiate,” she mentioned.This underscores why verification on the entrance door stays essential. Organizations can not depend on behavioral analytics alone to detect fraud if the id has already been permitted.AI could ultimately assist shut these gaps, Kelley famous, however solely whether it is educated and monitored with the identical self-discipline defenders apply to code, infrastructure, and coverage. Something much less dangers accelerating the very threats we try to include.
