IT Brief Asia - Technology news for CIOs & IT decision-makers

AI bots overwhelm identity controls in Australia & NZ

Tue, 14th Apr 2026

Security specialists warn that artificial intelligence and automation are overwhelming traditional identity management practices across Australian and New Zealand organisations. On World Identity Management Day, the rise of non-human identities has emerged as a central concern.

Industry figures say identity programmes designed around human users no longer reflect how enterprises operate. Machine accounts, software bots and AI agents now hold and exercise significant access rights inside corporate networks.

Semperis Principal Technologist Sean Deuby said the current focus on identity highlights problems that have existed in corporate IT for decades. In his view, concerns about AI stem from long-standing gaps in governance and basic account and permission hygiene.

Identity security has long lagged the pace of change in technology departments, particularly when teams prioritise rapid delivery of new services over managing access. Once created, accounts and groups often remain in place long after projects end or staff move on.

"The sixth Identity Management Day highlights the evolving nature of identity," Deuby said. "The meteoric rise of AI in general and its impact on nonhuman identities (NHIs) has focused attention on identity security as never before. But in the long view, it simply highlights the same issues we have seen in identity management since it was called 'identity management.' And discovery has always been a part of it."

He described a familiar pattern in IT teams: creating new access is far easier than removing redundant accounts. Project teams often request new groups, service accounts and elevated permissions in the name of efficiency.

"Enabling the business has always been the priority for IT. Managing the identity pieces you have created for the business has not, because it does not directly benefit the business. Do you need this group created, populated, and added to an application? Sure. Do you need this service account immediately? Right away. Let's give it some extra privileges because we know we will not have to troubleshoot permission problems in the future," Deuby said.

By contrast, revoking access when it is no longer needed is far less common. In organisations without strong regulatory pressure, identity governance tools are still adopted unevenly.

"But ask yourself: how often have you seen 'Please remove this account because we're not using it anymore'? Rarely. Unless you're a regulated business, identity governance and administration (IGA) is usually an afterthought. This has been the reality of IT as long as there's been IT," Deuby said.

He likened basic governance work to an unglamorous but necessary discipline that many organisations still neglect. Legacy systems such as Active Directory often carry years of accumulated accounts and entitlements.

"I lump this into the identity security category I call 'eat your vegetables': you know it's good for you, but you don't do it enough. Even after 26 years of general availability, identity governance is far from a given in Active Directory environments, especially smaller ones," Deuby said.

That long build-up is now colliding with a steep rise in non-human identities. In many organisations, automated accounts and service IDs outnumber human users and often hold broad rights.

"Since identity systems such as Active Directory have very long lifespans, these daily decisions accumulate over years or decades of production. Organisations find they have thousands or tens of thousands of under-regulated NHIs (we call them service accounts on premises). This is one of many reasons identity systems are a favourite target of threat actors; they know very well these NHIs are overprivileged, underprotected, and neglected," Deuby said.

He argued that cloud adoption and AI development have intensified the problem. Self-service infrastructure, rapid deployment cycles and experimental AI projects often depend on quickly creating keys and service accounts.

"Take these same factors, surround them with the tinder of cloud services' ease of use, pour the gasoline of AI onto it, and give developers the match. That's the dumpster fire we're looking at today, with NHIs outpacing human identities at what seems like a geometric progression. We're right to be concerned," Deuby said.

Deuby called for immediate action to improve oversight and visibility, starting with a clear inventory of existing machine and service accounts.

"How does 'finding identity' fit into this? We can't just wring our hands about the situation; we need to take steps immediately. We must put controls in place as soon as possible. And we must discover what's already out there, using any tools we have, so we know the scope. You don't know the size of your dumpster fire until you've looked," Deuby said.

Others in the sector argue that the answer lies in moving from static identity models to more adaptive approaches. Organisations in Australia and New Zealand face regulatory and financial exposure when they rely on periodic reviews of user access.

Nam Lam, Group Vice President for Australia and New Zealand at SailPoint, said many enterprises still treat identity as a fixed control. That approach, he said, clashes with rapidly changing workforces and application footprints spanning thousands of services.

"World Identity Management Day is a moment to ask an honest question. Is the way we think about identity keeping pace with the world we are actually operating in?" Lam said. "For most organisations, the answer is no. Identity security has traditionally been treated as a static discipline. You grant access, you review it periodically, and you hope nothing changes too dramatically in between. But the enterprise of 2026 is anything but static. Workforces shift constantly and applications multiply into the thousands. AI agents are proliferating across business units at a pace that outstrips any governance programme built for the human era."

Lam said this lag has created a widening gap between perceived control and actual conditions inside identity platforms, with real consequences in local markets.

"The result is a growing gap between what organisations think they have under control and what is actually happening across their identity landscape. In Australia and New Zealand, that gap carries real regulatory, financial, and reputational consequence," Lam said.

He also argued that conventional definitions of privileged access no longer reflect where the greatest risks sit. Automation and AI agents acting on data now occupy many critical roles.

"Part of the problem is how we still define risk. In the past, privileged access belonged to a select few. Today, a payroll bot approving salary runs or a junior analyst with API access to sensitive data can each trigger significant impact. Risk no longer lives in job titles. It lives in context, and that is precisely what static governance was never designed to read," Lam said.

Lam advocates an adaptive identity security model that evaluates access in real time. He linked this approach to zero trust strategies, which many organisations have adopted in principle but still struggle to operationalise.

"What this day should prompt is a shift in mindset to embrace an adaptive identity security model. Static controls tell you who had access last year. Adaptive identity security tells you whether the access being requested right now, in this context, by this identity, at this hour, makes sense and acts accordingly. It is also the layer that makes zero trust work in practice. Many Australian organisations have embraced zero trust in principle but struggle to operationalise it, because architecture alone cannot enforce least privilege dynamically. Adaptive identity security provides that enforcement," Lam said.

He cited SailPoint research suggesting AI agents are already widely used without matching oversight. Many of the machine identities behind those agents have no clear owner.

"SailPoint's own research makes the urgency clear. 82% of enterprises are already using AI agents, yet fewer than half have governance policies to manage them. 75% of machine identities have no designated owner. Each one represents an access pathway that nobody is watching," Lam said.

Lam said the technology to address the problem is already available, including tools that score risk in real time, tighten access windows and monitor entitlements across both human and non-human users.

"The tools to address this exist today. Real-time risk scoring, just-in-time access, continuous authorisation, and unified visibility across human and non-human identities are well within reach, and the organisations investing in them are moving faster, complying more confidently, and recovering more quickly when threats materialise. Identity security is not a control function. It is the foundation on which a secure, resilient, and agile enterprise is built. World Identity Management Day is a prompt to treat it that way," Lam said.

Vendors focused on cloud security report similar patterns in their customer base, saying the fastest-growing volume of identities now comes from systems rather than staff.

"Identity management was built for people, but today, the busiest users in your network aren't human. We are seeing an explosion of non-human identities, from simple automation scripts to autonomous AI agents, all interacting with sensitive data at a velocity no human could match," said James Ross, Regional Vice President ANZ, Saviynt.

"The friction lies in how these entities behave. They don't take breaks, they make independent decisions, and they usually ship with broad permissions by design. Yet most teams are still trying to force these machine behaviours into security frameworks designed for a 9-to-5 workforce."

"Identity can't just be a compliance checkbox anymore; it has to be the principal system for governance and enforcement point. Organisations that recognise this shift will be able to deploy AI safely. Those that don't are essentially handing the keys to a fleet of autonomous actors they can't see, let alone stop," Ross said.