In a matter of months, AI became a tool relied on for daily critical tasks. Now, we are seeing it used just as easily to attack systems, deceive users, or even manipulate data. Its full capabilities are still being explored, and the most significant threats it poses are as yet unknown. Even without knowing exactly what's coming, organizations can take meaningful steps now and develop identity security strategies that defend against AI-driven threats and keep them from being an easy target.
Suggestion 1: Start with the basics
In the face of unknown AI-driven threats, one of the best places to start is with an identity security strategy that addresses the fundamentals.
When it comes to identity and access management, solutions that offer 'Preemptive Defense' (a term coined by Gartner) allow detection and protection before a user even authenticates to your systems. Think IP reputation checks, web application firewalls, machine learning-based risk scoring, user policies and app policies. Risky behavior is flagged early, and authentication requirements are adjusted to block high-risk attempts outright. Other attempts may trigger more stringent authentication challenges to reduce risk, while allowing legitimate users access.
Suggestion 2: AI Phishing is getting smarter. Adjust authentication to be smarter too.
AI-driven phishing attacks are getting more convincing: they can better replicate human behavior and bypass existing phishing-detection mechanisms. Context-based authentication challenges paired with multiple authentication types are key defenses.
Context-based authentication can be used to adjust the choice of authentication option in response to detected risk levels, but should also be based on the resource being accessed. This can be controlled through application policies which take into account the application being accessed, the level of access the user has within that application, and the dynamic risk score of the authentication request. Within an application this can be achieved through step-up authentication controls.
Multiple authentication options allow organizations to reduce the risk of compromise. From simple One-Time-Password (OTP) variations, to FIDO2 passkeys, to ID-Verification flows, an attack would need to bypass multiple authentication types to gain meaningful access through lateral movement or elevated access. For extremely sensitive access, consider leveraging two or more ID-verification solutions.
Suggestion 3: Resist session hijacking with step-up authentication
With session hijacking, bad actors can steal session-related details and bypass the need to authenticate. Expect to see AI used to lure users into actions which lead to the harvesting of crucial information and session cookies.
Consider implementing step-up authentication controls when users access applications with sensitive information. Additionally, enforce the use of phishing-resistant factors to prevent lateral movement should a bad actor gain access to an SSO session. Remember to enforce MFA challenges for users accessing their IDP profile to prevent a bad actor from registering new authentication factors.
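The application policy from Suggestion 2 and the step-up controls from Suggestion 3 can be expressed as a single decision function. The sketch below is an added example, not code from One Identity or OneLogin; the app names, thresholds, factor ranking and the `Request` fields are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All names, thresholds and the factor ranking below are assumptions made for
# this example; they are not taken from any identity provider's API.
STRENGTH = {"password": 1, "otp": 2, "fido2": 3}   # higher = stronger
NAME = {v: k for k, v in STRENGTH.items()}
STEP_UP_AT, DENY_AT = 40, 80                       # risk score range 0-100
SENSITIVE_APPS = {"wiki": False, "payroll": True, "idp_profile": True}


@dataclass(frozen=True)
class Request:
    app: str                              # application being accessed
    role: str                             # level of access inside that app
    risk: int                             # dynamic risk score of the request
    session_factors: frozenset            # verified earlier in the SSO session
    fresh_factors: frozenset = frozenset()  # verified for this request


def required_level(req):
    """Minimum factor strength from app sensitivity, role and risk score."""
    if SENSITIVE_APPS[req.app]:
        return STRENGTH["fido2"]          # phishing-resistant factor only
    if req.role == "admin" or req.risk >= STEP_UP_AT:
        return STRENGTH["otp"]
    return STRENGTH["password"]


def decide(req):
    """Return ("deny" | "allow" | "challenge", factor_to_request_or_None)."""
    if req.risk >= DENY_AT:
        return ("deny", None)             # high-risk attempts blocked outright
    need = required_level(req)
    # Sensitive apps count only factors presented for this request, so a
    # replayed SSO session cookie cannot satisfy the check by itself.
    counted = req.fresh_factors
    if not SENSITIVE_APPS[req.app]:
        counted = counted | req.session_factors
    best = max((STRENGTH[f] for f in counted), default=0)
    return ("allow", None) if best >= need else ("challenge", NAME[need])


if __name__ == "__main__":
    sso = frozenset({"password", "otp"})  # constructed: an existing SSO session
    for r in (Request("wiki", "user", 10, sso),
              Request("wiki", "user", 90, sso),
              Request("payroll", "user", 10, sso),
              Request("idp_profile", "user", 10, sso),
              Request("payroll", "user", 10, sso, frozenset({"fido2"}))):
        print(r.app, r.risk, decide(r))
```

Treating `idp_profile` as a sensitive app is what forces a fresh challenge before a new authentication factor can be registered, even when the SSO session already holds a strong factor.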
Suggestion 4: Bring shadow AI out of the shadows
Even with strict AI usage policies in place, there is very little organizations can do to prevent their employees, contractors and partners from using AI, or to detect when they do. They may be using chatbots on personal devices, and copying and pasting the results into work documents. It's difficult to track, and even harder to stop.
Currently, the most effective approach to limit shadow AI is the same approach used to limit shadow IT: make it easy for departments and individuals to request and gain access to applications. With shadow IT, streamlined procurement processes and rapid integration into a corporate SSO portal give users very little reason to bypass official processes.
The equivalent for shadow AI usage would be to provide employees access to a corporate-controlled service. This provides organizations oversight over its usage, and offers the ability to retain the history and learning it generates, with no loss when an employee leaves.
Conclusion: Act now, and prepare to adapt
AI is moving fast, and so are the threats that come with it. While we can't predict every tactic attackers will use, organizations can prepare by taking steps to strengthen their defenses. That starts with getting the basics right. Build a solid foundation of identity security that includes preemptive defense, smarter authentication, and layered protections.
As AI becomes more embedded in our systems, we need to treat it like any other identity that is governed, monitored, and secured.
The organizations that prepare early and adapt are able to stay ahead of the curve, and keep their systems secure.
About the Author: Stuart Sharp is VP of Product Strategy at One Identity for OneLogin solutions, working with our customer and product teams to help companies address today’s identity and security challenges. During a career spanning more than 25 years, Stuart has had a passion for driving technical innovation, with a particular focus on Data Security, Cloud Encryption and Access Management. Before joining OneLogin, Stuart worked for an Oxford University high-tech spin-off, as Global Product Manager for Database Security at Oracle and as VP of Solution Engineering for CASB provider CipherCloud. Stuart earned his BA at Harvard University and MPhil at Oxford University.