Healthcare Orgs Lack Confidence in Ability to Defend Against an AI-incited Identity Breach
Healthcare organizations have embraced AI and are using AI agents to perform a range of functions, including handling IT support desk tickets, automating software workloads, authenticating data exchanges, and performing various security tasks. While there are clear benefits to be gained from using AI agents in healthcare, each new AI agent is a potential entry point for attackers, and a successful compromise could result in a devastating attack.
Each AI agent is given permissions to carry out its functions, and when AI agents are used to perform security functions, those permissions can be significant. Any attack that succeeds in compromising an AI agent will see the attacker gain those same permissions. For instance, an AI identity on a local machine may have access to the password manager, browser sessions, Secure Shell, and encryption keys. An AI agent could disclose admin credentials to an attacker, leading to a crippling attack with significant data theft.
To learn about AI deployments and integrations and how they are affecting identity security, the cybersecurity firm Semperis commissioned Censuswide to conduct a survey of 1,100 IT and IT security professionals across several industries, including healthcare. The survey confirmed that AI agents are being extensively deployed, which pose significant risks to identity infrastructure. Three-quarters of healthcare respondents believe that there will be AI-driven attacks on identity infrastructure, 69% believe that AI attackers will use identity systems to target their infrastructure, but only one-quarter of respondents think that they would be able to fully recover if an AI agent exposed administrative credentials.
On average, more than one-third of the healthcare workforce has at least one AI agent installed on a local machine that has permissions to access Secure Shell and encryption keys, and one in three healthcare respondents said they are using AI agents to handle security-related tasks, with 60% of respondents anticipating deploying AI agents for security tasks in the next 12 months.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
According to Semperis, AI agents should be treated as non-human identities (NHIs) in the identity fabric; however, only 66% of respondents said AI identities were registered, authenticated, and authorized within the organization, and of those that do, almost half (48%) register, authenticate, and authorize them separately from human identities. While organizations may be applying security best practices such as the principle of least privilege for human identities, that is not always the case with AI identities, which are often overpermissioned.
“AI support agents are often overpermissioned in ways that may have unintended consequences — such as ‘helpfully’ reconfiguring security settings or granting access that can lock entire teams out of their identity systems or punch holes in corporate VPNs,” explained Semperis. As deployment of AI agents increases, so does the risk. Since AI agents often have the ability to do anything, it is vital to implement disciplined controls. While sufficient controls may not yet have been implemented, 90% of respondents said AI identity governance is a top security priority for the organization.
Semperis stresses that security controls need to be implemented to reduce risk, such as applying the principle of least privilege to AI identities, designating identity infrastructure, implementing backup and recovery controls, and segregating agent and human trust boundaries where appropriate. Organizations need to work on the assumption that AI identities will eventually be compromised, so they must therefore need to plan for that eventuality and ensure that they have the policies and procedures in place to allow them to rapidly respond and make a quick and full recovery.
“What’s striking isn’t just how quickly AI is being integrated into identity systems but how unprepared many organizations are to recover when things go wrong,” explained Grace Cassy, Partner, Ten Eleven Ventures. “Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability, and recovery readiness. It’s a new dimension of an old question, really: Are you resilient enough to respond in the event of critical disruption?”
The Semperis State of Identity Security in the AI Era Report can be downloaded here.
