The importance and evolution of privileged access management in the era of artificial intelligence
Insights from 10 cybersecurity leaders
The digital identity has always been the anchor of security. Knowing who has access to what makes it possible to set rules, watch activity, and act when things go wrong. But in the age of AI, the identity stretches further. The identity has expanded to include not only employees and contractors, but also algorithms, APIs, and AI agents making decisions at inhuman speed. CISOs and cybersecurity leaders are grappling with managing this shift while maintaining governance, culture, and resilience.
We turned to a group of leaders who endure these daily pressures. Some share similar titles, but all are cyber risk owners accountable for securing their organizations and advising their boards. Their diversity in job titles mirrors the business landscape itself: cybersecurity responsibility now sits across CTOs, CISOs, heads of security, and IT managers.
What follows is a series of perspectives on how privileged access management (PAM) practices must evolve in the AI era: how threats are changing, how controls adapt, and how organizations can position themselves for resilience. We offer practical insights from the front lines and offer industry-specific recommendations wherever relevant.
A report by Jane Frankland MBE
The panel of experts
We chose a diverse panel of experts from five different industries and regions. They offer their perspectives on some of the key challenges that cybersecurity decision makers face today.
Sandy Dunn, CISO at SPLX.AI
Machine and AI agent identities now outnumber people in most organizations by more than 80 to one. The key is to treat these agents like privileged, drunk interns—give each its own identity, keep credentials short-lived, and tie everything back to a human for accountability. Limit privileges to what’s necessary, keep boundaries clear, and monitor in real time so if they drift outside their lane, you catch it fast.
George Papakyriakopoulos, CISO at Skroutz S.A.
The primary challenge isn’t just fending off AI-powered attacks, but securing the agents themselves, which are effectively the new super-admins and assume many critical identities. The very definition of a privileged identity will be permanently expanded to include agents that wield consolidated access far greater than any human.
Simon Legg, CISO at Hastings Direct
The important thing to recognize is that controls designed to support human beings are not necessarily the same as those needed to support systems. Systems can cope with more control burden than humans.
Stu Hirst, CISO at Trustpilot
AI agents are very likely to become mainstream across organizations, so identity management must evolve to become entity centric. AI agents will need onboarding, life cycle management, attestation, and offboarding just like human employees, but at machine speed.
Ejona Preci, group CISO at LINDAL Group
Every AI agent must have a unique, traceable identity, governed by granular policy controls and backed by real-time monitoring with anomaly detection. When an agent’s behavior or risk score crosses thresholds, its privileges must be terminated immediately. Anything less is an open invitation to chaos.
Erhan Temurkan, director of information security at a financial services firm
In time, PAM, IAM, and AI governance will merge into a unified discipline centered on the question of who—or what—has access, when, and why.
Yasin Carkci, CTO at Tams Finans
Within five years, PAM will evolve from a static access controller into a real-time risk orchestrator. As machine-to-machine interactions dominate, identity lifespans will shrink to minutes. PAM will need to validate model versions, enforce dynamic policies, and revoke privileges on the fly.
Goher Mohammad, head of information security for L&Q
Even if we as an organization said we would not use AI, adoption would still occur in different ways. Everyone is AI-curious, whether or not they know how to use a computer.
Panagiotis Soulos, information security GRC senior manager and deputy CISO at STEELME
When implementing PAM for AI agents, CISOs must prioritize life cycle governance, least privilege enforcement, and real-time monitoring of non-human identities. Defining ownership, ensuring traceability, and applying just-in-time access controls are critical. Educating employees on responsible AI usage and prompt (cyber) hygiene is equally critical.
River Nygryn, COO at Bullion FX
The tool should enhance, not replace, your governance and operational discipline.
