Non-human identities are creating a governance debt for healthcare cybersecurity
AI agents are becoming a force to be reckoned with in healthcare, especially as cybersecurity sentinels in a new ecosystem of non-human attackers and defenders. Non-human entities, including agents, service accounts, and APIs, outnumber human identities by 45 to 1, by some estimates, and that number is expected to climb exponentially.
But with each new non-human member of the enterprise team comes a digital identity that needs to be appropriately secured. And healthcare organizations are already falling short in their ability to manage this hidden threat to their infrastructure.
For example, a new survey from cybersecurity company Semperis shows that 93% of global businesses already use (or plan to use) AI agents for “sensitive security tasks,” such as password resets and VPN access. Yet only 65% fully register, authenticate, and authorize AI identities.
The majority (67%) don’t authenticate AI identities separately from human ones, and just 10% said that AI identity governance is a recognized priority over the next 12 months.
Separate data from IBM points to the same misalignment between adoption and readiness, with just 11% of tech leaders saying they feel fully prepared for the scale of AI deployment that’s rushing toward them.
With hundreds or thousands of new AI agents entering the ecosystem on a regular basis, the amount of governance needed to appropriately secure each entity is far exceeding the capacity of human experts to implement it.
In the IBM survey, a strong majority of organizations (77%) report AI adoption is outpacing current governance capabilities, while 70% say they’re actually deploying technology faster than IT can track.
This accumulating “governance debt” runs the risk of broadening the attack surface of the healthcare enterprise and leaving organizations vulnerable to intrusion.
“For years, control in enterprise technology was exercised through policy, approvals, committees, and review cycles,” says the IBM survey report. “That approach worked when systems moved at human pace. At machine speed, it no longer holds.”
“As AI agents move from pilots to production, they make decisions continuously and at volumes no escalation path can realistically govern. In that environment, control stops being a permission problem. It becomes a design problem.”
The solution is getting proactive about building governance into systems before they go live, the company recommends – and doing it on an enterprise-wide basis that doesn’t permit individual teams to circumvent IT when they want to move fast to adopt their own AI tools.
“Organizations that engineer control into their AI systems deploy 16x more agents than those relying on manual governance, while spending 4x less of their AI budget and delivering 18% higher operating margins,” IBM says.
These controls should include basic identity hygiene strategies such as least-privilege access by default, continuous logging and audit trails, and clear ownership of unique identities for each agent.
Without these fundamental governance principles firmly in place before the pace of non-human identity adoption gets truly out of control, organizations are creating risks that they won’t be able to manage. Addressing the governance debt now will be essential for succeeding in an ecosystem where AI agents are already becoming core members of the team.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.