0a0d

8/15/2025

AI is Already Stress-Testing IAM

Traditional IAM was built around static roles and predictable traffic. Generative AI and agentic automations change the shape and volume of identity activity:

  1. Automation-as-a-user: Non-human identities balloon and are harder to govern.
  2. Prompt-sourced attacks: Social engineering and phishing get sharper and faster.
  3. Policy drift: ML-driven apps change behavior after go-live, challenging separation-of-duties (SoD) controls and approvals.

What to do next: instrument identity flows, reduce standing privilege, and increase review velocity with shorter, more targeted recertifications instead of large quarterly waves.
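A sketch of what a targeted recertification could look like in practice, added here as an illustration and not taken from the original post. The inventory rows, field layout, 30-day idle threshold and risk weights are all constructed assumptions; the script flags idle privileged grants (standing privilege) and ranks grants so that non-human identities and apps that changed after their last approval are reviewed first.

```python
from datetime import datetime, timedelta

NOW = datetime(2025, 8, 15)  # fixed so the result is reproducible

# Constructed sample inventory (not real data):
# (identity, is_human, entitlement, privileged, last_used, last_reviewed, last_app_change)
INVENTORY = [
    ("alice",         True,  "repo:read",   False, "2025-08-14", "2025-07-01", "2025-06-01"),
    ("bob",           True,  "prod:admin",  True,  "2025-08-10", "2025-07-01", "2025-06-01"),
    ("svc-etl-agent", False, "db:admin",    True,  "2025-03-01", "2025-04-01", "2025-07-20"),
    ("svc-chatbot",   False, "crm:write",   False, "2025-08-15", "2025-05-01", "2025-08-01"),
    ("svc-backup",    False, "vault:admin", True,  "2025-08-12", "2025-08-01", "2025-02-01"),
]

def day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def standing_privilege(inventory, now=NOW, idle_days=30):
    """Privileged grants unused for idle_days: candidates for removal or just-in-time access."""
    cutoff = now - timedelta(days=idle_days)
    return [(i, e) for i, _, e, priv, used, _, _ in inventory if priv and day(used) < cutoff]

def risk(row, now=NOW, idle_days=30):
    """Assumed weights; tune them to your own environment."""
    _, human, _, priv, used, reviewed, changed = row
    score = 0 if human else 2                              # automation-as-a-user
    score += 3 if priv else 0                              # privileged entitlement
    score += 2 if day(used) < now - timedelta(days=idle_days) else 0  # idle grant
    score += 3 if day(changed) > day(reviewed) else 0      # app changed since approval (drift)
    return score

def recert_batch(inventory, size=3, now=NOW):
    """Small, targeted review batch: highest-risk grants first, ties broken by name."""
    ranked = sorted(inventory, key=lambda r: (-risk(r, now), r[0]))
    return [(r[0], r[2], risk(r, now)) for r in ranked[:size]]

if __name__ == "__main__":
    print("Standing privilege:", standing_privilege(INVENTORY))
    for identity, entitlement, score in recert_batch(INVENTORY):
        print(f"review {identity:15} {entitlement:12} risk={score}")
```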