Healthcare embraces AI while facing identity security gap: Report



New research from Semperis shows that healthcare organizations are confidently adopting AI but are widening the identity security gap in the process. The company used Censuswide to survey 1,100 IT and security professionals across industries to find out how they use AI and how AI integration is affecting identity security.

In healthcare, 75% of respondents said they expect AI-powered attacks on identity infrastructure. However, only 27% said they were confident they could fully recover if an AI agent compromised administrator credentials.

The difference between these two realities suggests that while healthcare organizations are aware of the risks to their identity infrastructure posed by AI, they are not yet prepared to address the impact. Healthcare was not an outlier in this study. Leaders in sectors such as banking, education, government, IT, and telecommunications reported similar disconnects.

Each AI agent an organization uses has its own non-human identity (NHI). The number of NHIs is rapidly increasing as organizations implement tools to run software workloads, authenticate data exchanges, and complete other behind-the-scenes tasks.

“Each new agent, service principal, and low-code ‘helper’ represents a new potential entry point into the identity system,” the report notes.

“AI support agents are often given excessive privileges in ways that can have unintended consequences, such as granting them access that can ‘beneficially’ reconfigure security settings, lock entire teams out of identity systems, or even blow holes in a company’s VPN.”

These identities may have access to password managers, browser sessions, and other sensitive data, giving attackers who compromise these identities free access to sensitive information.

Still, organizations are using AI agents to handle security tasks. Approximately 29% of healthcare respondents said they use AI agents to process security-related help desk tickets, and 60% said they plan to deploy agents for this use case within the next year.

Healthcare respondents also said that, on average, one-third of their employees have AI installed on their local machines and have access to secure shells and encryption keys.

Approximately 66% of healthcare respondents said that AI identities are registered, authenticated, and authorized within their organization. Nearly half said their organizations register, authenticate, and authorize AI identities separately from human identities.

Healthcare respondents expressed low confidence in their ability to fully regain control of their identity infrastructure if AI agents exposed administrator credentials to attackers, even as they continue to employ such tools. With this in mind, AI identity governance has emerged as a top priority for 90% of healthcare organizations.

As AI identities continue to proliferate, organizations must contend with the risks they pose. Best practices include enforcing least-privilege access for agents, separating trust boundaries between agents and humans, and designing identity infrastructure, backup and recovery, and governance controls with the assumption that these agents will eventually be compromised, the report suggests.

Jill Hughes has been covering health tech news since 2021. Her areas of coverage include cybersecurity, HIPAA compliance, interoperability, AI, and EHR.


