eCommerceNews Australia - Technology news for digital commerce decision-makers
Australia AI identity governance lags as risks rise

Thu, 14th May 2026
Mark Tarre, News Chief

Semperis has published research on how AI is affecting the security of identity systems in Australian organisations, finding that most respondents already use or plan to use AI agents for sensitive security tasks.

The survey covered 1,100 organisations globally across multiple industries and examined identity platforms including Active Directory, Entra ID and Okta. In Australia, the results point to growing use of AI agents in core security processes before formal controls are fully in place.

It found that 95% of Australian organisations either already use or plan to use AI agents for tasks such as password resets and VPN access. Nearly a quarter, 24%, already use AI agents to handle security-related help desk tickets, while another 69% intend to do so within the next year.

At the same time, 80% of Australian organisations surveyed believe AI will increase attacks on identity infrastructure. In addition, 92% said AI is installed on at least some local machines with access to SSH and encryption keys.

The results also point to concerns about incident response. Only 21% of Australian respondents said they were very confident they could regain control if AI exposed admin credentials, compared with 32% globally, while 10% said they were not confident they could do so.

Governance gap

Australia trails global peers on governance of AI-related identities. Only 52% of Australian organisations said their AI identities are fully registered, authenticated and authorised in a formal system, compared with 65% globally.

Among organisations that track AI identities, 62% use the same system as for human identities. The remaining 38% authenticate and authorise AI identities through a separate system.

The issue centres on the rise of non-human identities created by software agents. As more organisations give those agents access to sensitive systems, identity infrastructure is becoming a bigger target for attackers and more complex to govern.

Alex Weinert, Chief Product Officer at Semperis, commented on the broader trend identified in the survey.

"The accelerated use of AI is introducing a bevy of new agents, each with its own non-human identity (NHI) throughout global enterprises and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs," Weinert said.

Gerry Sillars, Vice President of APJ at Semperis, said the Australian results stood out against the international sample.

"The data reveals that Australian organisations are lagging behind their international peers when it comes to governing AI-related identities. Locally, organisations are racing to introduce AI identities, despite lacking the visibility and controls needed to securely manage them at scale. Compared to their global counterparts, Australian organisations also express less confidence in their ability to regain control of their identity systems if AI were to expose their admin credentials. It is clear that AI is changing the identity threat landscape faster than Australian organisations can adapt," Sillars said.

Recovery concerns

The research also drew comment from external figures cited in the report. Grace Cassy, Partner at Ten Eleven Ventures, said the pace of adoption had outstripped operational readiness in many cases.

"What is striking about the Semperis AI Study is not just how quickly AI is being integrated into identity systems but how unprepared many organisations are to recover when things go wrong. Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability, and recovery readiness. It is a new dimension of an old question, really: Are you resilient enough to respond in the event of critical disruption," Cassy said.

Chris Inglis, the first U.S. National Cyber Director and a strategic advisor to Semperis, focused on the difference between planning for cyber incidents and restoring identity systems after a breach.

"The pattern of global organisations overestimating how quickly they can recover from a cyberattack is real, especially when identity is within the blast radius. On paper, organisations have plans and backups; in practice, identity failures turn technical incidents into prolonged business crises, exposing a dangerous gap between perceived resilience and reality," Inglis said.

Despite the gaps identified in the report, 79% of respondents said AI identity governance is a priority in the coming months. Measures under consideration include treating AI agents as non-human identities, applying least-privilege access rules, separating agent and human trust boundaries where needed, monitoring anomalous agent behaviour, and ensuring identity systems can be restored to a trusted state after a breach.

The Australian findings come as AI takes a more prominent role in organisational technology strategies, with identity management emerging as an area where deployment is moving quickly while control frameworks remain uneven.