Federal Cyber Leaders Grapple With Growing Nonhuman Identity Risks

Transportation Department Enterprise Security Architect Austin Clark warned Friday that the rapid adoption of artificial intelligence across government is creating an explosion of non-human identities — including AI agents, service accounts and API keys — that could become a major cybersecurity vulnerability if agencies fail to maintain visibility and control.

“Everybody in an organization is leveraging AI,” Clark said during GovCIO Media & Research’s Federal Tech Leaders Summit in Washington, D.C. “That’s the attack surface that’s exploding exponentially across everyone’s space.”

Clark said the growing number of machine identities is reshaping how agencies think about cybersecurity, expanding attack surfaces beyond traditional user accounts and creating new opportunities for adversaries to move through networks using exposed credentials and secrets.

“When we talk about identity lifecycle management, normally when we’re talking about human identities, we talk about joiner-move-leaver [cycle],” Clark said. “With non-human identities, it’s more of register-renew-revoke and you have to be able to automate all three of those phases … because the adversary is going to get access.”

AI Changes the Threat Environment

Chris Wallace, chief of cybersecurity for PEO DHMS, said the speed and scale of AI-enabled threats are forcing agencies to rethink traditional security models.

“Adversaries aren’t taking months to probe and look and try to utilize an attack vector, they’re doing it in minutes,” Wallace said on the same panel. “It’s absolutely paramount for us to be able to have that observability to dive deeper than we ever have before and look at those vulnerabilities, find the anomalies faster.”

Wallace added that organizations can no longer rely on traditional security timelines because adversaries are increasingly operating at machine speed.

“The slice and time doesn’t work anymore. By the time that we evaluate, assess and then go to authorization, we’ve got new vulnerabilities, we’ve got other impacts from adversaries that we have to keep pace with,” Wallace said.

The rise of AI is also changing long-held assumptions about insider threats and network trust, Wallace added.

“Insider threat was always the human. Well, it’s not that way anymore,” Wallace said. “Everything inside your boundary is now a threat. You have to look at everything and be able to protect against that.”

Architecting New Defense Structures

HP Federal CTO Tommy Gardner said agencies must rethink their architectures to defend against AI-enabled threats and adversarial AI techniques. Rather than exploiting traditional software vulnerabilities, adversaries can manipulate training data or influence model behavior to generate flawed outcomes, he said.

“What [a cyber adversary] wants is certain decisions to be bad, and so it’s manipulation of part of your training data and part of your algorithm,” he said. “If you don’t have the right architecture, you’re doomed before you get started.”

The Marine Corps is implementing that approach through cloud-native architectures and DevSecOps pipelines designed to limit lateral movement and accelerate secure software delivery, according to David Raley, chief digital business officer for the Marines’ Operation StormBreaker.

Speed is increasingly becoming a security advantage, Raley said. The program’s DevSecOps pipelines and zero trust inheritance model allow mission owners to deploy code at unprecedented speed while maintaining security controls.

“We’re talking about getting an authorization within 15 minutes for code on a given day,” Raley said.

Raley added that speed and security work in concert to counter machine-speed and non-human threats, dispelling the myth that organizations must trade security for velocity.

“It is provably far more secure … literally, you can see thousands of additional vulnerabilities in the process we’re talking about,” he said. ”[Development is] incredibly more secure when you have the right process in place.”

Raley said the Marine Corps designed its cloud-native architecture to further reduce risk by limiting lateral movement. Mission systems are isolated through a hub-and-spoke model that allows defenders to immediately quarantine workloads when anomalies appear.

“When we’ve done the testing and the assessments of those [systems], that almost eliminates the lateral movement capability,” Raley said. He added that the structure allows administrators to identify threats and “sever the connection extremely easily” to protect the rest of the network.

Maintaining visibility into that growing population of non-human identities is becoming increasingly critical, Clark said.

“If you don’t know your entire attack surface of these non-human identities, you’re going to fail very fast,” he said.