Close

New Workspace Modernization Research from CDW

See how IT leaders are tackling workspace modernization opportunities and challenges.

Click Here to Read the Report
Mar 26 2026
Security

Identity Security Is Critical to AI Adoption in Government

As federal agencies adopt artificial intelligence agents, identity security, access governance and continuous monitoring become essential to protect data.
Paul Petroski
by

Paul Petroski is the Federal CTO for Focal Point, a CDW company, and provides complex, enterprise-class solutions to public and private sector clients. His current responsibilities include project and program management, solution development and innovation, team management and development, business development and project delivery for federal government customers. He has substantial experience that spans verticals and solution offerings in the IT middleware space, with a focus on identity and access management and data security.

Federal agencies are exploring how artificial intelligence can improve mission outcomes, streamline operations and help employees work more efficiently. But before agencies deploy advanced AI capabilities — especially autonomous AI agents — they need to solve a foundational challenge: identity and access management.

In many ways, identity security becomes even more important in an AI-driven environment than it is for traditional applications. AI systems interact with large amounts of data, connect to multiple systems and often operate independently. Without strong identity governance and monitoring, that access can quickly become difficult to control.

From my perspective working with federal agencies, implementing AI responsibly starts with building a strong identity security framework.

Click the banner below to consider how managed services can optimize security.

x_security_q325_animated_click_desktop_01 x_security_q325_animated_click_mobile_01

 

Treating AI Agents as Identities

One of the first things agencies need to understand is that AI agents must be treated like identities in the environment. They are not human users, but they still require credentials and permissions to interact with systems and data.

In many ways, they resemble service accounts — machine identities that use credentials to authenticate into applications, databases or application programming interfaces. The difference is that AI agents may operate with far greater autonomy and may need access to a broader range of systems than a typical human user.

That means agencies must carefully define what systems an AI agent should access and what data it should be able to retrieve. As organizations introduce new systems or new data sets, identity policies may need to be updated to ensure the AI agent has appropriate access.

With human users, permissions often remain relatively static. An employee may need access to a handful of applications, and those rights change only occasionally. AI agents are different. Their scope can expand as new data sources come online, and agencies must ensure access is managed continuously rather than treated as a one-time configuration.

Balancing Access and Security

Another major challenge is balancing security with functionality.

AI agents are designed to analyze data, generate insights and automate tasks. If they cannot access the data they need, their value is limited. But granting overly broad access introduces risk — especially when sensitive or classified information is involved.

Agencies must determine several key factors before granting access:

  • What data sources the AI agent requires
  • The sensitivity level of those data sets
  • Whether every AI agent in the environment should have access
  • How the system will track and manage those permissions over time

Identity governance tools help agencies manage this complexity by tracking access requests, approving permissions, enforcing least privilege and ensuring the right controls are in place. But the real work happens during planning and architecture.

Implementing identity security for AI is not simply a configuration exercise. It requires agencies to think through how AI will operate across their entire ecosystem of applications and data.

Monitoring AI Behavior

Even with carefully defined permissions, agencies must assume that monitoring will be critical.

AI systems generate enormous volumes of activity. Every authentication attempt, database query or API call may generate an audit log. Those logs provide the visibility needed to understand how AI agents are interacting with systems and whether they are behaving as expected.

Many agencies centralize those logs into a repository or analytics platform, where security teams can analyze activity patterns and identify anomalies.

Click the banner below for the latest federal IT and cybersecurity insights.

ft_newsletter_animated_q125_signup_desktop ft_newsletter_animated_q125_signup_mobile

 

Because the scale of this data is so large, monitoring AI activity often requires additional automation — and in some cases, AI itself. Intelligent analytics can help security teams detect when an agent is operating outside its intended guardrails, such as accessing unexpected data sets or executing unusual queries.

This kind of visibility is essential for maintaining trust in AI systems.

Responding to Suspicious Activity

No security program is complete without a remediation plan.

Agencies need documented procedures that define how to respond if an AI agent behaves unexpectedly. Not every issue carries the same risk. Some incidents may involve access to relatively low-sensitivity data, while others could involve personally identifiable information or national security data.

Security teams must categorize incidents by severity and determine how quickly they need to respond.

A strong identity program makes such speedy response possible. If an anomaly is detected, identity management tools can automatically suspend or revoke the credentials associated with the AI agent. In effect, the system can quarantine the agent until the issue is investigated and resolved.

This automated response capability is critical because AI systems can operate at machine speed. Human intervention alone may not be fast enough to contain potential risks.

Building an Iterative Program

Finally, agencies should recognize that identity security for AI is not a one-time deployment.

Implementing these capabilities is best handled using a program-based approach that evolves as organizations introduce new tools, data sets and use cases. Successful programs begin with careful scoping and planning, followed by incremental improvements over time.

That iterative approach allows agencies to build a secure foundation for AI adoption while continuing to expand capabilities as technology and mission needs evolve.

Artificial intelligence has tremendous potential for the federal government. But the agencies that succeed will be those that treat identity security not as an afterthought, but as the foundation of their AI strategy.

This article is part of FedTech’s CapITal blog series.

CapITal blog logo

SeventyFour/Getty Images

More On

Related Articles