
A rare Saturday Edition (while I'm stuck in Berlin... Thanks Ian and Dean!!)

EIC just wrapped. Three days with the people who actually run identity programs: practitioners, architects, and the vendors trying to keep up with them. The conversation everyone kept circling back to: AI agents. Where do they fit in your governance model? How do you scope permissions for something without a job title?

Then Microsoft disclosed a zero-day that gives attackers administrative access to on-premises Exchange servers. No AI involved. Just an ungoverned service account and infrastructure nobody has audited in four years.

Identity security HAS to mean all identities. Right now, for most programs, it doesn't.


Fresh Signals

Part A

Three signals this week that prove the identity governance gap is getting wider, not closing. We are actively debating how to govern AI agents while leaving on-premises Exchange servers running with default credentials and no lifecycle management. A $205M acquisition tells you exactly how unprepared traditional security vendors are for the identity problems AI is creating. And OpenAI's breach should put a hard stop on every conversation about trusting AI systems with privileged access until those systems can secure their own infrastructure.

The shared pattern is the same one I keep seeing in every engagement: we apply identity governance to the things we understand and route everything else to a different team. Exchange is infrastructure, so it becomes the network team's problem. Browser sessions are endpoints, so they go to the endpoint team. AI integrations are applications, so they go through application governance. None of those classifications are wrong. All of them let the identity problem walk out the door.

Part B

Microsoft's Exchange Zero-Day Is a Service Account Story. We're talking about patches!?


Nope, not patches (or practice). This is a governance story about privileged infrastructure identities that most IAM programs have never inventoried. Read this if your identity governance stops at the edge of your IGA dashboard and calls everything else someone else's responsibility.

Akamai's $205M LayerX Acquisition Reveals the Identity Capability Gap. When a $16B security company has to spend $205M to buy browser identity protection, it tells you two things: they couldn't build it themselves, and the market for governing what browser sessions can access is real. Read this before you accept any vendor's claim that they have a complete identity story.

OpenAI's Breach Ends the Assumed Trust Argument for AI Integrations. Before you grant your next AI system privileged access to your identity store, read what happened to OpenAI's own code repositories. Zero-trust verification for AI integrations is no longer a future-state consideration.

Let's Break Down AI Security

The term "AI Security" is doing a lot of work right now. Vendors are using it to sell everything from model alignment tools to browser isolation products. Analysts are publishing frameworks that treat it as an entirely new discipline requiring new infrastructure, new tooling, and new budgets.

Here's the framing I'd push back on: AI security is not a new category. It is identity governance applied to a class of identities we don't yet have good language for.

Every AI system in your environment is an identity. Most of them are ungoverned.

When an AI agent authenticates to your data lake, it is using a service account or an API key. That credential has permissions. Those permissions were scoped at deployment and almost certainly have not been reviewed since. There is no joiner-mover-leaver process for AI agents because they do not have job titles, and nobody mapped them to a governance workflow when they were provisioned.

This is the classification mistake I keep seeing in organizations deploying AI: they route AI systems through application governance rather than identity governance. Application governance asks whether the software is approved, patched, and licensed. Identity governance asks who this is, what they should be able to access, and whether that access is still appropriate.

Those are different questions. The second set is the one that matters.

The OpenAI breach makes this concrete. Attackers accessed OpenAI's code repositories. The entry point was a code security issue. But the reason it should matter to every identity practitioner is not the vulnerability itself — it is the underlying access model. If OpenAI's own engineers cannot prevent unauthorized access to their own systems, what does that tell you about the identity controls on the AI integrations you have already deployed from their platform?

You are granting privileged access to systems built by organizations that cannot secure their own infrastructure. That is not a reason to halt AI deployment. It is a reason to apply zero-trust verification to every AI system identity before granting it access to anything sensitive, the same standard you would apply to a contractor getting privileged access to production.

In practice, that means treating AI agent credentials like privileged human credentials. Scope them to the minimum required access. Set expiration. Audit the access logs. If your PAM platform does not cover AI agent service accounts by name, that is a gap in your governance model, not a deliberate configuration choice.

The Akamai acquisition tells a related story from the vendor side. LayerX governs what a browser session can access — it is an identity control for browser contexts. Akamai needed to acquire it because traditional network and endpoint security has no answer to the question: should this browser session be allowed to access this data, given what we know about who is using it and the context? That is an identity question. A $16B security company did not have the answer. They spent $205M to buy it.

The Exchange zero-day ties this together in a way the industry keeps refusing to acknowledge. Exchange servers authenticate users, route communications, store sensitive data, and run service accounts with elevated access across your environment. They are identities. They have never been governed as identities. The zero-day is exploitable in part because the underlying infrastructure — service accounts, default credentials, ungoverned privileged access — has been treated as someone else's problem for years.

I sat in sessions at EIC where practitioners were deep in the governance architecture for AI agents — scoped permissions, context-aware authorization, ephemeral credentials. Genuinely good work. And I kept thinking about Exchange. We cannot govern the identities we are deploying in 2026 if we have not governed the ones we deployed in 2010.

AI security starts with identity governance. Identity governance starts with every identity in your environment: human, machine, AI system, and infrastructure. Until that inventory exists and that governance is applied consistently, every AI security framework is a layer on an unbuilt foundation.

The program work is not technically complicated. It is organizationally uncomfortable. It requires admitting that your identity governance has edges, places where identities live that your program does not cover. Exchange servers. AI agents. Browser sessions. Third-party integrations. Supply chain dependencies.

All identities. Or none of it works.
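What the "treat AI agent credentials like privileged human credentials" paragraph and the "every identity in your environment" inventory argument look like as one policy, applied identically to human, machine, AI agent and infrastructure identities. This is an added example, not code from the newsletter or from any vendor it mentions. The inventory rows, the names, the dates and the 90-day review window are constructed assumptions; the point is that the same four checks (accountable owner, credential expiration, recent access review, PAM coverage for anything privileged, plus scope against what the deployment actually needed) run without caring what kind of identity they are looking at.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: an identity whose last access review is older than this is ungoverned.
REVIEW_MAX_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Identity:
    """One row of a constructed identity inventory. Every kind gets the same fields."""
    name: str
    kind: str                           # "human", "machine", "ai_agent" or "infrastructure"
    owner: Optional[str]                # accountable person or team; None means nobody owns it
    privileged: bool
    entitlements: frozenset[str]        # what the credential can access today
    required: frozenset[str]            # what the deployment actually needed (scope at provisioning)
    credential_expires: Optional[date]  # None means the credential never expires
    last_reviewed: Optional[date]       # None means no access review has ever happened
    in_pam: bool                        # vaulted / brokered by the PAM platform


def governance_findings(identity: Identity, today: date) -> list[str]:
    """Apply one governance policy to an identity, regardless of its kind."""
    findings: list[str] = []
    if identity.owner is None:
        findings.append("no accountable owner")
    if identity.credential_expires is None:
        findings.append("credential never expires")
    elif identity.credential_expires < today:
        findings.append("credential expired but still active")
    if identity.last_reviewed is None or today - identity.last_reviewed > REVIEW_MAX_AGE:
        findings.append(f"access not reviewed in the last {REVIEW_MAX_AGE.days} days")
    if identity.privileged and not identity.in_pam:
        findings.append("privileged but outside PAM")
    # Least privilege: anything granted beyond what was needed at deployment is over-scope.
    excess = identity.entitlements - identity.required
    if excess:
        findings.append("over-scoped: " + ", ".join(sorted(excess)))
    return findings


def review_inventory(inventory: list[Identity], today: date) -> dict[str, list[str]]:
    """Findings keyed by identity name; identities with no findings are omitted."""
    return {i.name: f for i in inventory if (f := governance_findings(i, today))}


def ungoverned_by_kind(inventory: list[Identity], today: date) -> dict[str, int]:
    """Count identities with findings per kind, to show where the governance edges are."""
    report = review_inventory(inventory, today)
    counts: dict[str, int] = {}
    for i in inventory:
        if i.name in report:
            counts[i.kind] = counts.get(i.kind, 0) + 1
    return counts


# Constructed sample inventory and review date (not real systems or accounts).
TODAY = date(2026, 5, 9)
INVENTORY = [
    Identity("alice.contractor", "human", "platform-pm", True,
             frozenset({"prod-deploy"}), frozenset({"prod-deploy"}),
             TODAY + timedelta(days=30), TODAY - timedelta(days=10), True),
    Identity("svc-exchange-ha", "infrastructure", None, True,
             frozenset({"domain-admin", "mailbox-rw"}), frozenset({"mailbox-rw"}),
             None, None, False),
    Identity("agent-datalake-summarizer", "ai_agent", "data-platform", False,
             frozenset({"lake-read", "lake-write"}), frozenset({"lake-read"}),
             TODAY - timedelta(days=5), TODAY - timedelta(days=200), False),
    Identity("agent-ticket-triage", "ai_agent", "it-ops", True,
             frozenset({"ticket-rw"}), frozenset({"ticket-rw"}),
             TODAY + timedelta(days=7), TODAY - timedelta(days=30), True),
]

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("ungoverned by kind:", ungoverned_by_kind(INVENTORY, TODAY))
```

Run as written, the well-governed contractor and the well-governed triage agent produce nothing, while the Exchange service account and the data-lake agent each come back with a list of findings. That is the thesis in code: the AI agent is not flagged because it is an AI agent, and the Exchange account is not exempt because it is "infrastructure"; both fail the same checks a human would fail. In a real program the inventory rows would be pulled from the directory, the secrets vault, the PAM platform and each AI integration's own service-account registry rather than hard-coded.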

The Last Word

EIC reminded me why I chose identity as my professional home. A room full of people who genuinely care about getting this right, arguing about the future of governance in a world that moves faster than any framework can keep up with.

Then I land, open my feeds, and Exchange has a zero-day.

All identities. Or none at all.

Be good to each other, be kind to each other, love each other

David Lee
