AI Search Is Exposing Hidden Access Pathways—Identity Security Must Catch Up

AI-powered search tools promise something irresistible: type a question and instantly surface the most relevant information across your entire organization. It’s efficient, intuitive, and already reshaping how people work. But this ease of discovery also reveals a problem many companies didn’t realize they had. Their access models were never designed for this kind of frictionless visibility.

For decades, sensitive documents often stayed protected not because permissions were perfectly aligned, but because finding them required effort. Users needed the right filename, the right keywords, or the right folder path. If they didn’t know something existed, it was unlikely they would stumble across it.

AI eliminates that layer of obscurity. A vague request like “show me our biggest financial risks” can surface files scattered across SharePoint, cloud drives, on-prem servers, email archives, and SaaS tools—anything the user’s identity can technically access.

According to Mickey Bresman, CEO at Semperis, that qualifier, “technically”, is where the trouble begins.

AI Doesn’t Create New Access—It Exposes Old Access You Forgot About

Most enterprises have years of identity debt built up across Active Directory, Entra ID, Okta, cloud applications, and legacy systems. Groups were reused for convenience. Temporary permissions outlived the projects they were created for. Migrations layered new complexities on top of old ones.

AI search doesn’t respect the old hierarchies that once kept these misconfigurations out of view. It honors exactly what a user or service account can access, directly or through nested group membership, and folds all of it into answers. The tool is enforcing permissions correctly; it is the permissions themselves that are wrong.

During a recent TechSpective Podcast episode, Bresman described the moment this reality hits: “One customer told me, ‘I didn’t even know that we have those files—and I for sure should not have access to those files.’ AI just bubbled it all up.”

This is the core tension organizations are now confronting. AI expands discoverability. Identity systems are still operating off 20 years of accumulated clutter.

Context Becomes a Security Risk

Bresman described a classic scenario:
A sensitive file buried several folders deep inherits a read grant from an older group structure. The user can’t browse into the parent folder, so they’ve never seen the file and never would. The parent folder’s ACL hides the file from browsing but does not protect it: on Windows the Bypass Traverse Checking privilege is granted to Everyone by default, and a SharePoint item with unique permissions is indexed and returned to anyone granted on the item, so whoever the old group resolves to can open the file by path or through search.

With AI, discovery no longer depends on browsing. You don’t need a path. You don’t need the file name. You only need the context behind your question.

That shift erases the accidental protection many companies relied on without realizing it.

Attackers benefit even more. A compromised account no longer requires manual reconnaissance. A single prompt can surface everything the identity can touch, along with summaries that make lateral movement easier. Where the AI tool logs prompts, that log is a record of the reconnaissance and belongs among the SOC’s detection sources.

Identity Is Now the Discovery Layer

If AI can reach into every system tied to a user’s identity, then identity becomes the new discovery plane. The critical questions are no longer just who can open a sensitive file, but also who can assign themselves access with a few clicks: group owners, anyone with write permission on a group’s member attribute, and helpdesk roles that can edit membership.

In many environments, the second group is far larger—and harder to track—than the first.

One solution is better hygiene. Start by removing groups that do not have a clear function or owner.

Of course, it’s possible the group has some obscure but crucial function the IT team is not aware of. On the podcast, Bresman explained the challenge with a dose of humor but also truth: “People see the issue but are afraid to touch it. I jokingly call it the ‘screaming test’—you remove the group and wait to see who screams.”

Without guardrails or rollback options, security teams hesitate to clean up permissions. That hesitation becomes a liability when AI tools start pulling from every entitlement in the system. The guardrails are to compute who actually depends on a group before it goes, and to keep a restorable copy: an Active Directory group recreated by name gets a new SID, so ACLs that referenced the old group stay broken, and only a Recycle Bin or backup restore brings the original identifier back.

AI-Ready Data Needs AI-Ready Security

Moving forward, organizations have to rethink identity and data governance as a unified function. That means:

Mapping what’s truly sensitive

Understanding every path—direct and indirect—that leads to it

Reducing excessive access safely

Monitoring for drift, unexpected changes, and nested group explosions

Treating identity as the central enforcement point for AI-era access
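The access paths this article keeps returning to (nested groups that grant access indirectly, the buried file readable without its folder, the principals who can add themselves to a group, the “screaming test”, and the drift monitoring in the list above) can be made explicit with a small model. The following is an added example in Python, not code from the article or from Semperis; the directory, group names, resource paths and membership-editing rights are constructed sample data, and the function names are hypothetical labels for the checks, not any product’s API.

```python
from collections import deque

# Constructed sample directory (hypothetical names, not real data).
# group -> direct members; a member may itself be a group (nesting)
MEMBERS = {
    "finance-all": {"alice", "finance-leads"},
    "finance-leads": {"bob"},
    "proj-2019-migration": {"carol", "finance-leads"},  # project ended, group never removed
    "helpdesk": {"dave"},
}
# resource -> grantees with read, exactly as the ACL names them (users or groups)
ACL = {
    "sp://finance/board/": {"finance-leads"},                          # parent folder
    "sp://finance/board/risk-register.xlsx": {"proj-2019-migration"},  # file inside it
    "file://hr/payroll.csv": {"finance-all"},
}
# group -> principals allowed to change its membership (AD WriteProperty on
# `member`, Entra group owner, Okta group admin, ...): the self-grant rights
CAN_EDIT_MEMBERS = {"proj-2019-migration": {"helpdesk"}}


def expand(group, members=MEMBERS):
    """Transitive members of a group: users plus every nested group."""
    seen, queue = set(), deque([group])
    while queue:
        for m in members.get(queue.popleft(), ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def groups_of(principal, members=MEMBERS):
    """Every group containing the principal, directly or through nesting."""
    return {g for g in members if principal in expand(g, members)}


def effective_access(principal, members=MEMBERS, acl=ACL):
    """Resources the principal can read -> the ACL grantee(s) that grant it.
    This is what an AI search index sees; folder browsability is irrelevant."""
    ids = {principal} | groups_of(principal, members)
    return {res: sorted(g & ids) for res, g in acl.items() if g & ids}


def can_self_grant(principal, members=MEMBERS, acl=ACL, editors=CAN_EDIT_MEMBERS):
    """Resources the principal cannot read now but could reach by adding
    themself to a group whose membership they are allowed to edit."""
    ids = {principal} | groups_of(principal, members)
    reachable = {}
    for group, allowed in editors.items():
        if not allowed & ids:
            continue
        gained = {group} | groups_of(group, members)  # joining `group` also joins its parents
        for res, grantees in acl.items():
            if grantees & gained and not grantees & ids:
                reachable.setdefault(res, set()).add(group)
    return reachable


def users(*snapshots):
    """Principals that appear as members but are not groups in any snapshot."""
    groups = set().union(*(s.keys() for s in snapshots))
    return {m for s in snapshots for ms in s.values() for m in ms} - groups


def drift(old, new, acl=ACL):
    """Per-user change in effective access between two membership snapshots."""
    changes = {}
    for u in sorted(users(old, new)):
        before = set(effective_access(u, old, acl))
        after = set(effective_access(u, new, acl))
        if before != after:
            changes[u] = {"gained": sorted(after - before), "lost": sorted(before - after)}
    return changes


def removal_impact(group, members=MEMBERS, acl=ACL):
    """Who loses read on what if `group` is deleted: compute this before
    removing the group instead of removing it and waiting for screams."""
    after = {g: ms - {group} for g, ms in members.items() if g != group}
    return {u: c["lost"] for u, c in drift(members, after, acl).items() if c["lost"]}


if __name__ == "__main__":
    print("carol reads:", effective_access("carol"))        # the buried file, not its folder
    print("dave could self-grant:", can_self_grant("dave"))
    print("deleting proj-2019-migration would cut:", removal_impact("proj-2019-migration"))
```

In the sample data carol can read the risk register but not the folder that contains it, which is the buried-file case; dave has no access today but can edit the stale project group’s membership, so he is one click from the same file; and the removal check shows that deleting the project group also cuts bob, who only reached the file through a nested group. In a real environment the three dictionaries are populated from the directory (nested group membership) and from the resource ACLs, and the drift function is run against two successive snapshots.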

AI is accelerating productivity, no question. But it’s also accelerating the visibility of every misaligned permission, every forgotten group, and every historical access decision made in the name of convenience.

Companies that address their identity debt now can adopt AI with confidence. Those that don’t may find their most sensitive data appearing in AI-generated summaries long before anyone realizes what went wrong.
