
Semperis Confronts the Identity Chaos Exposed by AI Search

AI search tools are reshaping enterprise workflows. A single natural-language prompt can pull insights from years of documents, emails, and cloud repositories. That’s great for productivity. It’s far more complicated for security teams who are discovering that AI is exposing access pathways they didn’t know existed.

Semperis has been studying this shift closely, and their conclusion is straightforward: AI isn’t necessarily creating risk—it’s revealing it.

Enterprise identity environments today aren’t clean or simple. They span Active Directory, Entra ID, Okta, SaaS permissions, and cloud entitlements. They contain nested groups built on top of nested groups. They carry years of outdated access tied to projects no one remembers.

In the past, these messy structures stayed mostly invisible. Users had to know a file existed to find it.

AI wipes that barrier away.

During a recent episode of the TechSpective Podcast, Semperis CEO Mickey Bresman explained the change bluntly: “AI changes everything because I don’t need to know the name of the file or its location anymore. I just provide context, and AI will show me results—even sensitive files I was never supposed to find.”

This is exactly what Semperis is seeing across customer environments where AI search capabilities are being deployed. Sensitive files become discoverable the moment an identity—no matter how indirectly—has access to them.

Where the Real Risk Comes From

Bresman explained that a document’s direct permissions tell only a fraction of the story. The more dangerous question is: who can grant themselves access?

A group that owns a parent folder can modify child permissions. A nested group buried three layers down can suddenly inherit access. An on-prem AD group synced years ago into Entra ID can unintentionally give a cloud user visibility into a sensitive document.

Semperis’ attack-path-centric approach is designed for this exact complexity. Tools like Forest Druid map not just who has access, but how quickly someone could obtain it through privilege escalation or group modification.
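The difference between holding access today and being able to grant it to yourself can be checked with a short graph walk. This is an added example, not Semperis or Forest Druid code; the group names, paths, and the simplified readers/owners ACL model are constructed for illustration.

```python
from collections import deque

# Constructed sample data (hypothetical names): principal -> groups it directly belongs to.
MEMBER_OF = {
    "alice": ["Proj-Apollo-2017"],
    "Proj-Apollo-2017": ["Finance-Share-RW"],
    "Finance-Share-RW": ["Finance-Readers"],
    "bob": ["FS-Admins"],
    "carol": ["Sales"],
    "dave": ["Finance-Readers"],
    "Sales": ["Sales-EMEA"],
    "Sales-EMEA": ["Sales"],  # membership cycle: the walk must still terminate
}
# Constructed ACLs: readers hold access now; owners can rewrite permissions below them.
ACLS = {
    "/finance": {"readers": set(), "owners": {"FS-Admins"}},
    "/finance/payroll.xlsx": {"readers": {"Finance-Readers"}, "owners": set()},
}
USERS = ["alice", "bob", "carol", "dave"]

def expand_groups(principal):
    """Return {group: nesting depth} for every group reachable from principal."""
    depth, queue = {}, deque([(principal, 0)])
    while queue:
        node, d = queue.popleft()
        for group in MEMBER_OF.get(node, []):
            if group not in depth:  # BFS: first visit is the shortest chain
                depth[group] = d + 1
                queue.append((group, d + 1))
    return depth

def ancestors(path):  # parent folders of path, nearest first
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]

def classify(user, resource):
    """Return ('read', depth) if access is held, ('can-grant', depth) if obtainable, else None."""
    groups = {**expand_groups(user), user: 0}  # depth 0: user named on the ACL itself
    held = [groups[p] for p in ACLS[resource]["readers"] if p in groups]
    if held:
        return ("read", min(held))
    for obj in [resource] + ancestors(resource):
        owned = [groups[p] for p in ACLS.get(obj, {}).get("owners", ()) if p in groups]
        if owned:  # owner of the object or a parent folder can add themselves
            return ("can-grant", min(owned))
    return None

def audit(resource):
    return {u: c for u in USERS for c in [classify(u, resource)] if c}
```

For the sample data, `audit("/finance/payroll.xlsx")` reports `alice` as a reader through three layers of nesting and `bob` as able to grant himself access through ownership of the parent folder, even though neither appears on the file's own ACL.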

In Semperis’ view, AI accelerates the urgency of this work. If AI expands what users can discover, security teams must shrink what users can reach.

The Hardest Part for Companies Is Taking Action

Even when organizations finally see the scope of excessive permissions, many hesitate to remove them. Groups get reused for years. No one remembers what depends on them. And there’s always a fear of breaking something crucial.

Bresman described the reality with a line most IT admins can relate to: “At some point, you have to remove the group and wait to see who screams. But you need a safety net to put it all back if something breaks.”

Semperis builds that safety net directly into its Directory Services Protector (DSP) platform: safe permission reduction, real-time monitoring, drift detection, and instant rollback. The goal is not only to clean up identity debt but to do so without bringing operations to a halt.

Preparing for the Next Identity Challenge: Agentic AI

Semperis is also looking ahead to another complication: AI agents acting autonomously within enterprise environments. These aren’t human identities or traditional machine accounts. They’re something new.

As Bresman put it, “We used to say human identities and machine identities. Now we’re going to have a third pillar—agentic identities.”

These agents can take actions at machine speed, make decisions independently, and perform tasks at a scale no human could. A simple misconfiguration or flawed instruction could result in thousands of unintended changes before anyone notices.

Semperis believes organizations need to prepare now—defining how these identities are authenticated, monitored, and constrained before they become another source of exposure.

Semperis’ Message: Adopt AI, But Don’t Ignore Identity

Semperis isn’t skeptical about AI. They use it, embrace it, and see its potential. Their guidance is not to slow down AI adoption, but to clean up identity systems so AI doesn’t unintentionally expose everything that was once hidden by obscurity.

AI is here. Its benefits are real. But it also shines a bright light into every corner of an organization’s identity structure. Semperis wants companies to be ready for what that light reveals—and to close the gaps long before an attacker asks the same AI a very different kind of question.
