Who do you trust more: humans or AI?

Humans or AI? The real question is trust. Securing IT against autonomous agents requires verifiable identities, total traceability and continuous monitoring.

At first glance, the answer seems obvious: we trust humans. Because they are responsible, identifiable, capable of judgment. But as artificial intelligence becomes integrated into information systems, this certainty falters.

The real question is no longer choosing between humans and machines, but understanding under what conditions each can truly be trustworthy in a modern IT environment.

An illusion of control

For decades, business risk management has been structured around the human factor. Errors, misconfigurations or internal threats are known, documented, governed by proven security policies (IAM, audits, segmentation, etc.). But this model is based on a simple hypothesis: humans are at the center of the decision.

Today, this hypothesis no longer holds. AI systems no longer just assist. They take initiatives, trigger actions, interact with critical infrastructures often in real time, at a speed incompatible with traditional human supervision. However, we continue to apply trust logic designed for humans. This is where the disconnect lies.

The AI paradox: power without readability

AI is efficient, fast, capable of automating complex tasks on a large scale. But this power comes with a loss of readability. When a human makes a mistake, it is usually possible to identify the person who made it, understand the cause, and learn from it. With AI agents, these principles become uncertain.

Without a clear identity, it becomes difficult, sometimes impossible, to know who did what, why, and how to prevent it from happening again. Even today, many systems rely on shared or static identifiers, unable to precisely distinguish one agent from another. This ambiguity of identity creates a critical blind spot: actions are carried out, but responsibility remains unclear, control almost non-existent.

The numbers are revealing: only 28% of companies believe they can stop a malicious AI agent before it causes damage. Nearly half can only react once damage has been done, and nearly a quarter just detect without being able to really act. Automation is progressing. Governance is lagging behind structurally.

The key: view AI as an identity

Faced with this transformation, one thing is obvious: if AI acts, it must be treated as an identity in its own right. We can no longer consider it as a simple technical tool. Once a system is capable of initiating actions and accessing sensitive resources, it must be identified, authenticated and controlled like any actor in the information system. This involves unique and verifiable identities for each agent, dynamic identifiers with a limited lifespan, as well as full traceability of actions. This also requires continuously monitoring behaviors to detect abuse and abnormal behavior in real time. Finally, we must integrate a fundamental principle: an AI agent will end up, at a given moment, adopting inappropriate or unexpected behavior. The challenge is therefore to anticipate this risk and prepare for it by putting in place an effective intervention plan.
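
An added sketch, not part of the original article, of the controls this paragraph lists: one credential per agent with a short lifetime and an explicit permission list, and an audit entry for every decision. The function names, the in-memory signing key and the in-memory log are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # constructed: issuer key, held in memory for the demo
AUDIT_LOG = []                         # constructed: stand-in for an append-only audit store

def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def issue_credential(agent_id, scopes, ttl_seconds, now=None):
    """Mint a credential bound to one agent, a scope list and an expiry time."""
    now = time.time() if now is None else now
    claims = {"agent": agent_id, "scopes": sorted(scopes),
              "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + _sign(body)

def authorize(credential, action, now=None):
    """Verify signature, expiry and scope; record who asked for what and the outcome."""
    now = time.time() if now is None else now
    agent, decision = "unknown", "deny:malformed"
    try:
        body_hex, sig = credential.split(".")
        body = bytes.fromhex(body_hex)
        if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
            decision = "deny:bad_signature"   # claims are untrusted, agent stays "unknown"
        else:
            claims = json.loads(body)
            agent = claims["agent"]
            if now >= claims["exp"]:
                decision = "deny:expired"
            elif action not in claims["scopes"]:
                decision = "deny:out_of_scope"
            else:
                decision = "allow"
    except (ValueError, KeyError):
        pass                                  # keeps the "deny:malformed" default
    AUDIT_LOG.append({"ts": now, "agent": agent, "action": action, "decision": decision})
    return decision == "allow"

if __name__ == "__main__":
    cred = issue_credential("agent-7", ["tickets:read"], ttl_seconds=300)
    authorize(cred, "tickets:read")   # inside its scope and lifetime
    authorize(cred, "db:drop")        # outside the permissions it was given
    for entry in AUDIT_LOG:
        print(entry)
```

Denied requests are logged with the same detail as allowed ones, so an agent probing outside its permissions shows up in the log under its own identity.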

Rethink trust

Trust can no longer be implicit in an environment where AI systems are no longer simple tools but entities capable of acting, deciding and interacting autonomously. This change profoundly transforms the nature of risk: more diffuse, more rapid and sometimes invisible, it escapes traditional models of control, historically designed to regulate the human factor. In this context, a requirement arises: make each action traceable and each actor explicitly identified. Without traceability and clear attribution, there can be no accountability, no control, and therefore no real trust.

From this point on, the question is no longer about choosing between humans and machines but about the ability to supervise these new forms of autonomy. The trust of tomorrow will be neither intuitive nor implicit: it will have to be structured, designed like an architecture, and based on a simple but demanding principle: each action must be attributable, each identity limited in its permissions, and each behavior monitored in real time. We no longer trust by default: we build trust, we measure it and we constantly verify it.

It is at this price that AI can truly integrate into critical environments, not by imposing its presence, but by gradually gaining the trust of the companies that deploy it.
