Visibility Is Now a Core Security Problem-Not a Nice-to-Have
Enterprise security teams cannot protect assets they cannot see. This principle has held for decades, yet most organizations still lack complete visibility into their device inventories, cloud instances, software, identities, and data flows. AI is about to make that visibility gap worse before it gets better.
The problem is not new. Asset management-cataloging and governing every device, identity, configuration, and data flow-has been chronically underfunded and under-executed across the industry. What is new is the speed at which AI tools are multiplying the assets that need to be tracked.
How AI Expands the Attack Surface Faster Than Security Can Keep Up
AI adoption is following the same pattern cloud adoption did. When cloud infrastructure arrived, the friction of provisioning compute dropped to nearly zero. Developers could spin up dozens of instances in minutes without security review. The resulting sprawl created an entire category of cleanup tools.
AI is different in three critical ways. First, procurement is distributed and often invisible. Employees buy AI-as-a-service tools on personal or corporate cards, connect them to internal data sources, and build workflows that touch sensitive systems-all without security review. This is already happening at scale.
Second, AI introduces non-human identities that most security programs have not formalized. AI agents, chatbots, API integrations, and agentic systems all require credentials and permissions. These identities are often created without the lifecycle governance applied to human accounts. They accumulate permissions over time and are rarely deprovisioned when projects end.
Third, AI systems consume and process data in ways that are difficult to trace. Training sets, inference pipelines, retrieval-augmented generation architectures, and model fine-tuning create new data flows that become invisible to governance frameworks if not tagged at creation.
Where AI Actually Helps with Asset Management
The opportunity to use AI as a solution exists, even if the marketing overstates it. Three credible use cases stand out.
Accessibility: Security tools have historically required significant technical expertise. Natural language interfaces let analysts query complex asset databases, write detection logic, and generate enrichment rules without coding. This compresses the time to productivity with new tools-critical when security skills shortages are measured in hundreds of thousands of unfilled positions globally.
Metadata enrichment at scale: Finding a new device on the network is easy. Associating that device with an owner, business unit, risk profile, regulatory scope, and configuration baseline automatically and in real-time is where most programs break down. Machine learning models trained on internal data can produce contextual enrichment at speeds manual processes cannot match.
Behavioral change detection: Traditional discovery tools excel at inventory but struggle with state changes over time. AI-based anomaly detection can identify when a device's operating system changes unexpectedly, when a service account accesses resources outside its normal pattern, or when a new integration endpoint appears without a corresponding change record.
Deployed Language Models Are Assets That Need Tracking
Enterprises are deploying chatbots, virtual assistants, and AI-driven workflows. Each represents an application layer that can be probed, manipulated, and exploited. Prompt injection and jailbreaking are documented techniques that allow adversaries to override a language model's intended behavior, potentially extracting sensitive data or bypassing access controls.
Every LLM-based application an organization deploys should be tracked as a security asset, assessed before deployment, and continuously tested afterward. Most organizations are not doing this. The most effective testing approaches involve using AI to test AI-deploying adversarial language models to probe production systems for exploitable behaviors.
What Security Leaders Need to Do Now
Asset management in the AI era requires an expanded definition of what counts as an asset. Any system, identity, integration, or data pipeline that carries security or compliance exposure needs to be in scope. That includes AI subscriptions, agentic workflows, fine-tuned model deployments, third-party AI vendors with access to internal data, and the non-human identities those systems require.
The technical foundation is the same foundation security programs have been building toward for years: continuous discovery, automated enrichment, behavioral baselining, and integration with risk registers. What changes is the velocity at which new assets appear and the regulatory stakes attached to getting visibility wrong.
Regulators, particularly the SEC and financial services bodies, are signaling that formal requirements for AI inventory and disclosure are likely in the near term. Organizations that treat AI adoption as a governance event from the start-rather than a cleanup problem later-will be better positioned.
Given how cloud adoption played out, most organizations will not move that quickly. But the tools and frameworks to do it right exist. The security professionals who understand them are worth finding.
Learn more about building security expertise for AI environments with AI for Cybersecurity Analysts, or explore AI for Management to understand governance and visibility from a leadership perspective.
Your membership also unlocks:
