Trust at Speed: Identity-First Generative AI in Government

Generative AI can speed public services, but trust hinges on identity. Put IAM at the core: clear access, least privilege, and controls for human and machine accounts.

Published on: Oct 02, 2025

No trust, no problem? Why identity security is central to generative AI in government

Generative AI promises faster services and better decisions. The challenge for government is simple: move fast without losing security or public confidence.

At the Think Digital Identity and Cybersecurity for Government event, Stephen Mowll, area VP for solutions engineering, EMEA at SailPoint, put it plainly: "Everyone's talking about it… But a lot of people are still struggling." The rush to pilot tools has outpaced the groundwork needed to use them safely and usefully.

The trust gap starts with identity

Trust breaks when access is unclear. "We're giving people access to our data without necessarily truly understanding their business context," said Mowll. The same is true for machine identities (service accounts, agents, and automations) that now touch sensitive systems and datasets.

Key questions still go unanswered: What should each identity access? When should access be removed? Who approves changes? "Every couple of weeks," Mowll noted, "you'll read about someone gaining access to information they shouldn't via an AI agent." That's an identity problem, not a headline about AI gone wrong.

Legacy systems, new pressure

Siloed estates make this harder. Agencies upgrade apps or deploy AI features, then bolt on security later. That invites drift and blind spots. The fix: treat identity and access management (IAM) as part of modernisation, not an afterthought.

Mowll pointed to organisations that "score-carded all their applications", not just by technical modernity, but by service value and the identities tied to them. That helps decide what to modernise first and why.

  • Score-card inputs: service criticality, data sensitivity, identity types (human and machine), access patterns, audit gaps, deprovisioning speed.
  • Score-card outputs: modernisation priority, IAM work required, expected value to the department and citizen.

Make security part of daily work

Policy on a page isn't enough. "We put a policy in place and expect people to just know it's there. That's not the case," said Mowll. The departments that improve fastest run ongoing campaigns (posters, prompts, inbox nudges, short videos) so secure behaviour becomes routine.

  • Short, repeated messages: what's allowed in AI prompts, what isn't, and where to ask.
  • Contextual tips inside tools: approval reminders, least-privilege defaults, time-bound access.
  • Leaders model the standard: brief stand-ups, visible decisions, quick escalations.
  • Measure it: access reviews completed, deprovisioning time, AI data incidents, audit findings closed.

A practical starting plan for AI + IAM

  • Inventory identities: people, service accounts, API keys, agents. Tie each to an owner and purpose.
  • Define access by business context: role, department, clearance, data classification, use case.
  • Gate AI features by risk: sensitive data requires stronger approvals and logging; public data can be more open.
  • Adopt least privilege and just-in-time access for both humans and machine identities.
  • Automate joiners-movers-leavers and rotate credentials for machine accounts on a schedule.
  • Log everything that touches sensitive data; review high-risk events weekly.
  • Run red-team tests against AI agents and integrations before scaling.
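
One way to check an identity inventory against the plan above, as an added example that is not from the event or from SailPoint. The record fields, the 90-day rotation window and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MACHINE_KINDS = {"service_account", "api_key", "agent"}
ROTATION_MAX_AGE = timedelta(days=90)  # assumed schedule, not from the article

@dataclass
class Identity:
    name: str
    kind: str                        # "human" or one of MACHINE_KINDS
    owner: Optional[str]
    purpose: Optional[str]
    data_class: str                  # "public" or "sensitive"
    access_expires: Optional[date]   # None means standing access
    last_rotated: Optional[date] = None
    approved_by: Optional[str] = None

def audit(identity: Identity, today: date) -> list:
    """Return the plan items this identity currently violates."""
    findings = []
    if not identity.owner or not identity.purpose:
        findings.append("no owner or purpose")
    if identity.data_class == "sensitive":       # gate by risk
        if not identity.approved_by:
            findings.append("sensitive access without approval")
        if identity.access_expires is None:      # least privilege / just-in-time
            findings.append("standing access to sensitive data")
    if identity.access_expires is not None and identity.access_expires < today:
        findings.append("access expired but not removed")
    if identity.kind in MACHINE_KINDS and (
        identity.last_rotated is None
        or today - identity.last_rotated > ROTATION_MAX_AGE
    ):
        findings.append("credential rotation overdue")
    return findings

# Constructed sample inventory (hypothetical names and dates).
INVENTORY = [
    Identity("a.clerk", "human", "hr", "casework", "sensitive",
             date(2025, 10, 31), approved_by="team-lead"),
    Identity("svc-summariser", "agent", None, "summarise case notes",
             "sensitive", None, last_rotated=date(2025, 3, 1)),
    Identity("faq-bot-key", "api_key", "web-team", "public FAQ assistant",
             "public", None, last_rotated=date(2025, 9, 1)),
    Identity("j.leaver", "human", "finance", "reporting", "sensitive",
             date(2025, 8, 1), approved_by="fin-lead"),
]

def report(today: date = date(2025, 10, 2)) -> dict:
    """Map each non-compliant identity to its findings."""
    return {i.name: f for i in INVENTORY if (f := audit(i, today))}
```

Running `report()` on a schedule and counting findings per category gives a direct feed for the metrics listed earlier, such as deprovisioning time and access reviews completed.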

Work with industry, keep control

Progress accelerates when public and private teams build together. Many firms have already embedded AI safely into products. Government can learn from those patterns and adapt them to public service needs without starting from scratch.

If you need a reference point, see the Guidelines for secure AI system development from the NCSC and partners, and the NIST AI Risk Management Framework. They map well to identity-first controls and risk-based deployment.

Bottom line

AI can modernise services and improve outcomes, but only if identity sits at the centre. Build access on business context, treat machine identities like first-class citizens, and make security habits visible every day. Do that, and the pace of change can increase without losing trust.
