It has been just over a year since the UK government unveiled its AI Opportunities Action Plan. It was a bold statement of intent – a roadmap to transform the UK into an “AI powerhouse” by focusing on sovereign compute, public sector data access and a pro-innovation regulatory environment.
Today, we can see the skyline of that ambition starting to take shape. The expansion of the Sovereign AI Research Resource has given UK startups the “engine room” they need and the National Data Library has begun to unlock the silos of the public sector. These efforts were further bolstered by the recent appointment of Kalbir Sohi as the UK’s first Chief AI Officer.
However, as we reflect on the rapid progress made in 2025, a critical truth has emerged. While infrastructure is no longer the bottleneck, infrastructure without identity is an open door. As the government has spent the last year building the foundations of the AI economy, threat actors have spent that same year perfecting the tools to exploit them.
Organisations are no longer asking “How do we use AI?” but rather “How do we secure the trust required to scale it?” As the national plan progresses, it has become clear that the “Identity Gap” is widening. Without a robust identity framework, AI adoption creates a toxic accumulation of unmanaged risks that can bankrupt digital trust in an instant.
From login to continuous assurance
Last year, many enterprises treated AI as a productivity tool. This year, it will be a persistent presence. Traditional perimeter security is officially obsolete; AI-driven deepfakes and automated social engineering have effectively ended the age of visual trust. When a video call can be perfectly spoofed and a voice cloned in seconds, the traditional methods we used to verify a person – including an employee – have become useless.
Businesses must move from point-in-time authentication to continuous identity assurance. By utilising AI-driven behavioral signals – analysing patterns like device telemetry, interaction velocity, and navigation habits – organisations can verify identity during the session.
This reduces friction for legitimate users (improving user experience) while providing real-time detection of account takeovers traditional multi-factor authentication (MFA) would miss.
Managing the agentic workforce
But the challenge isn’t just about verifying humans. The most significant development since the Action Plan’s launch is the rise of Autonomous AI Agents. The identity surface area is exploding because we are no longer just managing people – we are managing their digital proxies. These agents act as a “synthetic workforce,” querying databases and executing transactions with the same privileges as human employees.
Currently, most UK businesses have a machine identity blind spot. If an agent is over-privileged, it can exfiltrate data at machine speed – far faster than a human security operations center (SOC) can respond.
Every AI agent must be treated as a managed identity. This requires “Know Your Agent” (KYA) protocols: verifiable cryptographic identities, strictly enforced least-privilege access, and – critically – a centralised “Identity Kill-Switch” to revoke access the moment an agent’s behaviour anomalies are detected.
Identity priorities for 2026
If the “Identity Kill-Switch” is the immediate tactical requirement for an agentic workforce, then our national strategy for the next 12 months must be the blueprint that makes it possible. To move from reactive defense to proactive governance, the UK must commit to three fundamental shifts.
Firstly, we must move away from static, one-time logins. Security in an AI world must be at runtime – constantly re-verifying the Non-Human’s or Human’s identity based on subtle signals without interrupting their workflow.
Establishing a national standard for how AI agents are registered and tracked must be embraced. If we cannot identify the ‘owner’ of an autonomous process, we cannot hold the system accountable.
And finally, in 2026, the only effective way to stop a rogue AI or a compromised account is the immediate, automated removal of its digital credentials. Identity is the only remaining off-switch in a decentralised AI ecosystem and governance must be made a priority.
Trust as a strategic asset
The UK’s AI Opportunities Action Plan has given us the tools to compete globally. But, the winners won’t be the ones who deployed the most models – they will be the ones who built the most secure identity fabrics. Looking ahead, we must remember the AI opportunity itself is built on a currency of trust. When you secure the identity, you secure the opportunity.
