13 leaders share how to protect accounts overrun by agentic AI

🕒︎ 2025-11-05

Copyright Fast Company

Technology is now a foundation of running a business, but it introduces complexity and security issues. These become even harder to track when agentic AI bots work across systems and the organization without any individual necessarily tracking them. Employees also set up logins and workflows but eventually leave the company. This results in ghost accounts—no one knows who is responsible for them. Security problems can then pop up at inopportune times. Below, Fast Company Executive Board members share their perspectives on how business owners can mitigate security concerns by taking action, immediately and over the long term.

1. INVENTORY HUMAN USERS, LOGINS, AND AI AGENTS.
The first step is always visibility. You can’t protect what you don’t know exists. You need a complete inventory of human users, legacy logins, and increasingly, AI agents acting across systems. It’s critical to assign ownership and review access paths regularly. Without clarity on who or what is acting on your behalf, you can’t secure anything effectively.
–Unnat Bak, Revscale AI™

2. GET HUMANS IN THE LOOP.
One of the first steps is to absolutely get humans in the loop. Keep customers informed about potential signals of risks to their data so they can engage in defensive behaviors. Educate employees about the latest scams and risks so they always remain hyperaware. Treat any invasion as a human + tech problem.
–Amy Radin, Pragmatic Innovation Partners LLC

3. PULL BACK ON CUSTOMER-FACING AI.
We’ve started pulling back on AI in anything customer-facing. If it doesn’t sound like something a real person would say, it probably shouldn’t be out there. What we gain in efficiency, we lose in CX and retention when we overuse AI.
–Travis Schreiber, erase.com

4. OWNERSHIP AND INVENTORY.
Start with ownership and inventory. Run automated identity discovery across IdP, cloud IAM, SaaS, code repos, and secrets vaults to list every account. Tag human versus service, assign owner and purpose, and auto-quarantine anything unowned: disable login, revoke tokens/keys, rotate creds. Then enforce least privilege, short-lived creds, MFA, and JML automation. Audit exceptions; review quarterly; log.
–Shashank Chaurasia, MooresLabAI

5. AUDIT ALL ACCOUNTS.
Audit all accounts for ownership, access, and activity. Revoke credentials tied to unknown, former, or nonhuman users, treating each as a potential vulnerability. Once secured, change passwords across both affected and unaffected accounts. Then communicate openly with colleagues about the situation and encourage them to update their credentials. A proactive cleanup now prevents breaches later.
–Evan Nierman, Red Banyan

6. IDENTIFY AND DISABLE SUSPICIOUS ACCOUNTS.
The first step is to perform an urgent identity audit: identify and disable inactive, orphaned, or suspicious accounts. This containment reduces risk immediately. From there, validate ownership, enforce multifactor authentication (MFA), and reissue credentials only where needed, ensuring all accounts—especially service ones—map to a responsible owner with clear oversight.
–Maria Alonso, Fortune 206

7. UNDERSTAND USERS.
Start by making a list of all the accounts and who uses them. Close or reset any account that belongs to someone who has left or isn’t a real person. Update passwords and add two-factor authentication so only real people can get in. Watch for strange activity.
–Chris Dyer, Leadership Speaker

8. SEE WHAT’S ACTIVE.
I advise treating accounts the same way we treat software licenses. We run quarterly audits to see what’s active, what’s actually being used, and what may have been abandoned. This simple discipline prevents ghost accounts from piling up, keeps ownership clear, and strengthens security—especially as AI agents and old service accounts slip into the mix.
–Goran Paun, ArtVersion

9. REVOKE UNNECESSARY ACCESS.
The first step is to run a full audit of all accounts to identify inactive, duplicate, or suspicious ones. From there, revoke unnecessary access and enforce strict authentication. Establishing clear ownership for every account ensures accountability, reduces security gaps, and protects against misuse by AI or former employees.
–Boris Dzhingarov, ESBO ltd

10. SUSPEND SUSPICIOUS ACCOUNTS.
The first step is to immediately audit all accounts, disable or suspend suspicious or unused ones, and revoke access tied to former employees. Implement multifactor authentication, strict role-based access, and logging to track activity. Quick containment prevents misuse while setting up stronger identity and access management controls for the future.
–Stephen Nalley, Black Briar Advisors

11. CHECK FOR ORPHANED ACCOUNTS.
The first step is a full access audit. You need to identify every orphaned, AI-driven, or abandoned account and reassign ownership. Enforce MFA where possible. Without visibility, you’re blind to risks. Mapping accounts to real, accountable humans creates the foundation for stronger controls, least-privilege access, and preventing shadow identities from running unchecked.
–Volen Vulkov, Enhancv

12. QUARANTINE PROBLEMATIC ACCOUNTS.
The first step is to quarantine and isolate these accounts immediately. Stop all nonessential access, flag unusual activity, and document every interaction. Once contained, conduct a risk assessment to determine which accounts are truly needed, retire redundant ones, and implement strict identity verification before any reinstatement.
–Gianluca Ferruggia, DesignRush

13. FREEZE FIRST, VERIFY SECOND.
Freeze first, verify second, govern third. Until accounts are accounted for and owned, you can’t ensure security.
–Britton Bloch, Navy Federal Credit Union
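
The audit that several contributors describe above (list every account, tag human versus service, map each to an owner, quarantine anything unowned or abandoned) can be run as a triage pass over a merged account inventory. The sketch below is an added example, not part of the original article or any contributor's tooling; the record fields, the staff roster, and the 90-day inactivity threshold are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per account, as it
# might look after merging IdP, cloud IAM, SaaS and secrets-vault exports.
INVENTORY = [
    {"id": "alice", "kind": "human", "owner": "alice", "last_used": date(2025, 10, 30), "mfa": True},
    {"id": "bob", "kind": "human", "owner": "bob", "last_used": date(2025, 3, 2), "mfa": False},
    {"id": "svc-backup", "kind": "service", "owner": "bob", "last_used": date(2025, 11, 1), "mfa": False},
    {"id": "agent-crm-sync", "kind": "ai_agent", "owner": None, "last_used": date(2025, 11, 4), "mfa": False},
    {"id": "svc-reports", "kind": "service", "owner": "alice", "last_used": date(2025, 6, 1), "mfa": False},
    {"id": "carol", "kind": "human", "owner": "carol", "last_used": date(2025, 11, 3), "mfa": False},
]
ACTIVE_STAFF = {"alice", "carol"}  # constructed HR roster; "bob" has left
STALE_DAYS = 90                    # assumption: roughly one quarter of inactivity


def triage(account, today, staff=ACTIVE_STAFF, stale_days=STALE_DAYS):
    """Return (action, reasons) for one account record.

    "quarantine" is only a decision here; disabling login, revoking tokens
    and rotating credentials happen in whatever system owns the account.
    """
    reasons = []
    owner = account["owner"]
    if owner is None:
        reasons.append("no owner")
    elif owner not in staff:
        # Catches accounts that are still in use but whose owner has left.
        reasons.append("owner left")
    if (today - account["last_used"]).days > stale_days:
        reasons.append("inactive")
    if reasons:
        return "quarantine", reasons
    if account["kind"] == "human" and not account["mfa"]:
        return "enforce_mfa", ["human account without MFA"]
    return "keep", []


def audit(inventory, today):
    """Map account id -> (action, reasons) for the whole inventory."""
    return {a["id"]: triage(a, today) for a in inventory}


if __name__ == "__main__":
    for acct, (action, reasons) in audit(INVENTORY, date(2025, 11, 5)).items():
        print(f"{acct:16} {action:12} {', '.join(reasons)}")
```

Note that `svc-backup` is quarantined even though it was used four days before the audit date: activity alone does not show that anyone is responsible for the account.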