While AI tools can enhance teaching and learning, they also pose a risk to human autonomy and creativity, potentially making important decisions or performing tasks that should contribute to student learning. Higher ed needs “to ensure AI supports learning rather than replacing meaningful engagement in the educational experience,” says Isaac Galvan, community program director of cybersecurity and privacy for EDUCAUSE.
The attack surface extends beyond course management to student portals, registration systems, financial aid platforms and advising tools. “AI is outpacing security, and higher ed IT teams are struggling without proper visibility into the tools being used,” says Sandeep Kumbhat, vice president and global field CTO for Okta.
Higher ed leaders are realizing that the agentic AI problem is an identity security problem. “Agentic AI creates an identity and access management challenge because it can blur the line between a human user and a technology acting on that user’s behalf,” Galvan says.
Educators can help address the issue, Callahan says, by requiring in-person essay writing and test taking, or video calls where students hold three fingers in front of their faces to reveal any facial overlay, known as the three-finger test.
DISCOVER: Artificial intelligence tools introduce new risks into higher education environments.
Higher IT leaders can also help by treating agentic AI as the identity and access management challenge that it is. “Viewing agentic AI through an identity lens is critical for long-term success,” Callahan says.
Understanding Agentic AI as an Identity Security Problem
To mitigate AI impersonation, institutions should implement more stringent controls and verification processes to better validate users and their activities. Authentication controls can verify a student’s identity, confirming that the student who’s registered for a course is the same person doing the work.
Higher ed IT leaders need to strengthen identity security “by investing in identity and access management solutions that help verify genuine human presence,” Galvan says.
In addition, behavioral analytics can detect agentic AI by tracking deviations from students’ typical behavior patterns on educational platforms. And instead of unreliable and error-prone AI-detection software that looks only at the content that students produce, network-level signals can help reveal AI impersonation by tracking technical metadata and connection behavior to identify suspicious IP locations, for instance.
Fight fire with fire by leveraging AI to bolster security, Galvan advises. “AI can support predictive pattern analysis of networks and improve monitoring and detection capabilities, allowing institutions to identify anomalies more quickly and accurately,” he says.
LEARN MORE: Identity governance is key for secure artificial intelligence applications.
Higher ed also can discourage student use of agentic AI within its systems by making its tools simpler to use, Callahan says. “Student-facing tools should be easy enough that students don’t want or need to use agents,” he says.
Building Effective Governance Frameworks
Before they rush into adopting any tools, however, higher ed institutions first need an effective AI governance framework.
Institutions need to create a general AI steering committee that brings together the various stakeholder groups to determine institutional AI strategy, Callahan advises. “That’s the first thing to do. It always comes back to people, process and tools — in that order.”
Because rapidly evolving AI systems rely on multiple interconnected data processes and are increasingly embedded across software platforms, institutions must take a collaborative governance approach that involves colleagues from across the organization in decision-making and oversight, Galvan says.
“Schools should think about agentic governance as an extension of their human identity governance,” Kumbhat says. In practice, he explains, such governance can involve certification campaigns timed to semester and enrollment cycles rather than annual reviews, least-privilege access scoped to specific tasks and continuous discovery to catch shadow agents acting outside central IT.
Still, Galvan cautions, higher ed should be wary of governance that’s too rigid. “Governance frameworks must strike a balance between caution and innovation,” he says. “Policies that are too restrictive may generate resentment, stifle innovation or be ignored by stakeholders eager to adopt new technologies.”
