Identity + AI
Breach Architecture and Competitive Gap

The Trust Boundary That Wasn't
ShinyHunters didn't breach 8,809 institutions one by one. They crossed a trust boundary between Instructure's Free-For-Teacher accounts and production Canvas tenants, a boundary that existed only as an architectural assumption. The forensic lesson lives in the remediation: every institution that rotated Canvas API keys and OAuth tokens in May 2026 performed, under duress, the non-human identity (NHI) lifecycle management operation that should have been routine. They discovered their own credential inventory by breaking it.

8,809 Institutions Rotated Their Canvas Tokens. Who Governs Them Now?
Those rotated Canvas tokens got replaced with credentials carrying identical properties: refresh tokens that persist indefinitely, mobile tokens that never expire, LTI keys that outlast the people who created them. Microsoft shipped Entra Agent ID to general availability the same week Instructure detected the breach. This piece assesses what Agent ID actually governs, what licensing it requires, what it cannot reach, and why the credential surfaces the breach just exposed sit outside Microsoft's current perimeter.
Breach Tier Qualification

8,809 institutions got the same breach notification. Your next move at each one should not be the same.
At R1s with NSPM-33 obligations or Canvas AI teaching agent deployments: deploy the full AI governance argument. Credential rotation opens the door; the ungoverned NHI surface is the room behind it.
At mid-size institutions running Canvas AI integrations without formal governance processes: start with credential rotation, then expand to "what else is ungoverned?"
At community colleges with minimal AI adoption: lead with operational pain. The breach earns you the meeting. Don't overplay it.
After the Rotation — The Campus Identity Exposure Canvas Remediation Made Visible

Your buyer's team just finished rotating Canvas credentials integration by integration. No bulk tooling. No complete inventory. They found OAuth tokens for tools nobody remembered approving and developer keys tied to staff who left two years ago. That was one system. The exposure rotation made visible extends through every AI integration, advising platform, and research cluster minting credentials the institution has never inventoried. This piece traces that chain and delivers tier-qualified discovery questions that let the buyer name the governance gap before you do.
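The inventory pass described above, done deliberately instead of under duress, as an added example. This is not code from the original page and not Instructure's, Microsoft's or any vendor's tooling. It triages a credential export for the lifecycle gaps named in this piece and in the section before it: credentials with no expiry, credentials whose human owner has left, credentials with no approval record, and credentials nobody uses. The record schema (`owner_active`, `approved`, `expires_at`, `last_used_at`) and the sample export are assumptions constructed for the example; they are not the real Canvas API response format.

```python
# Added example (not Instructure's, Microsoft's, or any vendor's code).
# Triages a credential inventory for NHI lifecycle gaps: no expiry, departed
# owner, no approval record, and no recent use. The record schema and the
# sample export below are assumptions constructed for this example; they are
# not the real Canvas API response format.
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample export. Field names are assumed for illustration.
SAMPLE_INVENTORY = json.dumps([
    {"id": "dk-101", "kind": "developer_key", "name": "Advising Bot",
     "owner": "jdoe", "owner_active": False, "approved": True,
     "created_at": "2024-02-14T10:00:00Z", "expires_at": None,
     "last_used_at": "2026-05-01T08:12:00Z"},
    {"id": "tok-202", "kind": "access_token", "name": "Mobile app (iOS)",
     "owner": "asmith", "owner_active": True, "approved": True,
     "created_at": "2025-11-03T09:30:00Z", "expires_at": None,
     "last_used_at": "2026-05-14T17:45:00Z"},
    {"id": "lti-303", "kind": "lti_key", "name": "Plagiarism Checker",
     "owner": "it-svc", "owner_active": True, "approved": False,
     "created_at": "2022-09-01T12:00:00Z", "expires_at": None,
     "last_used_at": None},
    {"id": "tok-404", "kind": "access_token", "name": "Grade sync cron",
     "owner": "svc-grades", "owner_active": True, "approved": True,
     "created_at": "2026-03-01T00:00:00Z", "expires_at": "2026-09-01T00:00:00Z",
     "last_used_at": "2026-05-14T02:00:00Z"},
    {"id": "dk-505", "kind": "developer_key", "name": "Old analytics pilot",
     "owner": "mlee", "owner_active": True, "approved": True,
     "created_at": "2023-01-10T15:00:00Z", "expires_at": "2027-01-10T15:00:00Z",
     "last_used_at": "2024-06-01T11:20:00Z"},
])

# Fixed clock so the example is reproducible; a real run would use
# datetime.now(timezone.utc).
NOW = datetime(2026, 5, 15, tzinfo=timezone.utc)


def parse_ts(value: str | None) -> datetime | None:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reasons_for(rec: dict, now: datetime, stale_days: int) -> list[str]:
    """Return the lifecycle findings for one credential record, in a fixed order."""
    reasons: list[str] = []
    if rec.get("expires_at") is None:
        reasons.append("no_expiry")        # lives until someone remembers to revoke it
    if not rec.get("owner_active", True):
        reasons.append("owner_departed")   # the human who understood it is gone
    if not rec.get("approved", False):
        reasons.append("unapproved")       # nobody can say who authorised this integration
    last_used = parse_ts(rec.get("last_used_at"))
    if last_used is None or now - last_used > timedelta(days=stale_days):
        reasons.append("stale")            # unused: pure attack surface
    return reasons


def action_for(reasons: list[str]) -> str:
    """Map findings to a remediation action."""
    if any(r in reasons for r in ("owner_departed", "unapproved", "stale")):
        return "revoke"                    # re-issue only on a fresh, owned request
    if "no_expiry" in reasons:
        return "rotate"                    # still needed: replace with an expiring credential
    return "ok"


def triage(inventory_json: str, now: datetime = NOW,
           stale_days: int = 180) -> dict[str, tuple[str, list[str]]]:
    """Triage every record: credential id -> (action, reasons)."""
    plan: dict[str, tuple[str, list[str]]] = {}
    for rec in json.loads(inventory_json):
        reasons = reasons_for(rec, now, stale_days)
        plan[rec["id"]] = (action_for(reasons), reasons)
    return plan


def summarize(plan: dict[str, tuple[str, list[str]]]) -> dict[str, int]:
    """Count credentials per action, so the size of the gap can be stated."""
    counts = {"revoke": 0, "rotate": 0, "ok": 0}
    for action, _ in plan.values():
        counts[action] += 1
    return counts


if __name__ == "__main__":
    plan = triage(SAMPLE_INVENTORY)
    for cred_id, (action, reasons) in plan.items():
        print(f"{cred_id:8} {action:7} {', '.join(reasons) or '-'}")
    print(summarize(plan))
```

The point of the split between `revoke` and `rotate` is the one the rotation exercise obscures: replacing a credential that should not exist with a fresh copy of itself preserves the gap. Only the records that come back `rotate` are candidates for re-issue, and those should be re-issued with an expiry; everything flagged `revoke` waits for a named owner to ask for it again.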
NHI Statistics Reference

No public research documents campus-specific NHI ratios. Every figure below is enterprise-wide. Directionally applicable at institutions with extensive research computing and SaaS integration. Do not cite as campus averages. Overstating the number at a small institution costs credibility at the moment it matters most.
144:1 NHI-to-human ratio. Entro Labs, NHI and Secrets Risk Report H1 2025. Cloud-native and DevOps environments. Campus ratios undocumented, likely lower.
92:1 NHI-to-human ratio. Entro Security, 2025 State of Non-Human Identities. Enterprise environments broadly. Same vendor as above, different report scope and measurement baseline. The safer figure when buyer trust is on the line.