The pace of AI agent adoption is nearly ten times faster than the development of governance strategies. The study shows that while the vast majority of organizations—about 91%—are using AI agents, only around 10% have formal strategies in place to manage these non-human identities effectively.
This is a current issue requiring immediate attention.
In cases lacking proper governance, I often see:
💡 AI agents operating with credentials that never get rotated.
💡 Access permissions granted broadly just to ensure things work.
💡 No comprehensive inventory of AI agents or clear offboarding when projects conclude.
These gaps introduce distinct risks—AI agents can become key attack vectors, with breaches occurring at machine speed and evading alerts tuned to human behavior.
Looking ahead to 2026:
- How many AI agents currently have access to your systems?
- What process is in place to offboard AI agents when initiatives end?
- Which role owns governance of AI identities within your organisation?
Moving beyond a human-only IAM focus to managing the full lifecycle of AI agents is an important step forward for security.
I’m interested in hearing how others are approaching AI identity governance and the challenges you’re facing.