Every new AI agent your organization deploys is a new identity — with credentials, access privileges, and the ability to act on data at machine speed. Most enterprises now have more non-human identities than human employees by a factor of 80. Yet only one in five organizations maintains a real-time registry of active agents, and fewer than a third can trace any given agent action back to the human who authorized it. The org chart has a shadow workforce — large, credentialed, and almost entirely ungoverned.
The Hidden 80:1 Workforce
When a security team talks about managing identities, the mental model is usually a spreadsheet of employees with badges and passwords. That model was already obsolete before AI agents arrived. Service accounts, API keys, CI/CD pipelines, automation bots, and monitoring daemons had quietly outnumbered the human directory — sometimes 10 to 1, sometimes 40 to 1, depending on the organization's cloud footprint. Then generative AI arrived and companies started wiring agents into their internal systems: agents that book calendars, query databases, draft customer communications, and execute code against production APIs. Each one is a new identity. Each carries credentials. Each has some level of privilege.
KPMG's 2026 enterprise security survey puts the current ratio at 80 non-human identities for every human employee. CyberArk's own data lands at 82:1. Neither figure includes the wave of AI agents being spun up this year, which SANS Institute's 2026 survey tracks separately: 74% of organizations are now deploying agents or automations that require credentials, and 76% report that their NHI population has grown — with many saying populations have doubled or tripled in the past eighteen months. The traditional workforce concern about headcount is being eclipsed by a much faster-moving identity problem that most HR systems, IAM platforms, and compliance frameworks were not built to address.
The governance implication is direct. If your human workforce has a hundred employees, you almost certainly have an onboarding checklist, an offboarding checklist, a role-review cadence, and at least some kind of joiner-mover-leaver process. You know who your employees are. For the 8,000 non-human identities running alongside them, the equivalent discipline barely exists — and AI agents, which are being deployed faster and with less institutional friction than any prior class of machine identity, are arriving into this vacuum.
The Registry Gap: "Where Are My Agents?"
In March 2026, Okta's annual Showcase conference framed its core enterprise AI challenge around a deceptively simple question: "Where are my agents?" The premise was not rhetorical. Even companies with sophisticated IAM programs — companies that had invested heavily in zero-trust architectures and privileged-access workstations — were discovering that they could not enumerate the agents their own teams had deployed. Developers had created OpenAI-backed summarization agents. Operations teams had wired Claude into internal ticket systems. Sales had connected agents to CRM APIs using individual team members' credentials. None of these deployments went through a formal provisioning process. None had a decommissioning plan.
The data behind the Okta framing is unambiguous. Only about 21% of organizations maintain a real-time registry of active agents — a list that would tell you, at any moment, what agents are running, what credentials they hold, and what systems they can access. Only about 28% can trace an agent action back to a specific human sponsor: the person who authorized the agent's deployment and who is therefore accountable for its behavior. That accountability gap is not just a governance inconvenience. Under an increasing set of regulatory frameworks, being unable to trace an automated action to a human decision-maker is a material compliance failure.
The lifecycle discipline gap is even starker. 78% of organizations have no documented policy for creating or removing AI-agent identities. That means agents get provisioned whenever a team finds it convenient — a few lines of code, a grabbed API key, a broad OAuth grant — and de-provisioning is simply forgotten, often permanently. Service accounts from agents that were retired months ago sit in production directories with full credentials intact, quietly available to anyone who knows to look for them.
Why Non-Human Identities Are the Prime Target
Non-human identities are attractive targets for three structural reasons that have nothing to do with AI. First, they typically hold elevated privileges — agents and service accounts are often granted broader access than any individual human would need, because the team that set them up prioritized convenience over least-privilege and no one revisited the grant afterward. Second, they operate with no real-time human oversight: a compromised service account can exfiltrate data or move laterally through a network for hours before triggering an alert, whereas a human taking the same actions on a corporate laptop would be flagged almost immediately by behavioral analytics. Third, their credentials are frequently long-lived — API keys that were created "temporarily" during a launch and never rotated, OAuth tokens with expiries measured in years.
Gartner's 2026 projection sharpens the urgency. The firm expects 40% of enterprise applications to embed task-specific AI agents by end of 2026. If that trajectory holds, the 80:1 ratio is not a ceiling — it is a waypoint. Organizations that have not built the governance infrastructure to manage today's agent population will be structurally unprepared for the wave that arrives next year. And the existing prompt injection vulnerabilities that remain unsolved mean that each new agent identity is also a potential attack surface for adversarial inputs that redirect agent behavior — using the agent's own credentials against your systems.
The Architectural Mismatch: Why Human IAM Fails Agents
The instinctive response to an identity problem is to reach for the identity infrastructure you already have. Roughly half of enterprises currently extend their existing human IAM systems to cover AI agents — the same role-based access control frameworks, the same directory synchronization, the same periodic access reviews that were designed for employees who log in with usernames and passwords. This approach is not wrong as a starting point, but it misses the fundamental way agent access differs from human access.
A human employee is assigned a role — "marketing manager" or "data analyst" — that reflects what they are permitted to do over a career-length engagement with the organization. The role is coarse, it changes slowly, and the access it grants is expected to be continuously available. An AI agent, by contrast, is deployed for a specific task: summarize this set of documents, update these records, query this database. The access it needs is narrow, time-bounded, and should expire the moment the task is complete. Role-based access control, applied to agents, tends to grant standing access designed for humans — access that remains available long after the task ended, even after the agent itself was retired.
"The shift from role-based to intent-based access is the defining architectural change for non-human identity management. Agents need session-scoped credentials tied to a specific task — not persistent roles that outlast the work they were provisioned for."
The fix that emerged from RSAC 2026 and Oasis Security's research is a shift to intent-based access: credentials issued for the declared purpose of a specific task, scoped to exactly the systems that task requires, and revoked automatically when the task completes. This pairs naturally with session-based access models — short-lived tokens rather than long-lived API keys — and with guardrails that verify, at access-grant time, that the agent's stated intent matches the permissions it is requesting. It is a materially different model from human IAM, and it requires tooling purpose-built for agents, not repurposed from a human-identity stack.
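The grant-time check and session-scoped expiry described above, as an added example that is not code from this article or from any vendor it names. The intent names, scope strings and the HMAC-signed token format are assumptions made for illustration; a production deployment would use its identity provider's short-lived OAuth tokens instead.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical intent catalogue: each declared task maps to the only scopes it may hold.
INTENT_SCOPES = {
    "summarize-tickets": {"tickets:read"},
    "update-crm-contact": {"crm.contacts:read", "crm.contacts:write"},
}
SIGNING_KEY = secrets.token_bytes(32)  # constructed per run; a real key lives in a vault
REVOKED = set()                        # token ids revoked at task completion

def b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def sign(body):
    return b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_grant(agent_id, sponsor, intent, requested, ttl_s=300, now=None):
    """Grant-time guardrail: requested scopes must fit the declared intent."""
    allowed = INTENT_SCOPES.get(intent)
    if allowed is None:
        raise PermissionError(f"undeclared intent: {intent}")
    excess = set(requested) - allowed
    if excess:
        raise PermissionError(f"scopes exceed intent '{intent}': {sorted(excess)}")
    now = time.time() if now is None else now
    claims = {"jti": secrets.token_hex(8), "sub": agent_id, "sponsor": sponsor,
              "intent": intent, "scope": sorted(requested), "exp": int(now + ttl_s)}
    body = b64(json.dumps(claims).encode())
    return f"{body}.{sign(body)}"

def read_claims(token):  # verified claims, or None when the signature does not match
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def authorize(token, needed_scope, now=None):
    """Resource-side check: signature, expiry, revocation, then scope."""
    claims = read_claims(token)
    now = time.time() if now is None else now
    if claims is None or now >= claims["exp"] or claims["jti"] in REVOKED:
        return False
    return needed_scope in claims["scope"]

def complete_task(token):
    """Task finished: revoke the grant now instead of waiting for expiry."""
    claims = read_claims(token)
    if claims:
        REVOKED.add(claims["jti"])
```

Because the sponsor is carried in the signed claims, every authorized action can be logged against the human who approved the agent.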
Emerging Controls: From Permissions to Intent
The governance playbook for AI agents is still being written, but a coherent set of controls is emerging from the organizations that have moved furthest along the maturity curve. The starting point, almost universally, is the agent registry: a centralized, real-time catalog of every agent running in the environment, with its owner, its credentials, its access scope, and its human sponsor. The registry is not just an audit artifact — it is the precondition for every downstream control, from access review to incident response to de-provisioning. You cannot govern what you cannot enumerate.
The default approach — and why it falls short
- Coarse role-based access designed for career-length engagement
- Credentials valid indefinitely unless manually rotated
- Access reviews quarterly or annually — too slow for agent lifecycles
- No concept of task-scoped or session-scoped grants
- De-provisioning requires manual action, often forgotten
- Audit trails map to agents, not to the humans who authorized them
The architecture built for how agents actually work
- Intent-based access: credentials scoped to the declared task
- Session-scoped tokens with automatic expiry on task completion
- Real-time registry: every agent enumerated with owner, scope, and sponsor
- Scoped OAuth grants, not broad API keys with org-wide access
- Human-in-the-loop gates for high-stakes or irreversible actions
- Shadow-AI detection to surface unofficial agents before they become liabilities
Beyond the registry, the controls that matter most are: scoped OAuth grants instead of broad API keys (a third-party agent should never receive credentials that grant org-wide access when it only needs to read a specific table); human-in-the-loop (HITL) authorization for consequential or irreversible actions; and a shadow-AI detection program that surfaces agents deployed outside official channels before they become a governance liability.
The HITL finding is particularly striking: 61% of US companies now mandate human-in-the-loop review for autonomous agents taking high-stakes actions, according to 2026 enterprise governance surveys. That number has climbed rapidly as early adopters encountered production incidents where agents, operating within their granted permissions, took actions that were technically authorized but operationally catastrophic. Hardware-backed HITL — multi-party approval workflows where consequential agent actions require explicit human sign-off before execution — is being piloted at large financial institutions as a control equivalent to dual-control for wire transfers. When an agent can move money, update records, or send communications at scale, the authorization model should carry the same rigor as the transactions it enables.
The shadow-AI dimension connects directly to the broader unauthorized-tool problem. If an engineer deploys a personal agent using their own credentials and their own API key, that agent operates outside any governance framework while acting on systems the engineer has legitimate access to. We examined how shadow AI tools proliferate inside enterprises despite ban policies, and the agent-identity problem is the elevated version of the same dynamic: not just unauthorized tool usage, but unauthorized agents carrying credentials and taking autonomous actions on enterprise systems with no visibility, traceability, or revocation path.
Regulatory Pressure: The EU AI Act Closes the Loop
Agent governance is moving from a best-practice recommendation to a regulatory requirement. The EU AI Act's August 2026 obligations — the tranche covering high-risk AI system documentation, traceability, and human oversight requirements — directly implicate agent registries. An organization deploying AI agents in high-risk use cases (healthcare, financial services, HR, critical infrastructure) must be able to demonstrate that it knows what agents are operating, what they have access to, and what human decision-maker is responsible for each. Without a real-time registry and a human-sponsor mapping, that demonstration is impossible.
The Act's traceability requirements make the accountability chain structural. It is not sufficient to say "we have agents running but we're managing them carefully." The regulation requires documented evidence of that management: creation records, access logs, audit trails linking agent actions to the humans who authorized the agent's deployment, and de-provisioning records when an agent is retired. Organizations that have not built this infrastructure by August 2026 face compliance exposure at exactly the moment when their agent deployments are accelerating fastest.
In practice, the EU AI Act's agentic governance requirements under the August 2026 obligations are more operationally specific than most legal and engineering teams realize, and the documentation gap between what organizations currently produce and what the regulation demands is significant. An agent registry is not optional under these rules; it is the foundational artifact every other compliance demonstration depends on.
The 92% Problem: Attestation Governance Is Dead
The defining data point for where this problem is heading comes from a 2026 survey of technology executives: 92% say managing AI agents will be the defining security skill of the next five years. That consensus is remarkable given how recently the agent-identity problem emerged as a distinct discipline. It reflects something the security industry learned the hard way from cloud adoption: when a new class of compute arrives at velocity, the governance models that worked for the previous class do not simply stretch to cover it. They break. The enterprises that learned this lesson in the cloud era spent years unwinding sprawl, reclaiming over-permissioned service accounts, and building the automation needed to govern at machine scale. Those that did not are still paying for it in audit findings and incident reports.
The traditional governance response to any new risk is attestation: have humans certify, on some periodic schedule, that the access they see in a report is correct. Quarterly access reviews. Annual role certifications. A spreadsheet sent to a manager who checks "yes, still valid" on eighty identities without looking at any of them. This model fails for human identities at scale. It fails completely for agents. An agent can be deployed, used, and become a liability in the space between two quarterly reviews. An attestation process that certifies access as "valid" because a manager did not have the context to flag it is not a control — it is a compliance checkbox that creates the illusion of governance without the substance.
"92% of tech executives say managing AI agent identities will be the defining security challenge of the next five years. The organizations that build a real registry, enforce session-scoped access, and wire in human authorization gates now will not be scrambling to reconstruct governance after an incident."
What replaces attestation is automated lifecycle management: agent registration at deployment, credential issuance through a managed vault, access scoped to declared intent, automatic token expiry tied to task completion, and revocation workflows that fire when a sponsor leaves the organization, when an agent is retired, or when an anomaly detection system flags unusual behavior. The tooling for this — purpose-built NHI vaults, agent-aware PAM systems, session-based OAuth frameworks — is available today. The gap is not technology; it is organizational will to apply it before an incident forces the issue.
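The lifecycle triggers listed above (registration at deployment, revocation when a sponsor leaves or an agent is retired, and a sweep for over-age credentials), as an added example that is not code from this article or any product it mentions. The record fields, the 24-hour credential age limit and the method names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AgentRecord:
    agent_id: str
    sponsor: str             # accountable human
    scopes: frozenset        # systems the agent may touch
    reason: str              # documented reason for existing
    credential_issued: datetime
    status: str = "active"   # "active" or "retired"
    credential_revoked: bool = False

class AgentRegistry:
    def __init__(self, max_credential_age=timedelta(hours=24)):
        self.agents, self.audit_log = {}, []
        self.max_credential_age = max_credential_age  # assumed policy value

    def register(self, rec):
        # Refuse to enrol an agent that lacks a sponsor, a scope or a reason.
        if not (rec.sponsor and rec.scopes and rec.reason):
            raise ValueError(f"{rec.agent_id}: sponsor, scopes and reason are required")
        self.agents[rec.agent_id] = rec
        self.audit_log.append(("registered", rec.agent_id, rec.sponsor))

    def _revoke(self, rec, cause):
        if rec.credential_revoked:
            return False
        rec.credential_revoked = True
        self.audit_log.append((f"revoked:{cause}", rec.agent_id, rec.sponsor))
        return True

    def sponsor_left(self, sponsor):
        """Offboarding hook: revoke every credential the departing sponsor vouched for."""
        return sorted(r.agent_id for r in self.agents.values()
                      if r.sponsor == sponsor and self._revoke(r, "sponsor-left"))

    def retire(self, agent_id):
        rec = self.agents[agent_id]
        rec.status = "retired"
        return self._revoke(rec, "retired")

    def sweep(self, now):
        """Scheduled job: revoke credentials older than the allowed age."""
        return sorted(r.agent_id for r in self.agents.values()
                      if now - r.credential_issued > self.max_credential_age
                      and self._revoke(r, "stale-credential"))
```

Each revocation lands in `audit_log` with its cause and sponsor, which is the creation and de-provisioning record a periodic attestation never produces.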
The organizations winning on agent security right now share a common posture: they treat each new agent deployment as a security event, not a developer convenience. Every agent gets a record in the registry, a named human sponsor, a defined access scope, and a documented reason for existing. The process takes minutes with the right tooling. The cost of skipping it — a credential compromise that propagates through every system the agent touched, a compliance finding that requires a forensic reconstruction of actions that were never logged, a regulatory exposure under the EU AI Act's August obligations — is measured in weeks of incident response and months of remediation. The 80:1 ratio is already here. The governance gap is a choice, not a constraint.