Agent identity governance can't keep up with adoption rates – and it’s creating a security nightmare

Enterprises are leaving high-privilege keys unchanged for months or years at a time


Non‑human and AI identities are multiplying faster than organizations can secure them, new research warns, and giving AI systems real decision-making power is leaving them wide open to security risks.

More than three-quarters (76%) of organizations surveyed for the 2026 SANS Identity Threats & Defences Survey reported growth in the use of non‑human identities (NHIs) such as service accounts, API keys, automation bots, and workload identities.

The number of identities has quietly doubled or tripled – not because firms have more employees, but because machine‑to‑machine processes now underpin core business operations.

Governance practices have failed to keep pace, however. Indeed, among the three-quarters of organizations that are already using AI agents that require credentials, 5% of security leaders don’t even know if agentic AI is running in their environment or not.

While credential rotation remains a basic defence against long-term compromise, 92% of organizations are failing to carry it out on a 90-day cycle, creating a “forever access” problem.

Meanwhile, 15% admit they don’t even know their machine credential rotation rate, and 59% rotate fewer than half of their NHI credentials quarterly.

The reason for this is often fear that changing machine credentials can break service accounts and lead to downtime, according to SANS.

This, the firm said, encourages teams to prioritize system availability over credential hygiene – leaving high-privilege keys unchanged for months or years.

Structural identity problems are growing

There's also a structural problem, according to SANS. Many organizations still rely on human‑centric processes, such as manual access reviews, ticket‑based provisioning, and periodic rotation.

Crucially, these processes don’t scale to environments with large volumes of continuously authenticating machine identities across cloud, DevOps, and SaaS systems.

While controls such as secrets vaults, automated rotation, and scoped least‑privilege access are increasingly being used, they need to be scaled to match the growth of NHIs.
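The rotation gap described above is measurable from an inventory, and the downtime fear that drives it is addressed by overlapping old and new keys rather than swapping them in one step. The following is an added example (not code from SANS or ITPro): it audits a constructed list of NHI credentials against the 90-day cycle, flags the "forever access" admin keys, and walks one service account through a rotation in which both keys stay valid until the consumer has cut over. The credential fields, the toy `KeyStore`, and all names and dates are assumptions.

```python
"""Audit NHI credential age against a 90-day rotation cycle and show an
overlap rotation that avoids an outage. Added example; inventory below is
constructed sample data, and every field name is an assumption."""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

ROTATION_WINDOW = timedelta(days=90)     # the quarterly cycle the survey asks about
FOREVER_ACCESS = timedelta(days=365)     # admin keys older than this are "forever access"
AUDIT_DATE = date(2026, 3, 1)            # fixed so the audit below is reproducible


@dataclass
class NhiCredential:
    name: str                     # constructed identity name
    kind: str                     # api_key, service_account, workload_identity
    privilege: str                # "admin" or "scoped"
    created: date
    last_rotated: Optional[date]  # None = never rotated since creation


# Constructed inventory: a mix of rotated, overdue and never-rotated credentials.
SAMPLE_INVENTORY: List[NhiCredential] = [
    NhiCredential("ci-deploy-bot", "api_key", "admin", date(2024, 1, 15), None),
    NhiCredential("payments-sa", "service_account", "admin", date(2023, 5, 1), date(2025, 12, 20)),
    NhiCredential("log-shipper", "workload_identity", "scoped", date(2025, 3, 3), date(2025, 10, 1)),
    NhiCredential("etl-runner", "api_key", "scoped", date(2025, 8, 8), date(2026, 2, 1)),
    NhiCredential("legacy-backup", "service_account", "admin", date(2022, 2, 2), date(2024, 6, 30)),
]


def credential_age(cred: NhiCredential, today: date) -> timedelta:
    """Age counts from the last rotation, or from creation if it never happened."""
    return today - (cred.last_rotated or cred.created)


def audit(inventory: List[NhiCredential], today: date) -> dict:
    """Return the rotation metrics: share rotated within 90 days, which
    credentials are overdue, and which admin keys are 'forever access'."""
    overdue = [c for c in inventory if credential_age(c, today) > ROTATION_WINDOW]
    forever = [c for c in overdue
               if c.privilege == "admin" and credential_age(c, today) > FOREVER_ACCESS]
    return {
        "total": len(inventory),
        "quarterly_rotation_rate": (len(inventory) - len(overdue)) / len(inventory),
        "overdue": [c.name for c in overdue],
        "forever_access_admin": [c.name for c in forever],
    }


class KeyStore:
    """Toy credential store (assumption) that lets an identity hold several
    valid keys at once, which is what makes overlap rotation possible."""

    def __init__(self) -> None:
        self.active: Dict[str, Set[str]] = {}

    def issue(self, identity: str) -> str:
        key = secrets.token_hex(16)
        self.active.setdefault(identity, set()).add(key)
        return key

    def revoke(self, identity: str, key: str) -> None:
        self.active.get(identity, set()).discard(key)

    def authenticate(self, identity: str, key: str) -> bool:
        return key in self.active.get(identity, set())


def rotate_with_overlap(store: KeyStore, identity: str, consumer: dict) -> bool:
    """Rotate without downtime: issue the new key while the old one stays
    valid, switch the consumer, verify it can authenticate, then revoke the
    old key. If verification fails, the new key is withdrawn and the old one
    is left in place, so the service never loses access."""
    old_key = consumer["key"]
    new_key = store.issue(identity)
    consumer["key"] = new_key
    if not store.authenticate(identity, consumer["key"]):
        consumer["key"] = old_key          # roll back: old key is still valid
        store.revoke(identity, new_key)
        return False
    store.revoke(identity, old_key)        # only now does the old key stop working
    return True


if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, AUDIT_DATE))
    store = KeyStore()
    consumer = {"key": store.issue("payments-sa")}
    print("rotated:", rotate_with_overlap(store, "payments-sa", consumer))
```

On the constructed inventory the quarterly rotation rate comes out at 40%, which is the "fewer than half" situation the survey reports, and two of the three overdue credentials are admin keys that have gone more than a year without rotation. The rotation routine is the part that removes the availability excuse: at no point is the identity left without a working key.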

Agentic AI identities are a big problem

Agentic AI is creating a perilous situation for security teams, SANS warned. Nearly three-quarters (74%) of organizations are deploying AI systems that require credentials and access permissions to operate autonomously, often interacting directly with critical infrastructure and data.

Unlike traditional NHIs, which follow fixed logic, agents interpret instructions and can take unpredictable, non-deterministic actions. This effectively grants them privileged access across environments, with the potential to escalate errors or hallucinate actions.

Despite this, no single safeguard – approvals, sandboxing, or audit trails – is used by more than 40% of organizations.

“Organizations are giving AI systems real decision‑making power faster than they’re building the governance to control it. We’ve already seen what happens when non‑human identities scale without guardrails, and agentic AI is moving even faster,” said Richard Greene, certified instructor at SANS Institute.

"The early signs of governance are encouraging – nearly four in ten organizations now use human-in-the-loop approvals for AI agent actions – but the real challenge is staying ahead of these systems as they shift from pilots to core operations."
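The three safeguards named above (approvals, sandboxing via a fixed action scope, and an audit trail) combine into a single gate in front of an agent's actions. The following is an added example, not code from SANS or the article: an agent identity carries a scoped allow-list, low-risk actions run directly, medium- and high-risk actions wait for a one-time human approval, and anything outside the agent's scope, including an action name the agent made up, is denied. Every decision is written to an audit log. The risk tiers, agent name, action names and targets are all constructed.

```python
"""Human-in-the-loop gate for agent actions: scope check, risk tier,
one-time approval, and an audit trail. Added example; the policy table,
agent and actions are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"
    DENY = "deny"


# Constructed risk tiers. Any action not listed here is treated as high risk,
# so a hallucinated action name never falls through as "low".
RISK_TIER: Dict[str, str] = {
    "read_ticket": "low",
    "post_comment": "low",
    "rotate_secret": "medium",
    "modify_iam_policy": "high",
    "delete_bucket": "high",
}


@dataclass(frozen=True)
class AgentIdentity:
    name: str
    allowed_actions: frozenset   # scoped least privilege for this agent


@dataclass
class AuditEvent:
    agent: str
    action: str
    target: str
    decision: Decision
    approver: str                # empty when no human was involved


ApprovalKey = Tuple[str, str, str]   # (agent name, action, target)


class ActionGate:
    def __init__(self) -> None:
        self.pending_approvals: Dict[ApprovalKey, str] = {}
        self.audit_log: List[AuditEvent] = []

    def approve(self, agent_name: str, action: str, target: str, approver: str) -> None:
        """A human records a one-time approval for one concrete action on one target."""
        self.pending_approvals[(agent_name, action, target)] = approver

    def evaluate(self, agent: AgentIdentity, action: str, target: str) -> Decision:
        """Decide whether the agent may perform the action right now, and log it."""
        approver = ""
        if action not in agent.allowed_actions:
            # Out of scope, whether a real privileged action or an invented one.
            decision = Decision.DENY
        elif RISK_TIER.get(action, "high") == "low":
            decision = Decision.ALLOW
        else:
            # pop() consumes the approval, so it cannot be replayed for a second run.
            approver = self.pending_approvals.pop((agent.name, action, target), "")
            decision = Decision.ALLOW if approver else Decision.NEEDS_APPROVAL
        self.audit_log.append(AuditEvent(agent.name, action, target, decision, approver))
        return decision


if __name__ == "__main__":
    gate = ActionGate()
    agent = AgentIdentity("ops-assistant",
                          frozenset({"read_ticket", "post_comment", "rotate_secret"}))
    print(gate.evaluate(agent, "read_ticket", "INC-1042"))
    print(gate.evaluate(agent, "rotate_secret", "payments-sa"))
    gate.approve("ops-assistant", "rotate_secret", "payments-sa", "alice")
    print(gate.evaluate(agent, "rotate_secret", "payments-sa"))
    print(gate.evaluate(agent, "drop_all_tables", "prod-db"))
    for event in gate.audit_log:
        print(event)
```

The ordering matters: scope is checked before risk, so an agent that has been granted only read and comment rights cannot reach the approval queue for `delete_bucket` at all, and the approval is bound to a specific target and consumed on use, which keeps a non-deterministic agent from reusing one human "yes" for a different or repeated action.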

Organizations are at least starting to cotton on to the threat, with recent research from Okta revealing that 85% now view Identity and Access Management (IAM) as important to their security posture, up from 79% last year.

More than three-quarters (78%) of respondents said that controlling access and permissions for NHIs was their main security concern.

According to Cisco's 2026 Data and Privacy Benchmark Study, virtually all organizations are expanding privacy programs and governance frameworks, with AI the main reason for 90%.


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.