Agent identity governance can't keep up with adoption rates – and it’s creating a security nightmare
Enterprises are leaving high-privilege keys unchanged for months or years at a time
Non‑human and AI identities are multiplying faster than organizations can secure them, new research warns, and giving AI systems real decision-making power is leaving them wide open to security risks.
More than three-quarters (76%) of organizations surveyed for the 2026 SANS Identity Threats & Defences Survey reported growth in the use of non‑human identities (NHIs) such as service accounts, API keys, automation bots, and workload identities.
The number of identities has quietly doubled or tripled – not because firms have more employees, but because machine‑to‑machine processes now underpin core business operations.
Governance practices have failed to keep pace, however. Indeed, among the three-quarters of organizations that are already using AI agents that require credentials, 5% of security leaders don’t even know if agentic AI is running in their environment or not.
While credential rotation remains a basic defence against long-term compromise, 92% of organizations are failing to carry it out on a 90-day cycle, creating a “forever access” problem.
Meanwhile, 15% admit they don’t even know their machine credential rotation rate, and 59% rotate fewer than half of their NHI credentials quarterly.
The reason for this is often fear that changing machine credentials can break service accounts and lead to downtime, according to SANS.
This, the firm said, encourages teams to prioritize system availability over credential hygiene – leaving high-privilege keys unchanged for months or years.
Structural identity problems are growing
There's also a structural problem, according to SANS. Many organizations still rely on human‑centric processes, such as manual access reviews, ticket‑based provisioning, and periodic rotation.
Crucially, these processes don’t scale to environments with large volumes of continuously authenticating machine identities across cloud, DevOps, and SaaS systems.
While controls such as secrets vaults, automated rotation, and scoped least‑privilege access are increasingly being used, they need to be scaled to match the growth of NHIs.
Agentic AI identities are a big problem
Agentic AI is creating a perilous situation for security teams, SANS warned. Nearly three-quarters (74%) of organizations are deploying AI systems that require credentials and access permissions to operate autonomously, often interacting directly with critical infrastructure and data.
Unlike traditional NHIs, which follow fixed logic, agents interpret instructions and can take unpredictable, non-deterministic actions. This effectively grants them privileged access across environments, with the potential to escalate errors or hallucinate actions.
Despite this, no single safeguard – approvals, sandboxing, or audit trails – is used by more than 40% of organizations.
“Organizations are giving AI systems real decision‑making power faster than they’re building the governance to control it. We’ve already seen what happens when non‑human identities scale without guardrails, and agentic AI is moving even faster,” said Richard Greene, certified instructor at SANS Institute.
"The early signs of governance are encouraging – nearly four in ten organizations now use human-in-the-loop approvals for AI agent actions – but the real challenge is staying ahead of these systems as they shift from pilots to core operations."
Organizations are at least starting to cotton on to the threat, with recent research from Okta revealing that 85% now view Identity and Access Management (IAM) as important to their security posture, up from 79% last year.
More than three-quarters (78%) of respondents said that controlling access and permissions for NHIs was their main security concern.
According to Cisco's 2026 Data and Privacy Benchmark Study, virtually all organizations are expanding privacy programs and governance frameworks, with AI the main reason for 90%.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

