Organizations are cottoning on to the importance of identity security with the arrival of AI agents, new research shows.
According to a survey from Okta, 85% now view Identity and Access Management (IAM) as important to their security posture, up from 79% last year.
Managing AI agent identity is different from managing human user identities, Okta noted.
They lack accountability, have short, dynamic lifespans requiring rapid provisioning and de-provisioning, and rely on various non-human authentication methods like API tokens and cryptographic certificates.
Similarly, they need very specific and granular permissions for limited periods and can access privileged information, while often lacking traceable ownership and consistent logging, complicating post-breach audits and remediation.
As a result, 78% of survey respondents said that controlling access and permissions for non-human identities (NHIs) was their main NHI-related security concern, with 69% similarly worried about lifecycle management, 57% about poor visibility and 53% about remediating risky NHI accounts.
“I’m most concerned about AI systems having too much access without proper controls,” said one Australian C-level executive in healthcare and pharmaceuticals.
"If not carefully managed, they can expose sensitive data or be exploited for attacks. Strong oversight and access control are essential to keep AI secure.”
However, the study found only 10% of organizations have a well-developed strategy for managing NHIs. Fewer than a third (32%) said they always treat digital labor forces with the same degree of governance as human workforces, and only 36% currently have a centralized governance model for AI.
“We are missing a roadmap and are not aligned on how we as a group should implement AI. Some of the team are working as silos, so we do not yet have a cohesive approach to adopting AI.” said one retail VP in France.
Identity security needs strict guardrails
In terms of governance, Okta recommends involving AI project leaders, including data officers, data scientists, and line-of-business leaders.
Security, including visibility, access controls through the entire lifecycle and the ability to detect and respond to threats should be deeply embedded.
Enterprises are also advised to implement a secure-by-design approach, including user authentication, API access controls, asynchronous workflows, and authorization for Retrieval Augmented Generation (RAG).
"Treat your digital labor forces with the same degree of governance as human workforces,” Okta said.
“Just as contractors, consultants, vendors, partners, and other members of your extended workforce should be subject to the same strict IAM controls as your in-house workforce, so too should the NHIs operating within your IT environment."
The report comes as new research from Silverfort finds the use of NHIs is expected to grow by 29% over the next 12-to-18 months, with 87% of organizations planning to increase their spending on workforce identity security.
Two-thirds (67%) are either very concerned or concerned about the potential for damage relating to NHIs.
"The truth is, AI agents are not machines, nor are they human. They lie somewhere in between and therefore need to be treated as their own category of identity," said the firm.
"An AI agent security solution needs to address these concerns, so every AI agent is tied to a human and has the proper policies in place to prevent (and detect) improper activity."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- How to implement identity and access management (IAM) effectively in your business
- Machine identity attacks will be top of mind for security leaders in 2025
- Palo Alto Networks eyes identity security gains with huge CyberArk acquisition
-
Microsoft says these 10 jobs are at highest risk of being upended by AINews Microsoft thinks AI is going to destroy jobs across a range of industries – while experts aren't fully convinced, maybe it's time to start preparing.
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
Average ransom payment doubles in a single quarter
News Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
MSPs beware – these two ransomware groups are ramping up attacks and have claimed hundreds of victimsNews The Akira and Lynx ransomware groups are focusing on small businesses and MSPs using stolen or purchased admin credentials
-
The UK’s ‘chronic shortage of cyber professionals’ is putting the country at riskNews While high-profile attacks grab headlines, a security researcher warns the UK's "chronic shortage of cyber professionals" is left unaddressed by government, industry, and academia.
-
Credential theft has surged 160% in 2025News AI-powered phishing and the growth of Malware as a Service means hackers are compromising more accounts than ever
-
US federal judiciary agency hit by 'escalated cyber attacks' which exposed highly sensitive dataNews The agency says it plans to step up cybersecurity capabilities in the wake of the incident
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
Millions of Dell laptops are are at risk thanks to a Broadcom chip vulnerability – and more than 100 device models are impactedNews Widely used in high-security environments, the PCs are vulnerable to attacks allowing the theft of sensitive data
