By NHI Mgmt Group Editorial Team
Published 2026-01-14
Domain: Agentic AI & NHIs
Source: CyberArk

TL;DR: Project Iceberg estimates current AI can perform work equivalent to 11.7% of U.S. wage value, or about $1.2 trillion across 923 occupations, while 40% of financial and software companies have already deployed agentic AI systems, according to CyberArk. The governance gap is now about identity, privilege, and oversight for autonomous software, not future intelligence thresholds.


At a glance

What this is: This analysis argues that agentic AI, not AGI, is the nearer-term force changing work, security, and identity governance.

Why it matters: IAM and NHI teams need to treat AI agents as governed identities with privileges, oversight, and lifecycle controls before they scale beyond policy.



Context

Agentic AI changes the governance problem because it can plan, act, and complete multi-step tasks with limited human prompting. For IAM and NHI practitioners, that means the control question is no longer whether AI can assist work, but which autonomous systems are being granted execution authority, data access, and policy-bounded privileges.

CyberArk uses Project Iceberg and AI 2027 to argue that this shift is already underway, not a distant theoretical step. The context for security leaders is straightforward: as AI agents take on work, identity, access, and oversight models must adapt to software that behaves like an operational actor rather than a passive tool.

The starting position described here is typical of many enterprises: experimentation has moved ahead of governance. That mismatch is now visible in security operations, workflow automation, and decision support, where agentic systems are being introduced faster than identity controls are being redesigned.


Key questions

Q: How should security teams govern AI agents that can take actions on their own?

A: Treat every AI agent as a non-human identity with an owner, a bounded purpose, and revocable privileges. Require task-scoped access, logging, and explicit approval for high-risk actions. Governance should cover onboarding, monitoring, rotation, and offboarding, because autonomous systems create access risk throughout their lifecycle, not only at deployment.

Q: Why do AI agents complicate zero trust architecture?

A: AI agents complicate zero trust because they can make repeated, context-driven requests while carrying credentials across systems. Zero trust still applies, but the trust boundary shifts from device-only checks to continuous verification of identity, privilege, and action intent. Teams need policy gates for each step an agent takes, not just one login event.

Q: What is the difference between agentic AI governance and traditional automation governance?

A: Traditional automation governance assumes a fixed script with predictable inputs and outputs. Agentic AI governance must control a system that can plan, adapt, and choose different execution paths. That means identity scoping, approval rules, and audit trails matter more, because the same agent may behave differently across similar tasks.

Q: When does AI agent use create more risk than it reduces?

A: Risk rises when the agent can reach multiple systems, hold standing credentials, or take irreversible actions without human review. If the control model cannot answer who owns the agent, what it can touch, and how it is retired, the organization has introduced automation faster than it has introduced governance.


Technical breakdown

Why agentic AI creates a new identity and privilege model

Agentic AI differs from ordinary automation because it can plan a sequence of actions, invoke tools, and adapt its next step based on prior output. That makes it closer to a delegated actor than a static application. From an IAM and NHI perspective, the key issue is that an agent often needs credentials, scoped permissions, and auditability to operate, yet its behavior may vary by context. Traditional app trust models assume a known code path, while agentic systems can branch, retry, or chain actions. That expands the attack surface around tool access, prompt manipulation, and overbroad delegation.

Practical implication: Practitioners should classify every agent as a governed non-human identity with explicit scope, logging, and revocation controls.

How agentic workflows change security operations and containment

The article points to agents ingesting identity, cloud, endpoint, and threat intelligence signals, then taking predefined containment actions. Technically, that means agentic AI is being inserted into decision loops that were once reserved for human analysts. This creates a control problem around policy thresholds, action authorization, and exception handling. If an agent can triage, correlate, and trigger response steps, then the organization must define where automation stops and human approval begins. Otherwise, the environment risks accelerating both response and error at machine speed.

Practical implication: Security teams need explicit action gates for any containment step that touches credentials, access changes, or customer-facing systems.

Why governance must follow the lifecycle of autonomous systems

The article frames governance as an ongoing requirement, which is the right model. Agentic systems have a lifecycle: provisioning, configuration, privilege assignment, monitoring, change control, and retirement. Each stage can fail differently. A mis-scoped onboarding decision can create standing access. A stale integration can retain tokens after the workflow changes. A missing offboarding step can leave a dormant agent with active authority. That is why identity governance for agents must be continuous rather than project-based, and why access reviews need to include machine identities alongside human ones.

Practical implication: Teams should extend lifecycle governance to agents the same way they already do for service accounts and other NHI classes.
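The three practical implications above (a governed identity per agent, action gates on containment steps, and retirement as part of the lifecycle) can be enforced at a single decision point that is evaluated for every step an agent takes. The sketch below is an added example, not code from CyberArk or NHI Mgmt Group; the agent names, action names and registry layout are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Action classes that need a human approver; the names are hypothetical.
HIGH_RISK = {"credential.rotate", "access.revoke", "host.isolate"}

@dataclass
class AgentRecord:
    owner: str            # accountable human or team
    purpose: str
    scopes: frozenset     # actions granted for the current task only
    expires_at: datetime  # end of the task window
    retired: bool = False

def authorize(registry, agent_id, action, now, approved_by=None):
    """Decide one agent step; anything not explicitly allowed is denied."""
    rec = registry.get(agent_id)
    if rec is None:
        return "deny", "agent not in registry"
    if rec.retired:
        return "deny", "agent retired"
    if now >= rec.expires_at:
        return "deny", "task window expired"
    if action not in rec.scopes:
        return "deny", "action outside task scope"
    if action in HIGH_RISK and approved_by is None:
        return "pending", "human approval required"
    return "allow", "in scope"

def gate(registry, audit, agent_id, action, now, approved_by=None):
    """Run the check and record every decision, including denials."""
    decision, reason = authorize(registry, agent_id, action, now, approved_by)
    audit.append({"ts": now.isoformat(), "agent": agent_id, "action": action,
                  "decision": decision, "reason": reason, "approved_by": approved_by})
    return decision

# Constructed sample registry; every value here is illustrative.
NOW = datetime(2026, 1, 14, 12, 0, tzinfo=timezone.utc)
REGISTRY = {
    "soc-triage-agent": AgentRecord("secops-oncall", "alert triage",
        frozenset({"alert.read", "host.isolate"}), NOW + timedelta(minutes=30)),
    "old-export-bot": AgentRecord("data-eng", "nightly export",
        frozenset({"alert.read"}), NOW + timedelta(days=1), retired=True),
}

if __name__ == "__main__":
    log = []
    for agent, action in [("soc-triage-agent", "host.isolate"), ("old-export-bot", "alert.read")]:
        print(agent, action, gate(REGISTRY, log, agent, action, NOW))
```

The scope check runs before the approval check, so an approval can never widen what an agent was granted for the task.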


Threat narrative

Attacker objective: Hijack or abuse an autonomous agent so that it executes privileged actions at machine speed.

  1. Entry via an AI agent or workflow that receives broad tool access without sufficient identity scoping.
  2. Escalation when the agent inherits permissions across identity, cloud, and endpoint systems and can chain actions across them.
  3. Impact when autonomous actions trigger containment, data movement, or workflow changes faster than human oversight can intervene.



NHI Mgmt Group analysis

Agentic AI is becoming an identity governance problem before it becomes a labour economics problem. The article is right to focus on autonomy rather than abstract intelligence thresholds. For security teams, the immediate issue is not whether AI can think like a person, but whether it can act with enough authority to create material business risk. That makes identity, privilege, and auditability the decisive controls, not model size or benchmark scores. The practitioner conclusion is to govern agentic systems as operational identities now.

Ephemeral capability does not remove trust debt. An agent that can assemble actions on demand still carries persistent risk if its permissions, tokens, and tool access outlive the task. That creates a trust debt problem in NHI programs: the environment looks dynamic, but the underlying access can remain sticky. The article implicitly shows why speed of execution is not the same as safe delegation. Practitioners should treat every autonomous workflow as a lifecycle-managed identity with explicit retirement.

Identity blast radius is the right metric for agentic AI risk. When agents can touch multiple systems, a single compromise can propagate across data, cloud, and response tooling. That is a broader control issue than simple misuse of one credential because the agent becomes a bridge between domains. The article points toward the need for narrower scopes, stronger approval gates, and better runtime visibility. The practitioner conclusion is to measure how far one agent can move, not just whether it can log in.

Workforce transformation and security transformation are converging on the same control plane. The article treats work redesign and security governance as linked, which is the correct framing. If humans move toward judgment and orchestration while agents handle execution, then access policy must reflect that split. The field needs models that distinguish human intent from machine action without assuming one can safely substitute for the other. Practitioners should redesign governance around shared human-agent workflows, not isolated automation projects.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • For a broader control baseline, Top 10 NHI Issues shows where NHI programs most often fail before agentic workloads are added.

What this signals

Ephemeral automation still creates persistent governance pressure. Even when an agent only runs for a short task window, its permissions, data paths, and approval hooks can outlive the action itself. That is why agent governance should be built into the same operating model used for service accounts and other machine identities, with continuous review rather than one-time approval.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the control gap is already structural. Agentic AI increases the number of places where those credentials can be copied, passed, or reused, so teams should tighten secret distribution before they expand autonomous workflows.

Identity blast radius: the practical measure of how far a compromised agent can move across systems and data. If an autonomous workflow can touch cloud, identity, and response tooling from a single set of credentials, the program needs narrower scopes and stronger step-up controls. That is where NIST SP 800-207 Zero Trust Architecture becomes operationally relevant for machine access decisions.


For practitioners

  • Define agent identities explicitly: Create a registry for every AI agent, workflow bot, and autonomous integration with named owner, purpose, and revoked-by-default access boundaries.
  • Scope privileges to task windows: Use just-in-time access and short-lived tokens so agents receive only the permissions needed for the current task window.
  • Gate high-risk actions behind approval: Require human approval for credential changes, privilege escalation, destructive operations, and cross-domain data movement initiated by agents.
  • Add lifecycle controls to every agent: Review agent onboarding, rotation, monitoring, and offboarding together so dormant automations do not retain live access after workflows change.
  • Measure identity blast radius: Map which systems each agent can reach, then reduce cross-system reach before expanding agent use into production workflows.
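One way to carry out the blast radius mapping in the last item, as an added example that is not from CyberArk or NHI Mgmt Group. It goes one step beyond direct reach by also following credentials stored on the systems an agent can reach, which is an assumption about how the inventory is modelled; all agent, credential and system names are constructed.

```python
from collections import deque

# Constructed inventory: credentials each agent holds, systems each credential
# opens, and further credentials stored on a system outside a secrets manager.
AGENT_CREDS = {
    "soc-triage-agent": ["tok-siem-read"],
    "deploy-agent": ["tok-ci"],
}
CRED_GRANTS = {
    "tok-siem-read": ["siem"],
    "tok-ci": ["ci-runner"],
    "key-cloud-admin": ["cloud-prod", "object-store"],
    "svc-idp-sync": ["idp"],
}
SYSTEM_SECRETS = {"ci-runner": ["key-cloud-admin", "svc-idp-sync"]}
DOMAIN = {"siem": "response", "ci-runner": "build", "cloud-prod": "cloud",
          "object-store": "cloud", "idp": "identity"}

def blast_radius(agent_id):
    """Systems reachable from an agent, following credentials found on the way."""
    seen_creds, systems = set(), set()
    queue = deque(AGENT_CREDS.get(agent_id, []))
    while queue:
        cred = queue.popleft()
        if cred in seen_creds:
            continue
        seen_creds.add(cred)
        for system in CRED_GRANTS.get(cred, []):
            if system not in systems:
                systems.add(system)
                # Secrets left on this system extend the agent's reach.
                queue.extend(SYSTEM_SECRETS.get(system, []))
    return systems

def domains_crossed(agent_id):
    """Security domains (cloud, identity, ...) inside the agent's reach."""
    return {DOMAIN[s] for s in blast_radius(agent_id)}

def rank_agents():
    """Agents ordered by domains crossed, then systems reached, widest first."""
    return sorted(AGENT_CREDS, reverse=True,
                  key=lambda a: (len(domains_crossed(a)), len(blast_radius(a))))

if __name__ == "__main__":
    for agent in rank_agents():
        print(agent, sorted(blast_radius(agent)), sorted(domains_crossed(agent)))
```

In this sample the deploy agent holds one token yet reaches three domains, because the CI runner it can access stores two further credentials.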

Key takeaways

  • Agentic AI changes the security problem from model capability to delegated authority.
  • The immediate risk is not hypothetical future intelligence, but present-day identity, privilege, and lifecycle gaps.
  • Practitioners should govern AI agents as non-human identities with task-scoped access and explicit retirement paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-01 | Agent identity and tool access are central to agentic AI risk. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and lifecycle control apply directly to autonomous systems. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification is needed when software acts with delegated authority. |

Rotate agent secrets aggressively and retire unused identities before workflows change.


Key terms

  • Agentic AI: Agentic AI is software that can plan, decide, and execute multi-step tasks with limited human prompting. In security terms, it behaves less like a static application and more like a delegated actor, which means it needs identity, privilege, monitoring, and revocation controls across its full lifecycle.
  • Identity Blast Radius: Identity blast radius is the amount of access and system reach a single identity can exercise if it is compromised or misused. For non-human identities, it measures how far a service account, token, or agent can move across cloud, data, and operational systems before controls stop it.
  • Task-scoped Access: Task-scoped access is permission granted only for the current job, then removed when the job ends. It is a practical just-in-time pattern for non-human identities and AI agents, reducing standing privilege and limiting the value of stolen credentials or overly broad automation.
  • Non-Human Identity: A non-human identity is any machine, workload, service account, token, certificate, bot, or AI agent that authenticates to systems and can be granted access. In governance programs, NHIs require ownership, lifecycle management, privilege control, and monitoring just like human identities, often with greater urgency because they scale faster.


This post draws on content published by CyberArk: Beneath the AI iceberg, the forces reshaping work and security. Read the original.
