By NHI Mgmt Group Editorial Team | Published 2025-09-02 | Domain: Agentic AI & NHIs | Source: JumpCloud

TL;DR: AI adoption reached 99.6% among surveyed companies, up from 86.8%, while 68% report using AI for helpdesk and chatbots and 67% for security threat detection, according to JumpCloud’s Q3 IT Trends 2025 report. The governance problem is no longer adoption itself, but how AI is embedded into identity, access, and operational controls without expanding risk.


At a glance

What this is: JumpCloud’s Q3 IT Trends 2025 report says AI adoption is now near-universal, with strong use in support and security workflows.

Why it matters: For IAM teams, the report is a warning that AI is becoming a routine identity and access dependency faster than governance models are adapting.



Context

AI adoption is now a governance problem as much as a technology trend. When nearly every organisation is deploying AI, the question for identity teams is no longer whether AI exists in the environment, but which identities, permissions, and workflows it now touches.

For IAM, NHI, and lifecycle teams, the practical issue is that AI is increasingly embedded in support, security, and analytics workflows that depend on access to data and systems. That makes entitlement scope, review cadence, and approval boundaries central controls rather than after-the-fact checks.


Key questions

Q: How should security teams govern AI workflows that depend on service accounts and API keys?

A: Security teams should treat each AI workflow as a governed access path, not just an application feature. Document the identities it uses, the systems it can reach, and the owner responsible for approval, rotation, and offboarding. If the workflow has no lifecycle owner, it is already outside effective governance.

Q: Why do AI deployments increase NHI governance pressure?

A: AI deployments increase NHI governance pressure because every integration typically introduces credentials, delegated access, and trust relationships that outlive the initial use case. Without lifecycle controls, those identities accumulate into hidden standing privilege, which is harder to review than the AI feature itself.

Q: How can organisations tell whether AI is creating access risk?

A: Organisations should look for AI systems that can reach production data, security tools, or administrative workflows through persistent credentials. A growing count of service accounts, unclear ownership, or missing rotation evidence usually means the AI programme is expanding identity risk faster than it is controlling it.

Q: What should IAM teams do when AI moves into operational decision-making?

A: IAM teams should classify AI-enabled decision paths as privileged workflows and require auditability, ownership, and review triggers before production use. If AI recommendations can affect access, containment, or service operations, the identity programme must govern the permissions behind those actions, not just the interface.


Technical breakdown

AI access patterns and identity scope

AI tools rarely operate in isolation. In enterprise environments they are often connected to ticketing systems, security telemetry, chat workflows, and internal data sources, which means their value depends on delegated access. That access may be human-granted, service-account-based, or embedded in platform integrations, but in each case it expands the identity surface. The governance challenge is not merely usage volume. It is the fact that AI-driven workflows can move across systems faster than traditional entitlement review cycles were designed to track.

Practical implication: map every AI workflow to the identities and permissions it depends on, then review those entitlements as you would any other production access path.

Security threat detection and AI-enabled control loops

Using AI for threat detection changes the control loop, not just the interface. AI can reduce alert fatigue, correlate signals faster, and prioritise investigations, but it also becomes part of the decision chain that influences access containment and incident response. That means the quality of the underlying data, the permissions feeding the model, and the trust placed in model output all matter. If AI recommendations are acting on privileged security workflows, the model is effectively influencing identity and control decisions at scale.

Practical implication: separate AI-assisted detection from automated enforcement until you can prove the data, permissions, and escalation path are tightly governed.

Why AI adoption raises NHI governance pressure

As organisations embed AI into business workflows, the associated machine identities, API keys, service accounts, and tokens become part of the core operating model. This is where NHI governance becomes inseparable from AI strategy. Every new AI integration usually introduces another credential, another trust relationship, and another potential failure in offboarding or rotation. The more broadly AI is adopted, the more likely it is that identity sprawl, not model quality, becomes the hidden constraint.

Practical implication: treat AI rollout plans as NHI expansion plans and require lifecycle ownership before production use.


NHI Mgmt Group analysis

AI adoption at 99.6% means identity governance is now a baseline control issue. When AI is present in almost every surveyed organisation, the relevant question shifts from experimentation to control coverage. IAM and NHI programmes have to assume AI is already inside operational workflows, which makes entitlement review, secret handling, and approval boundaries part of standard governance. The practitioner conclusion is simple: AI can no longer be treated as an adjacent innovation track.

Helpdesk and security use cases show that AI is entering decision-bearing workflows, not just productivity tasks. A chatbot is not just an interface if it can reach customer records, internal knowledge, or incident tooling. Once AI helps prioritize threats or service requests, it influences operational decisions that previously sat with humans or tightly controlled systems. The practitioner conclusion is that access scope and auditability matter more than adoption volume.

NHI sprawl is the hidden cost of AI operationalisation. Every integration that lets AI touch data or systems usually introduces machine identities, tokens, and service accounts that must be owned, scoped, and retired. This is where governance debt accumulates, because the business sees a feature while the identity programme inherits a growing set of standing trusts. The practitioner conclusion is that AI strategy and NHI lifecycle management now need a shared operating model.

AI governance cannot succeed if identity teams stay downstream of deployment decisions. The report’s adoption numbers indicate that business pressure is already pushing AI into core workflows. That means identity, security, and infrastructure teams need to define approval patterns, ownership, and review triggers before the platform expands further. The practitioner conclusion is that AI governance must be designed into the rollout path, not appended after the fact.

From our research:

  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • The 2026 Infrastructure Identity Survey shows that 70% of organisations grant AI systems more access than they would give a human employee doing the same job.

What this signals

Identity teams should expect AI adoption to outpace policy design unless governance is forced into the rollout model. The report’s near-universal adoption figure shows that the control problem is no longer theoretical. For practitioners, the useful signal is not volume of AI use but whether each use case has named identity ownership, review triggers, and an offboarding path tied to the credential layer.

NHI sprawl is becoming the default by-product of AI enablement. As AI is embedded into support, analytics, and security workflows, the organisation is not just buying a capability. It is creating new machine identities and trust relationships that need lifecycle management from day one. Teams that do not track those dependencies will inherit unmanaged access by design.

With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, the governance gap is structural, not cosmetic. That pattern tells security leaders that AI privilege is being set by convenience rather than by risk. The practical response is to re-baseline entitlement decisions around task scope, not around the novelty of the technology.


For practitioners

  • Map AI workflows to identity dependencies: Inventory every AI-enabled workflow, then identify the human users, service accounts, API keys, and tokens that make it function. Record which data sources and systems each workflow can reach, and assign a named owner for approval, review, and retirement.
  • Require lifecycle ownership for AI-connected credentials: Tie every AI integration to an explicit joiner, mover, leaver process for its associated credentials. Define who rotates secrets, who approves privilege changes, and who removes access when the workflow is retired or repurposed.
  • Separate AI assistance from automatic enforcement: Allow AI to assist with prioritisation or correlation before it can drive enforcement actions. Keep human approval in the loop for access changes, containment actions, and privileged operational steps until audit evidence proves the workflow is reliable.
  • Review AI security use cases as privileged workflows: Treat AI used for threat detection as part of the security control plane, not a passive dashboard. Validate the inputs it reads, the outputs it can trigger, and the downstream systems it can influence before extending its scope.
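The four checks above can be run mechanically over a credential inventory. The following is an added example, not code from JumpCloud or NHI Mgmt Group; the inventory schema, the sensitivity tags, the finding names, and the 90-day rotation threshold are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory; the schema and every value are assumptions.
INVENTORY = [
    {"workflow": "helpdesk-chatbot", "identity": "svc-chatbot", "type": "service_account",
     "owner": "it-support", "reaches": ["ticketing", "knowledge-base"],
     "last_rotated": date(2025, 8, 1), "enforces": False, "human_approval": True},
    {"workflow": "threat-triage", "identity": "key-siem-reader", "type": "api_key",
     "owner": None, "reaches": ["siem", "production-db"],
     "last_rotated": None, "enforces": True, "human_approval": False},
    {"workflow": "analytics-summaries", "identity": "tok-warehouse", "type": "token",
     "owner": "data-eng", "reaches": ["production-db"],
     "last_rotated": date(2025, 2, 10), "enforces": False, "human_approval": True},
]

SENSITIVE = {"production-db", "siem", "iam-admin"}  # assumed sensitivity tags
MAX_AGE_DAYS = 90  # assumed rotation policy, not a figure from the report


def review(entry, today):
    """Return the list of governance findings for one AI-connected credential."""
    findings = []
    if not entry["owner"]:
        findings.append("no-lifecycle-owner")
    rotated = entry["last_rotated"]
    if rotated is None:
        findings.append("no-rotation-evidence")
    elif (today - rotated).days > MAX_AGE_DAYS:
        findings.append("rotation-overdue")
    if SENSITIVE & set(entry["reaches"]):
        findings.append("privileged-workflow")
    if entry["enforces"] and not entry["human_approval"]:
        findings.append("enforcement-without-approval")
    return findings


def audit(inventory, today):
    """Map each identity to its findings, omitting entries with none."""
    report = {e["identity"]: review(e, today) for e in inventory}
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for identity, findings in audit(INVENTORY, date(2025, 9, 2)).items():
        print(identity, findings)
```

In practice the inventory would be exported from the identity provider or secrets manager rather than written by hand, and each finding would be routed to the named owner or, where none exists, to the team approving the AI rollout.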

Key takeaways

  • AI adoption has become so widespread that identity governance now matters more than adoption metrics.
  • The main risk is not AI usage itself but the credentials, privileges, and trust chains attached to it.
  • IAM, NHI, and security teams need shared ownership of AI-enabled workflows before they become permanent access paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | AI integrations add credentials that need rotation and lifecycle control.
NIST CSF 2.0 | PR.AC-4 | AI workflows expand access paths that must stay least privilege.
NIST Zero Trust (SP 800-207) | AC-4 | AI tools reaching multiple systems should be governed as zero-trust access paths.

Treat each AI integration as a distinct trust zone and verify access at every connection point.


Key terms

  • AI-enabled workflow: A business process that uses AI to assist or perform a task inside an operational system. In identity terms, it matters because the workflow often relies on delegated access, shared data sources, and machine credentials that must be owned, reviewed, and retired like any other production access path.
  • Machine identity: A non-human identity used by software, services, or integrations to authenticate and access systems. It includes service accounts, tokens, API keys, and certificates. For AI programmes, machine identity is the control layer that determines what the AI can reach, change, or expose.
  • Identity governance: The discipline of deciding who or what should have access, who approves it, and how that access is reviewed over time. For AI deployments, it extends beyond users to machine identities, workflow permissions, and offboarding obligations that can otherwise remain hidden.
  • Privileged workflow: A workflow that can influence sensitive systems, data, or operational outcomes. In an AI context, it is privileged not because the model is clever, but because its outputs or integrations can trigger actions that affect access, security, or infrastructure state.

Deepen your knowledge

NHI governance, agentic AI identity, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy, it is a practical place to build shared baseline understanding.

This post draws on content published by JumpCloud: Q3 IT Trends 2025 report on AI adoption.
