TL;DR: AI agents are in production at 72% of organisations, yet 92% say they cannot scale them safely and 66% grant them equal or greater access than human employees, according to JumpCloud’s Agentic IAM Pulse Report. The core problem is not adoption, but governance designed for static identities being applied to actors that can act without consistent human oversight.
At a glance
What this is: JumpCloud’s research finds AI agents moving into production faster than governance, with broad access, weak oversight, and limited accountability.
Why it matters: IAM, PAM, and lifecycle teams now have to govern agent identities that can outgrow human-style approval, recertification, and supervision models.
By the numbers:
- 72% of organizations have AI agents in use, but 92% report serious limits in safely scaling their deployments.
- 66% of organizations grant AI agents equal or greater system access than human employees.
- 55% of organizations lack a centralized kill switch to cut AI agent access across all systems.
Context
AI agent governance is the practice of controlling what autonomous software can access, what it can do, and who is accountable when it acts. JumpCloud’s findings show the gap is no longer theoretical: agents are already entering business-critical workflows faster than most identity programmes can define controls for them.
The primary issue for IAM teams is that agent access is being treated like a static entitlement problem when it is really a lifecycle and accountability problem. Once agents reach production with broad access and weak supervision, the same review, approval, and emergency-response models used for human identities stop fitting the operating reality.
Key questions
Q: What breaks when AI agents are granted production access without strong governance?
A: The main failure is that agent privilege grows faster than oversight. When production agents can act across business systems with limited review, organisations lose control over blast radius, accountability, and rapid containment. The result is not just higher risk, but weaker ability to explain, interrupt, or reverse what the agent has already done.
Q: Why do AI agents complicate IAM and PAM programmes?
A: AI agents complicate IAM and PAM because they do not fit a purely human access model and often outpace service-account assumptions. They can require broader runtime permissions than a typical workload, yet still need tighter governance than a normal automation account. That creates a mismatch between entitlement design and operational oversight.
Q: How do security teams know if AI agent governance is actually working?
A: Look for evidence that every production agent has a named owner, a narrow access scope, logged approvals for high-risk actions, and a working revocation path across systems. If any of those are missing, the programme is still relying on trust rather than enforceable control.
Q: Who should be accountable when an AI agent causes a security or business incident?
A: Accountability should sit with a named owner outside the agent itself, usually a security or business leader with authority to approve scope and contain misuse. If the organisation defaults to IT alone, governance becomes operationally vague and incident response slows because no one owns the decision to restrict or stop the agent.
Technical breakdown
Agentic IAM and the access paradox
Agentic IAM extends identity control to AI agents that can act across systems, often with broader scope than traditional service accounts. The access paradox appears when organisations grant agents equal or greater access than humans while still expecting human-style supervision. That creates a mismatch between privilege and oversight, especially in business-critical workflows where agents can trigger downstream actions faster than review processes can respond. In practice, the access decision becomes a governance decision about blast radius, not just enablement.
Practical implication: define agent access tiers by task criticality and enforce narrower scopes for production actions than for testing.
Human-in-the-loop approvals and supervision collapse at scale
Human-in-the-loop approval is a useful control in pilot environments, but it loses effectiveness when agents are deployed broadly and asked to operate continuously. The report shows approvals falling from 48% in testing to 29% in key business deployments, with 24% of organisations allowing high-risk actions without human supervision. That pattern matters because approval gates are only meaningful if they are consistently applied, logged, and enforced before the action completes. Once supervision thins out, the control becomes ceremonial rather than preventive.
Practical implication: restrict unsupervised agent actions to low-risk use cases and require pre-authorised approval paths for high-impact steps.
Identity explosion and the kill switch problem
When organisations manage more non-human identities than human employees, manual governance no longer scales. The identity explosion cited in the report means agents, tokens, and workload identities are multiplying inside the same access environment, but many teams still lack a single control point to disable them quickly. A centralized kill switch is not just an incident-response feature. It is the operational proof that the organisation can revoke trust across systems when an agent misbehaves, changes scope, or becomes compromised.
Practical implication: build one revocation path that can cut agent access across apps, APIs, and infrastructure without waiting for system-by-system remediation.
Threat narrative
Attacker objective: The objective is to exploit over-privileged, under-governed agents to reach sensitive systems and execute actions that the organisation cannot quickly contain or attribute.
- Entry occurs when AI agents are placed into production with access equal to or greater than human employees, giving them legitimate starting privileges across business systems.
- Escalation happens as supervision weakens, with high-risk actions allowed without human oversight and accountability spread unevenly across IT and business teams.
- Impact follows when organisations cannot rapidly cut access or contain agent behaviour, allowing sensitive workflows, data exposure, and unauthorised actions to continue at scale.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent governance is now an access paradox, not a tooling gap: the report shows organisations are granting agents equal or greater access than human employees while supervision declines in production. That combination means the control problem is no longer just provisioning. It is whether the enterprise can justify broad machine access without equivalent accountability. Practitioners should treat agent privilege as a blast-radius decision, not an automation convenience.
Standing oversight assumptions are collapsing in production deployments: human-in-the-loop review was designed for bounded, reviewable work. Once agents are moved into financial reporting and HR provisioning, the approval model becomes too slow and too inconsistent to be the primary safeguard. The implication is that governance programmes must stop assuming human-paced review can remain the main control for machine-paced execution.
Identity explosion is creating a first-class governance workload that human IAM models cannot absorb: when 53% of organisations manage more non-human identities than human employees, the administrative model itself changes. Manual recertification, fragmented ownership, and IT-only accountability leave too much unresolved trust in circulation. Practitioners need to recognise agent identities as a permanent governance class, not a side effect of automation.
Zero standing privilege for agents is becoming a category requirement: if 55% of organisations lack a centralized kill switch, they do not have a credible emergency containment model for agent behaviour. The field is moving toward a point where rapid revocation, scope control, and attributable ownership are baseline expectations for production agents. Teams that cannot revoke agent access across systems should assume their governance maturity is still pre-production.
Runtime governance gap: the central failure mode is not that AI agents exist, but that organisations are trying to govern runtime behaviour with identity assumptions built for static access. That assumption breaks when access changes dynamically through agent execution paths, not at provisioning time. Practitioners should rethink whether their identity model can still describe who did what, when the actor can act continuously inside a session.
From our research:
- 92% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications.
- For the governance baseline behind this problem, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the access lifecycle controls that production agents now force into scope.
What this signals
Runtime governance gap: AI agent deployments are exposing a structural mismatch between business acceleration and identity programme design. With 72% of organisations already running agents in production and 66% granting them equal or greater access than human employees, teams should expect more pressure on access review, emergency revocation, and accountability mapping than traditional IAM processes were built to absorb.
The programme signal is clear: production agents cannot be managed as an extension of human identity controls. IAM, PAM, and lifecycle teams need one model for ownership, one model for approval, and one model for termination that spans apps, APIs, and infrastructure, or the control plane will remain fragmented.
For teams building the next layer of policy, this is the moment to connect agent governance to broader identity standards such as the NIST AI Risk Management Framework and the OWASP Top 10 for Agentic Applications 2026. Those frameworks help translate agent behaviour into governable risk, but the operating model still has to be enforced inside identity and access controls.
For practitioners
- Separate testing controls from production controls: Require stricter approval, scope, and logging requirements once an agent moves from sandbox use into financial, HR, or other business-critical workflows. Testing patterns should not auto-qualify for production access.
- Assign a single accountable owner for each agent: Map every production agent to one named security or business owner who can approve access, review behaviour, and accept remediation responsibility. Do not leave accountability diffuse across IT alone.
- Implement a centralized revocation path: Build one control that can disable agent credentials, API tokens, and downstream access across systems without relying on separate manual steps in each platform.
- Limit unsupervised high-risk actions: Reserve zero-supervision execution only for low-impact tasks and require explicit human approval before any agent can change records, move funds, or touch sensitive data.
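The four practitioner controls above, modelled as a single in-memory policy decision point. This is an added example, not code from JumpCloud or NHI Mgmt Group; the class, method, and action names are hypothetical, and it assumes every agent call is routed through `decide()` before it reaches an app, API, or infrastructure target.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed action names for the page's "change records, move funds, touch sensitive data".
HIGH_RISK = {"change_record", "move_funds", "read_sensitive"}

@dataclass
class Agent:
    agent_id: str
    env: str                      # "test" or "prod"
    scopes: frozenset             # actions this agent may attempt
    owner: Optional[str] = None   # single accountable owner

@dataclass
class Gate:
    agents: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)    # central kill-switch state
    approvals: set = field(default_factory=set)  # pending single-use human approvals
    audit: list = field(default_factory=list)    # append-only decision log

    def register(self, agent):
        if agent.env == "prod" and not agent.owner:
            raise ValueError("production agent requires a named owner")
        self.agents[agent.agent_id] = agent

    def promote(self, agent_id, owner, prod_scopes):
        # Test scopes are not inherited: production scopes are granted explicitly.
        self.register(Agent(agent_id, "prod", frozenset(prod_scopes), owner))

    def approve(self, approver, agent_id, action, request_id):
        self.approvals.add((agent_id, action, request_id))
        self.audit.append(("approve", approver, agent_id, action, request_id))

    def kill(self, agent_id, by):
        # One switch consulted by every decision, whatever system the call targets.
        self.revoked.add(agent_id)
        self.audit.append(("kill", by, agent_id))

    def decide(self, agent_id, action, request_id):
        agent, key = self.agents.get(agent_id), (agent_id, action, request_id)
        if agent is None or agent_id in self.revoked:
            verdict = "deny:revoked_or_unknown"
        elif action not in agent.scopes:
            verdict = "deny:out_of_scope"
        elif action in HIGH_RISK and key not in self.approvals:
            verdict = "deny:needs_human_approval"
        else:
            self.approvals.discard(key)  # an approval covers exactly one request
            verdict = "allow"
        self.audit.append(("decide", agent_id, action, request_id, verdict))
        return verdict
```

Binding each approval to one request ID keeps a single sign-off from silently covering repeated high-risk actions, and the audit list records who approved or revoked what.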
Key takeaways
- AI agents are moving into production faster than identity governance is adapting, which turns access design into the primary control problem.
- The scale is already visible in the data, with most organisations reporting limited ability to govern agents safely and many granting them more access than human employees.
- The practical response is to tighten ownership, supervision, and revocation so agent identity can be controlled at runtime, not just provisioned on paper.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent access and supervision gaps map to runtime agent-risk controls. |
| NIST AI RMF | | AI governance is needed for accountability, oversight, and lifecycle controls. |
| NIST CSF 2.0 | PR.AC-4 | Agent access must be governed through least privilege and access review. |
Constrain agent actions to least-privilege scopes and require explicit approval for high-risk operations.
Key terms
- Agentic IAM: Agentic IAM is the governance model for controlling AI agents as identities that can access systems, take actions, and create risk on their own. It combines identity, access, ownership, approval, and revocation so agent behaviour stays attributable and bounded in production.
- Human-in-the-loop approval: Human-in-the-loop approval is a control where a person must review or authorise an agent action before it completes. It works best for bounded tasks, but it loses value when agents operate quickly, repeatedly, or across multiple systems without enough time for meaningful intervention.
- Centralized kill switch: A centralized kill switch is a single revocation mechanism that can cut off an agent's access across systems, APIs, and downstream dependencies. It matters because production agents often hold many credentials or pathways at once, and manual disablement across separate tools is too slow to be reliable.
- Identity explosion: Identity explosion is the rapid growth in non-human identities, tokens, and service credentials beyond the scale of human accounts. It creates governance strain because ownership, review, and revocation become harder to track manually, especially when machines outnumber people in the environment.
Deepen your knowledge
AI agent governance and non-human identity lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is moving from pilot to production with agents, it is worth exploring.
This post draws on content published by JumpCloud: The Agentic IAM Pulse Report: Closing the Governance Gap to Accelerate with AI. Read the original.
Published by the NHIMG editorial team on 2026-05-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org