By NHI Mgmt Group Editorial Team
Published 2026-05-27
Domain: Agentic AI & NHIs
Source: Zenity

TL;DR: Enterprise AI agents are already operating at scale, often without review or governance, with Fortune 50 environments showing more than 150,000 agent-tied resources and 82% of those agents built by non-professional developers, according to Zenity. The real issue is not future adoption but unmanaged runtime identity sprawl that makes visibility the prerequisite for control.


At a glance

What this is: Zenity argues that AI agents are already creating a shadow identity layer inside enterprises, and that incomplete inventory is now the primary blocker to governance.

Why it matters: IAM teams must treat agent discovery as an identity control problem because the same gaps now affect NHI, autonomous AI, and lifecycle governance across human-owned and machine-owned access.

By the numbers:

👉 Read Zenity's analysis of incomplete AI agent inventory and enterprise risk


Context

AI agent inventory is the list of every agent, automation, token, and connected identity that can reach enterprise systems. The governance problem is not theoretical scarcity of controls, but that many organisations cannot see which agents exist, who owns them, or what they can touch.

That gap matters across NHI, autonomous, and human identity programmes because the first access decision often happens outside formal review. Once an agent is connected through low-code tooling or embedded into SaaS, the credential footprint becomes part of the identity estate whether or not IAM teams were involved.


Key questions

Q: How should security teams inventory AI agents across SaaS, cloud, and low-code platforms?

A: Security teams should inventory AI agents by linking each connected identity to its owner, permissions, data sources, and execution scope across every platform they touch. The goal is not just discovery but accountability, so shadow deployments, stale tokens, and hidden automations can be brought under a single governance model before access sprawl turns into business exposure.

Q: Why do AI agents create more identity risk than ordinary automation?

A: AI agents create more identity risk because they can combine access across multiple systems, invoke APIs, and trigger downstream actions within one session. That makes the credential an execution path rather than a simple login. Governance must therefore focus on reachable business actions, not just whether the agent was approved at deployment time.

Q: What breaks when an AI agent is deployed without formal ownership?

A: When an AI agent has no formal owner, review, offboarding, and incident response all become slower and less reliable. No one is accountable for permission drift, stale credentials, or unexpected behaviour, so the identity can persist long after the original use case has ended. That is a lifecycle failure, not just an administrative oversight.

Q: How can organisations reduce risk from shadow AI agents already inside the enterprise?

A: Organisations should combine continuous scanning, access reduction, and credential revalidation for any agent found outside formal governance. The priority is to move unknown agents into a managed state, then decide whether they are sanctioned, constrained, or removed. That sequence is more effective than waiting for a full platform redesign.


Technical breakdown

AI agent inventory and identity sprawl

Agent inventory is the foundational control plane for understanding which identities exist, where they were created, and what they can access. In practice, each connected agent can create one or more OAuth tokens, API keys, or service-account links, often spread across SaaS platforms, cloud services, and internal workflows. Without a living inventory, teams cannot distinguish sanctioned automation from shadow AI, or know whether a credential is still active after the original project ended.

Practical implication: build a continuously refreshed inventory that ties each agent to an owner, a purpose, and a permission set.

Why broad permissions make agents different from ordinary automation

Ordinary automation is usually bounded and predictable. Agentic systems can traverse multiple services, read data, call APIs, and trigger downstream workflows within a single session, which turns one credential into an execution path rather than a simple login. That changes the identity problem from static access management to runtime governance, because the agent’s behaviour can expand blast radius faster than manual oversight can react.

Practical implication: classify agent permissions by reachable systems and business actions, not by the platform that hosts the agent.

Standing access and forgotten identities

The article’s inventory warning points to a familiar NHI pattern: credentials outlive their intended use. When an agent built for a proof of concept keeps running months later, the issue is not just forgotten software but persistent identity exposure. The control failure is lifecycle drift, where access remains valid long after business ownership, review, or security validation has lapsed.

Practical implication: tie every agent credential to an offboarding trigger and a periodic ownership review, not just to deployment time.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agent sprawl is becoming identity sprawl, not just application sprawl. The article describes agents created through low-code platforms, SaaS defaults, and developer toolchains, all of which produce credentials and permissions that sit inside the identity estate. That means the governance problem belongs with IAM and NHI teams, not only AI platform owners. The practitioner conclusion is straightforward: if the inventory is incomplete, the control model is already incomplete.

Discovery is now the highest-value control because visibility determines whether any downstream policy can function. A policy framework cannot govern an agent that is not in the inventory, and ownership cannot be assigned to an identity that is not recorded. This is why discovery, attribution, and continuous classification sit ahead of enforcement in the operating model. Practitioners should treat missing inventory as a governance failure, not a documentation gap.

Privilege creep in agents mirrors long-standing NHI failure modes, but with faster blast-radius expansion. The article notes that agents can traverse systems, invoke APIs, and trigger workflows in one session. That creates identity blast radius, a named concept for the spread of reachable business actions behind a single credential. The implication for practitioners is that permissions now need to be judged by what the agent can do across systems, not by the narrow scope of the initial build request.

Ownership is the governance line that most agent programmes still blur. Zenity’s point about business owners and automated remediation shows that the problem is not whether a tool exists, but whether accountability survives deployment. The same lesson applies across human, NHI, and autonomous programmes: if ownership is not explicit, lifecycle governance decays into unmanaged access. Practitioners should make ownership a required attribute, not a best-effort process.

Agentic AI forces IAM teams to re-evaluate the assumption that access review is enough once access has been granted. Access reviews assume a stable, human-readable identity with a known business owner and a review cadence. Here, the identity may be created by a low-code user, embedded in SaaS, and left running with no effective offboarding path. The practitioner takeaway is that review alone does not restore governance when the original access event was never formally captured.

From our research:

  • 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
  • Only 44% of organisations have implemented policies to govern AI agents, even though 92% agree this governance is critical to enterprise security, according to the same report.
  • That gap is why the OWASP NHI Top 10 remains relevant for teams mapping agent identity controls to runtime risk.

What this signals

Identity blast radius: when a single agent credential can read data, invoke APIs, and trigger workflows, the control objective shifts from access approval to reachable action containment. That is why agent governance must sit inside the identity programme, not beside it, and why the inventory step has to feed remediation directly.

Zenity’s framing aligns with the broader NHI governance pattern documented in The 52 NHI Breaches Report: unmanaged credentials persist, ownership decays, and the resulting access rarely stays bounded. Practitioners should expect agent inventories to uncover the same stale access and over-permissioned identity conditions seen in other NHI estates.

As agent sprawl expands, the reader’s programme will need a stronger link between discovery, entitlement review, and lifecycle closure. Teams that already rely on static access reviews will need to add continuous classification and ownership validation before agent behaviour starts outpacing the review cycle.


For practitioners

  • Inventory every connected agent and automation: Create a live register of all agents, the systems they can reach, the credentials they use, and the business owner accountable for each one.
  • Classify agent permissions by business action: Map each agent to the data it can read, the APIs it can invoke, and the workflows it can trigger so that scope is measured in outcomes, not just entitlements.
  • Attach lifecycle triggers to agent credentials: Require offboarding, review, and revalidation triggers for every agent secret or token so credentials do not survive project abandonment or ownership change.
  • Separate sanctioned agents from shadow deployments: Use continuous scanning to identify agents created outside formal review and route them into a distinct remediation path with ownership assignment and access reduction.
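The four practitioner steps above, and the inventory, blast-radius and lifecycle points in the Technical breakdown, can be expressed as one small register. The following is an added example written for this page; it is not Zenity's or NHI Mgmt Group's tooling, and every agent name, platform, owner, scope string and date in it is constructed. It models each agent with its owner, purpose, review status and credentials, computes the reachable business actions behind the agent (the identity blast radius), and flags the conditions the text names: shadow deployment, missing owner, stale or expired credentials. Agents with any finding are routed to a remediation path; the rest stay managed.

```python
# Added example: minimal AI-agent inventory register with classification and
# lifecycle checks. Constructed data; not Zenity's or NHIMG's code.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Credential:
    kind: str                 # e.g. "oauth_token", "api_key", "service_account"
    scopes: frozenset         # business actions reachable through this secret
    last_used: date
    expires: date | None = None


@dataclass
class Agent:
    name: str
    platform: str             # where the agent lives: saas, low-code, cloud, ...
    owner: str | None         # accountable business owner; None = unassigned
    purpose: str | None       # why the agent exists; None = never recorded
    reviewed: bool            # passed formal security review at deployment
    credentials: list = field(default_factory=list)


def blast_radius(agent: Agent) -> frozenset:
    """Union of every business action reachable through the agent's credentials.
    Scope is measured by reachable outcomes across systems, not by the platform
    that hosts the agent."""
    reach = set()
    for cred in agent.credentials:
        reach |= cred.scopes
    return frozenset(reach)


def classify(agent: Agent, today: date,
             stale_after: timedelta = timedelta(days=90)) -> dict:
    """Governance findings for one agent and the state it should move to.
    stale_after is an assumed review window, not a value from the article."""
    findings = []
    if not agent.reviewed:
        findings.append("shadow_deployment")
    if agent.owner is None:
        findings.append("no_owner")
    if agent.purpose is None:
        findings.append("no_purpose")
    for cred in agent.credentials:
        if today - cred.last_used > stale_after:
            findings.append(f"stale_credential:{cred.kind}")
        if cred.expires is not None and cred.expires < today:
            findings.append(f"expired_credential:{cred.kind}")
    # Lifecycle closure: anything outside review or ownership goes to the
    # remediation path, where it is sanctioned, constrained, or removed.
    state = "managed" if not findings else "remediate"
    return {"agent": agent.name, "state": state, "findings": findings,
            "reach": sorted(blast_radius(agent))}


def triage(inventory: list, today: date) -> dict:
    """Classify every agent and group results by state so remediation only
    receives the unmanaged identities."""
    report = {"managed": [], "remediate": []}
    for agent in inventory:
        result = classify(agent, today)
        report[result["state"]].append(result)
    return report


# Constructed sample inventory (all names, scopes and dates are made up).
TODAY = date(2026, 5, 27)
SAMPLE_INVENTORY = [
    Agent("invoice-reconciler", "cloud", owner="finance-ops",
          purpose="match invoices", reviewed=True,
          credentials=[Credential("service_account",
                                  frozenset({"erp:read_invoices"}),
                                  last_used=TODAY - timedelta(days=2))]),
    # Low-code agent nobody reviewed or owns, with a token idle for 120 days.
    Agent("sales-helper", "low-code", owner=None, purpose=None, reviewed=False,
          credentials=[Credential("oauth_token",
                                  frozenset({"crm:read_contacts",
                                             "crm:update_deals", "mail:send"}),
                                  last_used=TODAY - timedelta(days=120))]),
    # Sanctioned proof of concept whose API key expired yesterday.
    Agent("poc-summariser", "saas", owner="data-team", purpose="POC",
          reviewed=True,
          credentials=[Credential("api_key", frozenset({"docs:read"}),
                                  last_used=TODAY - timedelta(days=30),
                                  expires=TODAY - timedelta(days=1))]),
]

if __name__ == "__main__":
    for state, rows in triage(SAMPLE_INVENTORY, TODAY).items():
        for row in rows:
            print(state, row["agent"], row["findings"], row["reach"])
```

Running the block prints one line per agent: the reconciler stays managed, the low-code helper is sent to remediation with four findings and a three-action blast radius, and the proof of concept is sent to remediation solely because its key has expired. The point of keeping ownership, purpose and review as explicit attributes is that their absence becomes a finding the register can act on, rather than something discovered during an incident.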

Key takeaways

  • AI agent sprawl is an identity governance problem because every connected agent creates credentials, permissions, and ownership questions that existing inventories often miss.
  • The evidence points to material scale, with Fortune 50 environments already carrying more than 150,000 agent-tied resources and many agents built outside professional development controls.
  • The control that matters first is discovery, followed by accountability and lifecycle closure, because no governance model can manage what it has not identified.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | AG-03 | Agent sprawl and hidden access map to unmanaged agent identity risk.
OWASP Non-Human Identity Top 10 | NHI-01 | Incomplete discovery and credential sprawl are core NHI control failures.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access management is central to controlling agent permissions.

Maintain a living inventory of non-human identities and revoke unknown credentials quickly.


Key terms

  • Agent inventory: A complete, continuously updated record of every AI agent, automation, token, and connected identity in the environment. For agentic programmes, inventory is not bookkeeping. It is the control that makes ownership, scope review, and lifecycle governance possible.
  • Identity blast radius: The total spread of systems, data, and workflows reachable through one identity or credential. For AI agents, blast radius can expand quickly because a single session may cross applications, call APIs, and trigger downstream business actions before a human can intervene.
  • Shadow AI: AI agents or automations operating without formal IT, security, or governance review. The risk is not only unknown software, but unknown identity exposure, because hidden agents often bring their own credentials, permissions, and untracked data access.
  • Lifecycle closure: The point at which an identity is intentionally reviewed, offboarded, or revalidated so its access no longer persists by default. In agent governance, lifecycle closure matters because abandoned agents and stale tokens can continue to act long after the original purpose has ended.

Deepen your knowledge

AI agent inventory and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for shadow agents and unmanaged credentials, it is a practical place to start.

This post draws on content published by Zenity: Your AI Agent Inventory Is Incomplete. Here's What That Means for Risk. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org