By NHI Mgmt Group Editorial Team
Published 2026-01-08
Domain: Agentic AI & NHIs
Source: Delinea

TL;DR: AI agents are moving from feature to actor inside business applications, and Delinea argues that access governance must expand to treat them as governed identities, while many organisations still run access reviews and segregation of duties manually. The assumption that identity can be reviewed after the fact is breaking as agents take actions at runtime and often with elevated access.


At a glance

What this is: This is Delinea’s 2026 application access governance outlook, arguing that AI agents in business applications must be governed as identities with least privilege, oversight, and lifecycle controls.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes now have to cover machine actors inside business apps without losing control of reviews, entitlement scope, and accountability.



Context

Application access governance is the discipline of deciding who or what can use business application functions, data, and workflows. In 2026, the problem is no longer limited to human users because AI agents are being embedded directly into applications and are starting to act on behalf of users at runtime. That shifts the primary identity question from access approval to ongoing control of machine-driven actions.

The governance gap is that many enterprises still depend on manual access reviews, siloed application ownership, and broad default permissions. When agents operate inside ERP, CRM, or HCM systems, those older operating assumptions break down quickly. The core issue is not whether the application has AI features, but whether the organisation can govern the agent as an identity with defined scope, oversight, and revocation paths.


Key questions

Q: How should security teams govern AI agents inside business applications?

A: Security teams should govern AI agents as identities with explicit scope, constrained permissions, and accountable ownership. The control model should cover provisioning, access review, monitoring, and revocation across the business applications where the agent acts. If the agent can take actions on behalf of users, it needs the same governance discipline as any other privileged identity.

Q: Why do AI agents create problems for application access reviews?

A: AI agents create problems because access reviews assume a stable entitlement set that can be certified periodically. Agents can operate continuously, inherit broad workflow scope, and change what they do faster than a human reviewer can validate. That makes manual certification too slow to reflect actual risk, especially inside ERP, CRM, and HCM systems.

Q: What breaks when business applications give AI agents elevated access by default?

A: What breaks is the organisation’s ability to tie authority to task. Elevated default access widens the blast radius of any agent error, misuse, or compromised workflow and makes least privilege difficult to defend. The result is stronger operational convenience but weaker containment, especially when the same agent can touch sensitive data and business processes.

Q: Who should be accountable when an AI agent misuses application access?

A: Accountability should sit with the business and identity owners who approve the agent’s scope, not with the agent itself. The organisation needs a named human owner, clear escalation paths, and revocation authority so that autonomous or semi-autonomous actions can be reviewed and contained. Without that, governance becomes nominal rather than enforceable.


Technical breakdown

AI agents as governed identities in business applications

When an AI agent is embedded in a business application, it is no longer just a feature layer. It becomes an acting identity that can read data, trigger workflows, and sometimes take actions that a human user would normally initiate. That means application access governance has to evaluate permissions, entitlements, and workflow scope for the agent itself. Treating the agent as a user is the practical model because it allows least privilege, segregation of duties, and review processes to apply to the actual actor, not just the human who requested deployment.

Practical implication: Map each agent to a named business function, then constrain its access to that function only.

Why manual access reviews fail for agentic access

Manual SoD analysis and periodic access reviews were already under strain for human identities, and they degrade further when agents operate continuously across many applications. A human reviewer can inspect a fixed entitlement set, but an agent may inherit workflow scope, elevate through application roles, or change the actions it performs as business logic evolves. This creates review lag, where access is assessed after the relevant action has already happened. In application access governance, that delay is a structural problem, not just an efficiency issue.

Practical implication: Automate entitlement discovery and review evidence collection across application-native consoles, identity providers, and security tooling.

Modernizing controls across ERP, CRM, and HCM systems

Business applications are often owned by different departments, which is why access governance is fragmented across ERP, CRM, and HCM environments. That fragmentation matters because the same identity can accumulate different permissions in each system, and AI agents may operate across those boundaries faster than governance teams can reconcile them. The control model therefore has to connect provisioning, review, and monitoring across the application stack, not just inside a single console. Zero trust and least privilege only hold if access is continuously scoped to task and role.

Practical implication: Unify access visibility across departmental application owners and enforce consistent lifecycle controls for every identity type.


NHI Mgmt Group analysis

AI agents in business applications are now identity subjects, not feature flags. Once an agent can read records, trigger workflows, and act on behalf of a user, the governance model has to treat it like an identity with scope, privilege, and accountability. That changes how IGA, PAM, and application controls are evaluated because the real question becomes who or what is executing business logic. Practitioners should stop classifying these controls as application enhancements and start classifying them as identity governance.

Access review processes assume access is stable long enough to be reviewed. That assumption was designed for human-paced entitlement changes and periodic certification cycles. It fails when agents operate continuously inside business applications because their effective privilege can be created, used, and changed inside the same operating window. The implication is that governance programmes must rethink review cadence, evidence collection, and control ownership for identities that act at runtime.

Application access governance is becoming the bridge between human IAM and NHI governance. Delinea’s scenario shows why departmental application ownership can no longer sit apart from enterprise identity controls. Business applications now host human users, service-like automations, and AI agents in the same control surface, which makes siloed oversight increasingly fragile. The practical conclusion is that identity governance has to follow the actor, not the application boundary.

Least privilege for AI agents is a scope problem before it is a permissions problem. Many organisations will focus first on whether an agent can do a task, but the deeper issue is how much of the workflow it can see and influence. If the scope is broad, the permissions will be broad as well, even if the policy language looks restrained. Practitioners should therefore judge agent security by the narrowness of workflow scope and the quality of human oversight, not by feature labels.

Identity blast radius: the combined impact of broad entitlements, fragmented ownership, and weak lifecycle control is now visible inside business applications. That blast radius spans fraud, compliance failure, and operational misuse when the same identity can move through multiple enterprise systems with inconsistent governance. The field should read this as a signal that access governance is no longer a back-office certification exercise. It is part of enterprise risk containment.

From our research:

What this signals

Identity blast radius: as AI agents move into business applications, the practical governance problem becomes how far one identity can reach across systems before review or offboarding can intervene. The control gap is not just visibility, but the ability to keep scope narrow enough that a single agent cannot turn application convenience into enterprise-wide exposure. Teams should treat application access governance as a containment discipline, not a documentation exercise.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security, the same visibility problem is likely to intensify when AI agents and application integrations share the same access plane. That makes entitlement inventory, owner assignment, and revocation path testing the minimum viable control set for 2026.

Application access governance will increasingly sit at the intersection of IGA, PAM, and NHI lifecycle management. If organisations cannot align provisioning, access review, and offboarding across department-owned business applications, they will keep discovering agent risk only after the action has already occurred. The next maturity step is not more policy text, but tighter control of where identity authority begins and ends.


For practitioners

  • Inventory agent identities inside business applications: Build a single inventory that pulls from application-native consoles, identity providers, and security tooling so you can see where agents exist and what they can do.
  • Review agent entitlements like privileged human access: Assess permissions, workflow scope, and delegated actions for each agent the same way you would review a privileged role, then remove access that is not tied to a named business function.
  • Automate evidence collection for access reviews: Replace manual certification where possible by collecting entitlement, usage, and approval evidence continuously across ERP, CRM, and HCM systems.
  • Link application owners to enterprise identity governance: Require departmental application owners to use common identity governance standards for provisioning, SoD, and offboarding so agent access does not fragment by business unit.
  • Keep humans accountable for autonomous actions: For agents that can make decisions autonomously, define a human owner for approval, review, and incident escalation before the agent is allowed into production workflows.
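One way to carry out the review described in the technical breakdown and in the checklist above, as an added example that is not Delinea's or NHIMG's code: it merges constructed entitlement rows from ERP, CRM and HCM consoles with owner records from an identity provider, then flags agents with no named human owner, entitlements outside their named business function, segregation-of-duties conflicts (approve, execute and reconcile held in the same process), and the number of systems each agent reaches. The agent, system and entitlement names are assumptions.

```python
"""Agent entitlement review across ERP, CRM and HCM (constructed sample data)."""
from collections import defaultdict

# Constructed inventory rows, as an entitlement export from each application
# console would look: (agent, system, entitlement, process, duty, function served).
ENTITLEMENTS = [
    ("agent-ap-bot", "ERP", "AP.Invoice.Create", "accounts-payable", "execute", "accounts-payable"),
    ("agent-ap-bot", "ERP", "AP.Invoice.Approve", "accounts-payable", "approve", "accounts-payable"),
    ("agent-ap-bot", "CRM", "Opportunity.Edit", "sales", "execute", "sales"),
    ("agent-hr-assist", "HCM", "Payroll.View", "payroll", "reconcile", "payroll"),
    ("agent-hr-assist", "HCM", "Payroll.Run", "payroll", "execute", "payroll"),
]

# Constructed owner records from the identity provider: agent -> (human owner, business function).
OWNERS = {
    "agent-ap-bot": ("finance-ops@example.com", "accounts-payable"),
    "agent-hr-assist": (None, "payroll"),  # no named human owner yet
}

# Duty pairs that must never sit with one identity inside the same process.
INCOMPATIBLE = {frozenset({"approve", "execute"}),
                frozenset({"execute", "reconcile"}),
                frozenset({"approve", "reconcile"})}


def review_agents(entitlements=ENTITLEMENTS, owners=OWNERS):
    """Return per-agent findings: owner gap, out-of-scope entitlements, SoD conflicts, reach."""
    by_agent = defaultdict(list)
    for row in entitlements:
        by_agent[row[0]].append(row)
    findings = {}
    for agent, rows in by_agent.items():
        owner, function = owners.get(agent, (None, None))
        duties = defaultdict(set)            # process -> set of duties held by this agent
        for _, _, _, process, duty, _ in rows:
            duties[process].add(duty)
        findings[agent] = {
            "missing_owner": owner is None,
            # entitlements that serve a function other than the agent's named one
            "out_of_scope": sorted(ent for _, _, ent, _, _, serves in rows if serves != function),
            # processes where the agent holds an incompatible duty pair
            "sod_conflicts": sorted(p for p, d in duties.items() if any(pair <= d for pair in INCOMPATIBLE)),
            "systems": sorted({system for _, system, *_ in rows}),  # identity blast radius across apps
            "entitlement_count": len(rows),
        }
    return findings


def agents_to_hold(findings):
    """Agents that should stay out of production workflows until their findings are cleared."""
    return sorted(a for a, f in findings.items()
                  if f["missing_owner"] or f["out_of_scope"] or f["sod_conflicts"])
```

The same loop can be run on each review cycle so that the findings, not a manual certification sheet, form the review evidence.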

Key takeaways

  • AI agents embedded in business applications should be governed as identities because they can execute real workflow actions, not just assist users.
  • Manual access review processes are too slow for continuously acting agents, which means the governance gap is now operational rather than theoretical.
  • Enterprises need unified visibility across application owners, identity providers, and security tooling if they want least privilege to hold inside ERP, CRM, and HCM systems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Agentic AI Top 10                                  AI agents acting inside applications create agentic misuse and scope risks.
OWASP Non-Human Identity Top 10    NHI-01                Agents behave as governed non-human identities with entitlements and lifecycle needs.
NIST CSF 2.0                       PR.AC-4               Access permissions and identity governance are central to the article's control model.

Map application agent access to access-control governance and continuously review entitlements.


Key terms

  • Application Access Governance: Application Access Governance is the discipline of controlling who or what can use business application functions, data, and workflows. It combines provisioning, access review, segregation of duties, and monitoring so access remains aligned to business purpose across the lifecycle.
  • AI Agent: An AI agent is a software entity that can choose actions and execute tasks on behalf of a user or system. In governance terms, it must be treated as an acting identity when it can access data, trigger workflows, or make decisions inside business applications.
  • Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause if it is over-permissioned, misused, or compromised. For AI agents and NHIs, the term describes how quickly access can spread across applications, workflows, and sensitive data when scope controls are weak.
  • Segregation of Duties: Segregation of Duties is an access control principle that prevents a single identity from holding incompatible permissions in the same process. In application governance, it helps reduce fraud and misuse by separating approval, execution, and reconciliation tasks across identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: 2026 Application Access Governance predictions, securing AI agents and modernizing controls. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org