By NHI Mgmt Group Editorial Team | Published 2026-03-05 | Domain: Breaches & Incidents | Source: Curity

TL;DR: Large-scale agentic AI adoption is pushing identity infrastructure into a control-plane role for both human and non-human identities, according to Curity, which also named Monica Enand as Chair of the Board. The market signal is clear: identity programmes now need to govern autonomous systems and NHI scale at the same time, not as separate problems.


At a glance

What this is: Curity says agentic AI is reshaping the identity market and named Monica Enand as Chair of the Board as it positions for growth.

Why it matters: Identity teams are being asked to secure human, NHI, and autonomous access patterns with the same governance model, which exposes gaps in lifecycle, privilege, and control-plane design.



Context

The core issue is not a board appointment on its own. The issue is that identity infrastructure is being recast as the control plane for agentic AI, where human and non-human identities must be governed at enterprise scale. That changes the operating assumptions for IAM, PAM, and NHI programmes because the identity layer is now expected to mediate both people and autonomous systems.

Curity frames the market around scale, rollout, and platform governance rather than a single product feature. For practitioners, that means the strategic question is no longer whether identity is part of AI security, but how identity architecture absorbs autonomous execution without losing visibility, accountability, or access discipline.


Key questions

Q: How should security teams govern agentic AI through identity controls?

A: Security teams should govern agentic AI as a runtime identity problem, not only an authentication problem. That means defining ownership, scope, telemetry, and approval boundaries for every tool-calling actor, then testing whether IAM and PAM controls can still explain who acted, with what privilege, and under which policy. If they cannot, the governance model is incomplete.

Q: Why do human and non-human identity programmes need to converge?

A: They converge because the same enterprise systems now host people, service accounts, API keys, certificates, and AI-driven executors in one access fabric. Separate governance models create blind spots in ownership, lifecycle control, and review coverage. A shared governance model does not erase actor differences, but it does make access discipline consistent across the estate.

Q: What breaks when identity is treated as a login layer only?

A: When identity is treated as a login layer only, teams miss the fact that many high-risk decisions happen after authentication, inside delegated workflows and tool chains. That leaves privilege use, session behaviour, and agent action paths outside the governance model. The result is weak accountability and poor visibility into how access is actually consumed.

Q: How do organisations know if identity architecture is ready for AI-driven access?

A: They know it is ready when it can govern both static entitlements and dynamic execution without losing traceability. Look for clear ownership, policy enforcement at runtime, and evidence that certification, offboarding, and escalation paths still work when the actor is an autonomous system rather than a person.


Technical breakdown

Why agentic AI turns identity into a control plane

Agentic AI changes identity architecture because access decisions are no longer limited to people authenticating to applications. Autonomous systems can initiate action, call tools, and chain operations across services, which makes identity the enforcement point for execution as well as login. That pushes IAM, PAM, and NHI controls into a shared operating model. The practical question is whether the identity layer can still express intent, scope, and accountability when the actor is not human and may not wait for approval cycles.

Practical implication: Practitioners should map where identity becomes the runtime control plane for tool use, delegation, and privilege enforcement.

How human and non-human identities converge in the same governance stack

As organisations scale both human and non-human identities, the separation between workforce IAM and NHI governance becomes harder to sustain. Service accounts, API keys, certificates, and AI agents all introduce machine-mediated access paths that can outnumber human accounts and expand faster than manual review processes. The governance problem is not merely inventory. It is that the same lifecycle questions, such as ownership, rotation, offboarding, and recertification, now apply across different actor types with different behaviour patterns.

Practical implication: Practitioners should align governance rules across humans and NHIs instead of running disconnected review processes.

Board-level leadership matters when identity becomes market infrastructure

The board appointment is a signal that identity vendors are treating scale, market expansion, and operating discipline as strategic concerns rather than pure product concerns. For security leaders, that matters because platform direction often follows the assumption that identity will anchor broader security architecture for AI, cloud, and delegated access. That is not a substitute for technical governance, but it does show where investment and roadmap pressure are moving.

Practical implication: Practitioners should expect identity vendors to position more strongly around AI-era control-plane use cases and evaluate those claims against their own governance requirements.




NHI Mgmt Group analysis

Identity is becoming the control plane for agentic systems, not just the login layer. Curity’s framing reflects a broader shift in the market: autonomous and semi-autonomous systems now depend on identity decisions throughout execution, not only at authentication time. That creates pressure on governance models built around static entitlements and human-paced approval. Practitioners should treat identity as a runtime enforcement layer, not a perimeter service.

Curity’s message confirms that NHI governance and agentic AI governance are converging operationally. Service accounts, API keys, certificates, and AI-driven actors now sit in the same access fabric, even if their behaviour differs. The important point is not taxonomy, but that lifecycle, privilege, and delegation controls must work across machine identities and autonomous execution paths. Teams that keep these domains separate will miss the shared failure modes.

Access review processes were designed for actors whose privilege persists long enough to be observed. That assumption fails when the actor is autonomous because it can acquire, use, and discard access within a single runtime session. The implication is not simply to add more reviews. It is that review cadence, evidence collection, and certification models stop matching the behaviour they are supposed to govern.

Named concept: identity control plane expansion. This is the moment when identity stops being a supporting control and becomes the coordinating layer for AI, cloud, and delegated access decisions. That expansion increases the strategic value of identity architecture, but it also raises the bar for visibility, ownership, and policy coherence. Practitioners should judge platform direction by whether it can govern execution, not just authenticate users.

Board and operating leadership are now part of the identity governance conversation. When vendors position identity as infrastructure for the agentic world, they are signalling that the category is moving toward broader platform consolidation and more enterprise-scale governance demands. Security teams should anticipate that procurement and architecture choices will increasingly be evaluated on cross-domain coverage, not isolated NHI features.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • For a deeper governance lens, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the lifecycle controls that must keep pace with machine-scale identity.

What this signals

Identity programmes should expect AI-era governance to collapse old category boundaries. Once identity is the control plane for both humans and autonomous systems, the practical challenge becomes evidence quality, ownership, and runtime policy enforcement rather than account counts alone. With NHIs outnumbering human identities by 25x to 50x in modern enterprises, even mature IAM teams will need to rethink how they segment operational responsibility.

Identity control plane expansion is the right lens for planning. It describes the point at which IAM stops being a back-office service and becomes the governing layer for AI execution, delegated access, and machine identity lifecycle. That shift should prompt architecture reviews that connect identity, privilege, and telemetry into one operating model, supported by guidance such as the NIST AI Risk Management Framework.

Board changes and market positioning may seem peripheral, but they often foreshadow where vendor roadmaps will converge. Security leaders should watch for more platform claims around autonomous access, identity policy, and cross-domain control, then test those claims against their own need for accountability across human and non-human actors.


For practitioners

  • Re-map identity governance around runtime control: Identify where your IAM, PAM, and NHI controls are still designed only for authentication events. Trace where autonomous systems, service accounts, and delegated workflows actually make decisions, call tools, and consume privileges in production.
  • Unify lifecycle ownership across identity types: Assign a clear owner for each human account, service account, credential, and AI-driven executor. Use the same governance discipline for joiner, mover, leaver, rotation, and offboarding processes, even when the underlying actor behaves differently.
  • Test certification processes against fast-moving access: Review whether your access review and recertification cadence can produce meaningful evidence for identities that operate for minutes or sessions rather than weeks. If not, classify the gap as a governance mismatch, not a tooling issue.
  • Evaluate identity platforms for control-plane fit: Assess whether current identity architecture can govern authorization, delegation, and privileged execution across both human and non-human actors. Focus on policy expression, telemetry, and accountability rather than brand claims.

Key takeaways

  • Agentic AI is pushing identity into a control-plane role where authentication, authorization, and execution governance are increasingly inseparable.
  • Human and non-human identity governance are converging operationally, which makes ownership, lifecycle, and privilege discipline a shared requirement rather than separate workstreams.
  • Security teams should judge identity platforms by their ability to govern runtime behaviour and accountability, not by login coverage alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-04 | Agent autonomy and tool use are central to the article's identity control-plane theme. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The post centres on machine identity scale, privilege, and lifecycle governance. |
| NIST AI RMF | | AI governance and accountability are part of the article's market signal. |

Map service accounts and credentials to NHI-03 controls for rotation and lifecycle discipline.


Key terms

  • Identity control plane: The identity control plane is the layer where access decisions, delegation, and accountability are enforced across systems. In agentic environments, it extends beyond login to govern runtime actions, tool use, and privilege consumption. That makes identity a core operating control, not just a directory service.
  • Agentic AI: Agentic AI is software that can decide what to do next, choose tools, and act at runtime with limited or no human intervention. In identity terms, it creates a governance challenge because access is no longer only requested by people. The actor itself can initiate action paths and consume privilege independently.
  • Non-human identity: A non-human identity is any machine or software identity used by systems instead of people, including service accounts, API keys, tokens, certificates, bots, and AI agents. These identities still need ownership, lifecycle control, and least privilege, but their behaviour often changes faster than manual governance processes can track.


This post draws on content published by Curity: identity market change and the appointment of Monica Enand as Chair of the Board. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-05.