By NHI Mgmt Group Editorial Team
Published 2026-01-27
Domain: General NHI
Source: Netwrix

TL;DR: Identity automation, agentic AI, and continuous validation will increasingly determine data exposure and cyber-insurance scrutiny between 2026 and 2029, according to Netwrix. The governing assumption is shifting from static access review to continuous identity and data control alignment, because automation now directly changes who can reach sensitive data.


At a glance

What this is: Netwrix’s forecast argues that identity security and data security are becoming operationally inseparable as automation and agentic AI reshape access paths.

Why it matters: For IAM and NHI teams, the implication is that identity governance can no longer be evaluated apart from data access, policy enforcement, and continuous validation.

👉 Read Netwrix’s forecast on identity and data security dependency through 2029


Context

Identity security is no longer just about proving who can log in or which workload can authenticate. In this forecast, the core problem is the growing dependency between identity decisions and data exposure, especially as workflow automation and agentic AI begin to mediate access at scale.

That matters for IAM, NHI, and data governance programmes because the control plane is converging. If identity orchestration, federation trust, or workflow automation is misconfigured, the downstream effect is not only access failure but exposure of sensitive data that should have remained constrained.


Key questions

Q: How should security teams govern AI agents that access sensitive data?

A: Security teams should govern AI agents as live identity subjects with changing authority, not as fixed integrations. That means tying each agent to a defined business purpose, constraining the data sets it can reach, and rechecking access when context changes. The key is continuous validation of identity, authority, and data scope during execution, not just at provisioning.

Q: Why do identity automation failures become data security incidents?

A: Identity automation failures become data security incidents because automated provisioning, token handling, and privilege decisions directly determine who can reach sensitive data. When a workflow is misconfigured, the error scales across systems faster than manual review can intervene. In practice, the same misstep that looks like an IAM defect can create immediate exposure in data stores.

Q: When should organisations move from periodic review to continuous control evidence?

A: Organisations should move to continuous control evidence when access is mediated by automation, cloud integrations, or AI-driven workflows. At that point, a quarterly review is too slow to prove that authority remained appropriate while the system was acting. Continuous evidence matters whenever identity decisions can change faster than certification cycles can observe them.

Q: Who is accountable when an AI vendor can no longer operate or is acquired?

A: Accountability belongs to the enterprise that relied on the service, because it still owns the data, the identities, and the business continuity risk. Teams should know where prompts, outputs, and related access records live, who can revoke authority, and how to recover them if the provider changes hands or exits. Without that clarity, governance disappears with the vendor.


Technical breakdown

Identity automation and data exposure paths

When provisioning, token validation, and privilege management are automated, identity stops being a static access checkpoint and becomes a live decision system. That shifts risk from isolated credential abuse to orchestration failure, where one bad policy or misconfigured workflow can expand access across multiple data stores. The operational problem is that identity context now determines data reach in real time, so data exposure follows identity drift faster than manual review cycles can detect.

Practical implication: treat automated identity workflows as part of the data access control plane, not just IAM plumbing.

Agentic AI identity and continuous authorisation

Agentic AI changes the problem because the identity is no longer only authenticating a person or workload; it is carrying out tasks on behalf of others across systems. That means access scope, authority boundaries, and data sensitivity can change mid-workflow, while the same agent identity remains active. Static permission design breaks down when the actor can keep moving, selecting actions across connected systems without a fresh governance checkpoint.

Practical implication: validate agent identity, authority, and data scope continuously across the full workflow path.

Continuous validation is replacing questionnaire-based assurance

The forecast’s insurance angle is really a governance signal. Security assurance is moving away from periodic attestation toward telemetry that shows how identities access sensitive data in real time. That raises the bar for evidence, because organisations must demonstrate live control alignment rather than claim compliance at a point in time. For identity teams, this means visibility and auditability are becoming external risk signals, not just internal metrics.

Practical implication: build evidence streams that prove identity and data controls are operating continuously, not periodically.


NHI Mgmt Group analysis

Identity and data security are converging into one control problem. The forecast is directionally right because access orchestration now determines both identity assurance and data exposure at the same time. That means the old split between IAM ownership and data security ownership is becoming operationally false. Practitioners should treat misconfigured automation as a data-risk issue, not a back-office IAM defect.

Continuous validation is replacing trust in static access design. Periodic reviews do not match a world where access is mediated by workflows, integrations, and AI agents that act continuously. The field is moving toward proof that identity context and data access remain aligned during execution, not just at provisioning. Practitioners should expect governance evidence to become runtime evidence.

Agentic AI turns identity into a moving authority boundary. Once an AI system can operate across multiple systems on behalf of users or teams, the governance question is no longer whether it authenticated correctly. It is whether its authority remained appropriate as conditions changed. Practitioners should redesign controls around task scope, context drift, and policy revalidation.

Data ownership without identity ownership will fail under AI vendor churn. The forecast’s warning about provider instability reflects a broader control gap in emerging AI programmes: enterprises often cannot answer who can act on the data, who owns the identities involved, or how control survives provider change. That is a lifecycle and accountability problem, not only a storage problem. Practitioners should map identity, data, and exit responsibility together before dependency hardens.

Identity governance for AI systems now needs a named concept: runtime governance gap. The runtime governance gap is the distance between a policy that looks correct on paper and the actual identity and data decisions made while automation is executing. As AI-driven workflows become continuous, that gap becomes the dominant failure mode. Practitioners should assume design-time controls will miss runtime drift unless they are explicitly instrumented.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • For lifecycle and offboarding controls, see Ultimate Guide to NHIs for the visibility and rotation gaps that make continuous validation necessary.

What this signals

Runtime governance will become the practical test for identity programmes. As more access is mediated by automation, the programme question is no longer whether policies exist but whether control evidence exists while the workflow is running. That shift favours teams that can prove behaviour, not just intent, and it will expose identity programmes that still rely on periodic review artefacts.

The data-security dependency also widens the blast radius of every identity exception. If an AI-driven workflow, token, or service identity can reach sensitive data without a fresh authority check, the resulting exposure will look like a governance failure long before it looks like a breach. Teams that can trace identity context into data access will have a clearer risk picture than teams that treat IAM and data protection separately.


For practitioners

  • Map identity-to-data dependency chains: Document which identities, service accounts, tokens, and AI agents can reach which sensitive data sets, then trace the exact workflows that create that reach. Use the mapping to expose hidden orchestration paths and remove implicit trust between systems.
  • Instrument continuous validation points: Place verification checks at token issuance, workflow handoff, privilege change, and data-access events so authority is rechecked as conditions change. This gives auditors and defenders evidence that access remained appropriate during execution.
  • Separate ownership for AI access and data custody: Assign explicit accountability for the identities AI systems use, the data they touch, and the exit process if a provider changes, is acquired, or fails. Without that separation, business continuity and governance collapse together.
  • Reduce reliance on static questionnaires: Replace point-in-time assurance with telemetry that proves real-time identity behaviour, data access, and policy enforcement. That evidence should be available to security, audit, and risk teams in the same reporting cycle.
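As an added illustration (not code from this post or from Netwrix), the Python below sketches a policy-enforcement point that rechecks an agent's identity, authority, and data scope at each checkpoint named in the list above and writes one evidence record per decision, which is the continuous validation described in the technical breakdown. The agent, data sets, sensitivity levels, and checkpoint names are constructed assumptions; running the same workflow with a check only at the first step shows the runtime governance gap the analysis describes.

```python
from dataclasses import dataclass

# Constructed sample environment: data-set sensitivity levels (0 = public, 3 = highest).
SENSITIVITY = {"public_docs": 0, "customer_pii": 2, "payroll": 3}

@dataclass
class AgentAuthority:
    agent_id: str
    purpose: str            # defined business purpose the agent is tied to
    allowed_datasets: set   # data sets the agent may reach
    max_sensitivity: int    # highest sensitivity level its authority covers
    token_valid: bool = True

def validate(step, auth, dataset, sensitivity, evidence):
    """Recheck identity, authority and data scope at one checkpoint and append
    a runtime-evidence record (the audit trail the post calls for)."""
    if not auth.token_valid:
        reason = "token revoked"
    elif dataset not in auth.allowed_datasets:
        reason = "dataset outside allowed scope"
    elif sensitivity[dataset] > auth.max_sensitivity:
        reason = "sensitivity exceeds authority"
    else:
        reason = "ok"
    evidence.append({"step": step, "agent": auth.agent_id, "dataset": dataset,
                     "decision": "allow" if reason == "ok" else "deny", "reason": reason})
    return reason == "ok"

def run_workflow(auth, steps, sensitivity, drift, evidence, continuous=True):
    """Run (checkpoint, dataset) steps; drift[i] mutates context just before step i.
    continuous=False models provisioning-time-only checking: once the first
    checkpoint passes, later steps run without a fresh authority check."""
    done = []
    for i, (step, dataset) in enumerate(steps):
        for change in drift.get(i, []):
            change(auth, sensitivity)
        if (continuous or i == 0) and not validate(step, auth, dataset, sensitivity, evidence):
            break
        done.append(step)
    return done

def demo(continuous):
    """Agent cleared for customer_pii; the data set is reclassified to level 3 mid-workflow."""
    auth = AgentAuthority("agent-42", "support-triage", {"public_docs", "customer_pii"}, 2)
    sensitivity, evidence = dict(SENSITIVITY), []
    steps = [("token_issuance", "public_docs"), ("workflow_handoff", "customer_pii"),
             ("data_access", "customer_pii")]
    drift = {2: [lambda a, s: s.__setitem__("customer_pii", 3)]}  # context drift before step 2
    return run_workflow(auth, steps, sensitivity, drift, evidence, continuous), evidence
```

With continuous checking the data-access step is denied and the denial is recorded; with a provisioning-only check all three steps run and only one evidence record exists.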

Key takeaways

  • Identity automation is becoming a data security issue because workflow decisions now determine sensitive-data reach in real time.
  • Agentic AI makes authority a moving target, which means static permission models and periodic reviews will miss the moment risk changes.
  • Practitioners need continuous evidence, clear ownership, and explicit exit planning if they want identity and data governance to survive AI-driven dependency.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Automated identity and token handling can extend secret validity and exposure windows.
NIST CSF 2.0                     | PR.AC-4             | Access permissions must remain appropriate as workflows and data access change.
NIST AI RMF                      |                     | Agentic AI governance needs runtime accountability and continuous oversight.

Review NHI rotation and lifecycle controls where automation can leave credentials valid after change.


Key terms

  • Identity Orchestration: Identity orchestration is the automated coordination of provisioning, authentication, token handling, and privilege decisions across systems. It matters because a failure in the orchestration layer can create exposure everywhere the workflow touches, not just in one application or directory.
  • Runtime Governance Gap: The runtime governance gap is the distance between a policy that looks correct in design and the actual identity and data decisions made while automation is executing. In AI and workflow-heavy environments, that gap often appears because control evidence is not generated at the point of action.
  • Agentic AI Identity: Agentic AI identity is the identity assigned to an AI system that can act on behalf of a person or team across multiple tools and data sources. It needs governance because the authority can change during execution, making static access assumptions too weak for safe operation.
  • Continuous Validation: Continuous validation is the practice of rechecking identity, authority, and access context as a system operates. For autonomous or automated workflows, it replaces point-in-time trust with live evidence that permissions still match the task and the data sensitivity involved.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Netwrix: Netwrix Security Research Lab Forecasts 2026 to 2029 on the rise of identity and data security dependency. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org