TL;DR: Identity governance is under pressure from executive blind spots, non-human identities, and agentic AI, with the State of Identity Governance 2026 calling out the resulting execution gap, according to Omada Identity. The central issue is not awareness but governance models that still assume access, accountability, and review cycles move at human pace.
At a glance
What this is: This is Omada Identity’s analyst-report hub for identity governance research, with the central finding that IGA is being reshaped by executive blind spots, NHI sprawl, and agentic AI.
Why it matters: It matters because IAM teams now have to govern humans, machine identities, and autonomous actors through the same lifecycle controls without assuming those populations behave the same way.
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
Identity governance is the discipline that decides who or what should have access, for how long, and under what review process. Omada Identity’s research roundup points to a programme-level problem: IGA is no longer dealing only with workforce access, but with machine identities and agentic systems that can outgrow human-centric review models.
The article’s core message is that the execution gap in identity governance is widening faster than most programmes can absorb. That gap shows up in blind spots at the executive level, weak control over non-human identities, and governance assumptions that break once AI systems begin acting with more independence than traditional automation.
For teams that need a broader identity baseline, the governance question sits alongside lifecycle, visibility, and privileged access management. The operational model still has to account for service accounts, APIs, secrets, and delegated access, even as AI-driven workflows start to blur the line between access request, decision, and action.
Key questions
Q: How should security teams govern non-human identities across cloud and SaaS systems?
A: Start with inventory, ownership, and lifecycle control. Security teams should know where each service account, token, certificate, and workload identity exists, who owns it, what it can access, and how it is revoked. Without that baseline, recertification becomes guesswork and excessive privilege persists unnoticed across environments.
Q: Why do identity governance programmes struggle when AI systems become more autonomous?
A: Because many governance processes assume access can be reviewed after the fact. Autonomous systems can decide, select tools, and execute within a single session, which collapses the window for traditional review, certification, and manual approval. The issue is timing, not just privilege volume.
Q: What breaks when service accounts are not fully visible or owned?
A: Offboarding and access certification break first. If teams cannot reliably discover a service account, determine who owns it, or confirm whether it is still needed, the organisation keeps dormant access alive and cannot prove that revocation happened when the business need ended.
Q: Who is accountable when AI or machine identities are over-privileged?
A: Accountability sits with the teams that provisioned, approved, and operated the identity, but governance ownership must be explicit. If a machine identity or AI system can act beyond its intended scope, the organisation needs a named control owner, a revocation path, and evidence that access was reviewed against actual use.
Technical breakdown
Identity governance execution gaps in modern IGA programmes
Identity governance and administration does not fail because the control set is unknown. It fails when entitlement data, ownership, and recertification workflows do not match the pace and shape of the identities being governed. In practice, that creates a backlog of access that is technically granted, operationally stale, and politically hard to remove. When organisations add cloud platforms, SaaS, and non-human identities, the review model becomes harder because the subject of the review is no longer only a person with a manager and a job title.
Practical implication: map every identity type to a review and offboarding path, then test whether the process still works when the subject is a service account or agent.
Non-human identity sprawl and access review blind spots
Non-human identities include service accounts, API keys, tokens, certificates, and workload identities. Their governance problem is not just quantity, but invisibility and persistence. Many programmes can enumerate human users, yet still struggle to find where machine credentials live, who owns them, and whether they still need the access they have. Once those identities are embedded in pipelines, cloud workloads, or vendor connections, the organisation can lose lifecycle control even while the credential remains active.
Practical implication: build authoritative inventory and ownership controls for machine identities before trying to optimise certification frequency.
Agentic AI and the limits of human-paced governance
Agentic AI changes identity governance because the actor can make runtime decisions, select tools, and execute without waiting for a human approval loop. That is a different operating model from scheduled automation or pre-baked workflows. Traditional IGA assumes access can be reviewed after use, but autonomous behaviour can compress access, action, and impact into one session. That means governance is no longer just about authorisation at the front door, but about whether the programme can still observe and contain identity behaviour while it is happening.
Practical implication: assess whether your current identity controls can distinguish approved delegation from independent runtime action before expanding AI system privileges.
NHI Mgmt Group analysis
Identity governance execution failure is now a structural issue, not a tooling issue. Omada Identity’s research roundup points to a market where IGA programmes are being stretched by disconnected ownership, blind spots in executive oversight, and identities that no longer fit human review rhythms. The result is not simply more work for governance teams, but a mismatch between the control model and the identities it claims to govern. Practitioners should treat execution as the primary problem, not dashboard coverage.
Non-human identity sprawl is turning lifecycle governance into an access archaeology problem. When service accounts, API keys, and tokens are distributed across cloud, SaaS, and CI/CD environments, the difficulty is rarely policy intent. It is finding the current state, proving ownership, and closing the loop when access is no longer needed. That is why visibility and revocation remain central NHI governance failures. Practitioners need to re-evaluate whether their lifecycle process can actually discover and retire machine identities at scale.
Agentic AI forces a governance reset because access review was designed for access that persists long enough to be reviewed. That assumption fails when an actor can decide, select tools, and execute within a single runtime session. The implication is not just more controls, but a different mental model for identity assurance, one that treats execution timing and delegation behaviour as first-class governance variables.
Identity governance is converging on a single control question across humans, machines, and agents: can the organisation prove who or what held power at the moment action was taken? The category boundary between IAM, NHI governance, PAM, and AI oversight is narrowing because the accountability problem is the same even when the actor differs. Practitioners should expect lifecycle governance to become the shared language across these domains rather than a back-office admin function.
The market is moving toward governance models that combine lifecycle, privilege, and runtime visibility. Research like this suggests the next IGA battleground is not feature breadth but whether a programme can observe access in motion and close it when the identity is no longer trustworthy. Security leaders should plan for tighter alignment between IGA, PAM, and machine identity controls.
From our research:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, a 4.5x gap when access is not scoped properly.
- To go deeper: read the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for the offboarding and rotation controls that close the lifecycle gap.
What this signals
With 70% of organisations granting AI systems more access than human employees performing the exact same job, per The 2026 Infrastructure Identity Survey, the governance gap is no longer theoretical. Identity programmes that still separate human IAM from machine access will miss the control failure that matters most: entitlement decisions are being made without a stable model of actor behaviour.
Identity blast radius: the practical risk is not only how many identities exist, but how far any one credential can move when governance is weak. That is why lifecycle offboarding, ownership, and revocation need to be treated as one control chain rather than separate workstreams.
Teams should expect identity governance to become more tightly linked to runtime visibility and privileged access controls. If your programme cannot explain who or what had authority at the moment of action, it is not ready for agentic or machine-scale identity risk.
For practitioners
- Reconcile identity ownership across all actor types: create a single ownership model for humans, service accounts, API keys, and AI-driven identities so that every access path has a named accountable party and an offboarding trigger.
- Inventory machine identities before expanding certification cycles: find service accounts, tokens, certificates, and workload identities across cloud, SaaS, and CI/CD systems, then verify where each credential is stored and who can revoke it.
- Test whether access reviews still work for autonomous behaviour: walk through a scenario where an AI system selects tools and executes without a human approval loop, then check whether your current review, logging, and exception processes can capture that activity.
- Align IGA with PAM and lifecycle offboarding: use privileged access controls and revocation workflows to close the gap between entitlement approval and actual access removal, especially where credentials persist beyond their intended purpose.
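As an added example (not Omada Identity's or NHIMG's code), the ownership, inventory, dormancy and revocation checks behind these four steps run over a constructed machine-identity inventory; the thresholds, scope markers, identity names and owners are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
DORMANT_DAYS = 90          # assumed threshold: no use in 90 days counts as dormant
REMEDIATION_SLA_DAYS = 5   # the page's "still valid five days after notification" window
HIGH_RISK_SCOPES = {"*", "admin", "iam:*", "secrets:*"}  # assumed markers of excessive privilege

@dataclass
class NHI:
    ident: str
    kind: str                     # service_account | api_key | token | certificate | workload
    owner: Optional[str]          # named accountable party, None if nobody claims it
    owner_active: bool            # False once the owner has left or changed role
    scopes: set
    last_used_days: int           # days since the credential last authenticated
    active: bool = True           # False once revoked
    exposure_notified_days: Optional[int] = None  # days since a leak notification, if any

def governance_gaps(inventory):
    """Return the identities that fail each ownership, lifecycle and privilege check."""
    gaps = {"no_owner": [], "orphaned": [], "dormant": [], "excessive": [], "unremediated": []}
    for nhi in inventory:
        if not nhi.active:
            continue  # revoked credentials have completed the lifecycle
        if nhi.owner is None:
            gaps["no_owner"].append(nhi.ident)
        elif not nhi.owner_active:
            gaps["orphaned"].append(nhi.ident)  # offboarding trigger fired, access survived
        if nhi.last_used_days > DORMANT_DAYS:
            gaps["dormant"].append(nhi.ident)
        if nhi.scopes & HIGH_RISK_SCOPES:
            gaps["excessive"].append(nhi.ident)
        if nhi.exposure_notified_days is not None and nhi.exposure_notified_days > REMEDIATION_SLA_DAYS:
            gaps["unremediated"].append(nhi.ident)
    return gaps

def prioritise(gaps):
    """Rank identities by how many checks they fail, so revocation starts with the worst."""
    counts = {}
    for idents in gaps.values():
        for ident in idents:
            counts[ident] = counts.get(ident, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
# Constructed sample inventory; names, owners and scopes are hypothetical.
INVENTORY = [
    NHI("sa-ci-deploy", "service_account", "platform-team", True, {"deploy:write"}, 2),
    NHI("key-vendor-sync", "api_key", None, False, {"*"}, 200),
    NHI("tok-agent-research", "token", "alice", False, {"docs:read", "iam:*"}, 1),
    NHI("cert-legacy-batch", "certificate", "ops", True, {"batch:run"}, 45, True, 9),
    NHI("key-old-rotated", "api_key", None, False, {"*"}, 400, False),
]
```

Running `prioritise(governance_gaps(INVENTORY))` puts the unowned, dormant, wildcard-scoped vendor key first, which is the credential a revocation workflow should close before any certification cycle is tuned.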
Key takeaways
- Identity governance is failing where lifecycle models still assume human-paced access review and clean ownership.
- The evidence points to a widening control gap across non-human identities, autonomous systems, and over-privileged access paths.
- Practitioners need unified visibility, revocation, and privilege controls that work across humans, machines, and agents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The post centers on machine identity visibility, ownership, and lifecycle failure. |
| NIST CSF 2.0 | PR.AC-4 | Identity access management and least privilege are central to the governance gap described. |
| NIST AI RMF | | Agentic AI governance requires accountable oversight of autonomous behaviour and runtime action. |
Map access review and revocation to PR.AC-4 and verify that entitlement changes are actually removed.
Key terms
- Identity Governance And Administration: Identity Governance and Administration is the control discipline that manages who or what gets access, how that access is reviewed, and when it is removed. In practice, it combines lifecycle workflows, entitlement visibility, certifications, and audit evidence across human, machine, and increasingly autonomous identities.
- Non-Human Identity: A non-human identity is any machine or software identity used to authenticate and act on systems, such as service accounts, API keys, tokens, certificates, or workload identities. These identities often outnumber human users and require lifecycle, privilege, and ownership controls that are separate from employee access management.
- Agentic AI Identity: Agentic AI identity refers to the access and governance model for AI systems that can decide actions, choose tools, and execute without a human approval gate. The key issue is not just authentication, but whether the organisation can constrain runtime behaviour, delegation, and privilege scope.
- Identity Blast Radius: Identity blast radius is the potential reach of harm when one identity is over-privileged, misgoverned, or compromised. It is a practical way to describe how far a credential can move across systems, data, and workflows before controls detect, contain, or revoke it.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Omada Identity: analyst reports on identity governance, NHI, and agentic AI risk. Read the original.
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org