TL;DR: Omada’s 2026 State of Identity Governance report, based on research with 577 identity, IAM, and cybersecurity leaders, finds that non-human identities often outnumber human identities by 50:1 or more while 85% of organisations are already using or piloting agentic AI. The governance problem is not adoption itself, but the gap between executive confidence and leading indicators such as privileged coverage, orphaned accounts, and revocation timing.
At a glance
What this is: Omada’s identity governance report says NHI growth and agentic AI adoption are outpacing the metrics and controls leaders use to manage them.
Why it matters: IAM teams need to shift from reporting activity to measuring exposure because scale, ownership, and accountability are diverging faster than current governance models can track.
By the numbers:
- Non-human identities now outnumber human identities in most organisations, often by factors of 50:1 or more.
Context
Identity governance is failing where scale has moved beyond human-paced review cycles. As non-human identities multiply and agentic AI enters production workflows, organisations can no longer rely on reporting that mainly tracks provisioning speed, audit readiness, or incident counts. The core question is whether current identity governance programmes can actually see risk before it becomes a breach or compliance failure.
Omada’s report shows a familiar pattern across NHI, AI agent, and human identity programmes: confidence is high, but the measurements are shallow. Ownership is spread across teams, executive visibility is skewed toward operational activity, and the controls that matter most, such as privilege coverage, orphaned accounts, and time to revoke access, are not consistently tracked.
That creates a governance blind spot, not just a tooling gap. When Zero Trust is nearly universal but visibility remains fragmented, identity teams need a model that connects lifecycle, access, and ownership across human users, service identities, and emerging agentic systems.
Key questions
Q: How should teams measure whether identity governance is actually reducing risk?
A: Track exposure, not just activity. The most useful indicators are privileged access coverage, orphaned identities, time to revoke access, and ownership completeness. If reporting only shows provisioning volume, audit completion, or incident counts, it may describe operational motion without revealing whether access is becoming safer.
Q: Why do non-human identities create governance problems at scale?
A: Because volume changes the governance unit. When NHI populations dwarf human identities, manual ownership tracking, exception handling, and periodic reviews stop being reliable enough to prevent privilege creep. At that point, teams need population-level governance, not ad hoc account-by-account oversight.
Q: What do organisations get wrong about agentic AI identity controls?
A: They often assume policy language equals enforcement. Unique identities and rotating credentials may exist on paper, but the real test is whether agentic systems are bound to verifiable runtime identity, constrained actions, and auditable ownership in production.
Q: Who is accountable when identity governance metrics do not reflect real exposure?
A: Accountability sits with the identity, security, and platform owners who define the measurement model, not just the teams operating the tools. If leadership reports only output metrics, they are accountable for the blind spot. Governance needs named ownership for both the identities and the indicators used to judge them.
Technical breakdown
Why identity metrics matter more than activity metrics
Identity governance programmes often over-index on throughput because provisioning, audit completion, and incident counts are easy to report. Those figures describe operational motion, not exposure. The more useful control signals are ownership, privileged access coverage, orphaned identity counts, and revocation time because they show whether governance can still constrain access after identities proliferate. In environments where automation creates thousands of machine identities, reporting that ignores exposure density gives leaders a false sense of control.
Practical implication: replace activity-only dashboards with exposure metrics that show where access is persistent, unowned, or slow to revoke.
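To make the distinction concrete, here is an added example (not code from Omada or the NHIMG) that computes both kinds of figures over a small constructed identity inventory. The schema, identity kinds and thresholds (90 days dormancy) are assumptions for the example; the point is that the activity counters look healthy while the exposure indicators from the passage above, privileged coverage, orphaned identities, ownership completeness and time to revoke, expose the real position.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample inventory. The schema (field names, identity kinds) is an
# assumption for this example, not Omada's or any IGA product's data model.
@dataclass
class Identity:
    name: str
    kind: str                       # "human", "service_account", "api_key", "ai_agent"
    owner: Optional[str]            # None = no named owner
    privileged: bool                # holds high-risk entitlements
    governed: bool                  # owner, approval, monitoring and review all in place
    created: date
    last_used: Optional[date]
    deprovision_requested: Optional[date] = None
    revoked: Optional[date] = None

    @property
    def active(self) -> bool:
        return self.revoked is None


INVENTORY = [
    Identity("ci-deploy-bot", "service_account", "platform-team", True, True,
             date(2025, 6, 1), date(2026, 2, 9)),
    Identity("legacy-backup-svc", "service_account", None, True, False,
             date(2023, 3, 15), date(2025, 4, 2)),
    Identity("analytics-api-key", "api_key", "data-eng", False, True,
             date(2025, 11, 20), date(2026, 2, 1)),
    Identity("support-agent-llm", "ai_agent", None, True, False,
             date(2026, 1, 15), date(2026, 2, 10)),
    Identity("billing-agent-llm", "ai_agent", "finance-platform", True, True,
             date(2026, 1, 20), date(2026, 2, 10)),
    Identity("contractor-jdoe", "human", "eng-manager", False, True,
             date(2025, 9, 1), date(2026, 1, 5),
             deprovision_requested=date(2026, 1, 10), revoked=date(2026, 1, 12)),
    Identity("old-webhook-token", "api_key", "web-team", False, False,
             date(2024, 7, 1), date(2025, 10, 1),
             deprovision_requested=date(2026, 1, 20)),
    Identity("vendor-integration-key", "api_key", None, True, False,
             date(2025, 12, 5), date(2026, 2, 8),
             deprovision_requested=date(2025, 12, 30), revoked=date(2026, 1, 29)),
]


def activity_metrics(inventory, period_start: date) -> dict:
    """Throughput figures of the kind activity-only dashboards report."""
    return {
        "provisioned_in_period": sum(1 for i in inventory if i.created >= period_start),
        "revoked_in_period": sum(1 for i in inventory
                                 if i.revoked is not None and i.revoked >= period_start),
    }


def exposure_metrics(inventory, as_of: date, dormant_days: int = 90) -> dict:
    """Leading indicators: who owns access, how much sensitive access is
    contained, and how quickly access goes away once it should."""
    active = [i for i in inventory if i.active]
    privileged = [i for i in active if i.privileged]
    orphaned = [i.name for i in active if i.owner is None]
    dormant = [i.name for i in active
               if i.last_used is None or (as_of - i.last_used).days > dormant_days]
    completed = [(i.revoked - i.deprovision_requested).days for i in inventory
                 if i.deprovision_requested and i.revoked]
    pending = [(as_of - i.deprovision_requested).days for i in active
               if i.deprovision_requested]
    return {
        "privileged_coverage": (sum(1 for i in privileged if i.governed) / len(privileged)
                                if privileged else 1.0),
        "ownership_completeness": (len(active) - len(orphaned)) / len(active) if active else 1.0,
        "orphaned_count": len(orphaned),
        "orphaned": orphaned,
        "dormant_count": len(dormant),
        "median_days_to_revoke": median(completed) if completed else None,
        "pending_revocations": len(pending),
        "oldest_pending_days": max(pending) if pending else 0,
    }


if __name__ == "__main__":
    as_of = date(2026, 2, 10)
    print("activity:", activity_metrics(INVENTORY, date(2026, 1, 1)))
    print("exposure:", exposure_metrics(INVENTORY, as_of))
```

Run against the sample data, the activity view shows two identities provisioned and two revoked in the period, which reads as steady state. The exposure view shows only half of active privileged identities governed, two active identities with no owner, two dormant identities still live, and a revocation request open for three weeks. Those are the figures a leadership report needs to carry.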
How agentic AI changes identity governance assumptions
Agentic AI introduces runtime decision-making into identity governance because the actor can initiate actions, select tools, and pursue tasks in ways that do not fit static approval models. That matters because unique identities and rotating credentials, while necessary, do not by themselves solve the governance problem if leaders still assume they can review access after the fact. Once access is created, used, and discarded at machine speed, the control model has to account for execution, not just entitlement.
Practical implication: govern agentic systems as active identities with lifecycle, ownership, and monitoring requirements, not as ordinary applications.
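The following added example (not code from Omada or the NHIMG) shows what "accounting for execution, not just entitlement" looks like in practice: a short-lived agent identity that carries a named owner and a bounded tool set, verified at the moment of each action by a gateway that also writes an audit record. The signing scheme (HMAC over canonical JSON), the claim names, the gateway class and the tool names are all assumptions for the illustration, not any product's API.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed shared secret between issuer and gateway; constructed for the demo.
DEMO_SECRET = b"constructed-demo-secret"


def _canonical(claims: dict) -> bytes:
    # Deterministic encoding so issuer and gateway sign identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_agent_identity(secret: bytes, agent_id: str, owner: Optional[str],
                         allowed_tools, ttl_seconds: int, now: int) -> dict:
    """Mint a short-lived runtime identity for an agent. The claims carry the
    named owner and the bounded set of tools the agent may invoke."""
    claims = {"agent_id": agent_id, "owner": owner,
              "allowed_tools": sorted(allowed_tools), "exp": now + ttl_seconds}
    sig = hmac.new(secret, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_agent_identity(secret: bytes, token: dict, now: int):
    """Return (claims, 'ok') when the identity is verifiable, else (None, reason)."""
    expected = hmac.new(secret, _canonical(token["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None, "bad_signature"
    if token["claims"]["exp"] <= now:
        return None, "expired"
    if not token["claims"].get("owner"):
        return None, "no_owner"          # unowned agents are ungoverned by definition
    return token["claims"], "ok"


class ActionGateway:
    """Every tool call passes through here: the identity is checked at the
    moment of execution, the action is checked against the bounded tool set,
    and the decision is recorded together with the owner for later review."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.audit = []

    def authorize(self, token: dict, tool: str, now: int) -> bool:
        claims, reason = verify_agent_identity(self.secret, token, now)
        if claims is None:
            decision = "deny"
        elif tool not in claims["allowed_tools"]:
            decision, reason = "deny", "tool_not_permitted"
        else:
            decision, reason = "allow", "ok"
        self.audit.append({
            "agent_id": token["claims"].get("agent_id"),
            "owner": token["claims"].get("owner"),
            "tool": tool, "decision": decision, "reason": reason, "at": now,
        })
        return decision == "allow"


def demo() -> dict:
    """Constructed walk-through: one agent, four attempted actions."""
    gw = ActionGateway(DEMO_SECRET)
    t0 = 1_770_000_000  # arbitrary epoch seconds
    token = issue_agent_identity(DEMO_SECRET, "support-agent-llm", "support-platform",
                                 ["ticket.read", "ticket.comment"], ttl_seconds=300, now=t0)
    results = {
        "allowed_tool": gw.authorize(token, "ticket.read", t0 + 10),
        "unlisted_tool": gw.authorize(token, "refund.issue", t0 + 20),
        "after_expiry": gw.authorize(token, "ticket.read", t0 + 301),
    }
    # Claims edited after issuance no longer match the signature.
    tampered = {"claims": dict(token["claims"], allowed_tools=["refund.issue"]),
                "sig": token["sig"]}
    results["tampered_claims"] = gw.authorize(tampered, "refund.issue", t0 + 30)
    return {**results, "audit": gw.audit}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The entitlement ("this agent may read and comment on tickets") is fixed at issuance; the control that matters is that every execution re-verifies the identity, enforces the boundary and leaves an owner-attributed record, so a five-minute identity cannot be reused after it lapses and an expanded tool list cannot be smuggled in without re-issuance.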
Zero Trust without unified visibility becomes fragmented enforcement
Zero Trust depends on continuous verification, but verification is only as good as the identity signals feeding it. The report points to interoperability problems across identity and security platforms, which means organisations may have many controls but still lack a unified view of entitlement, ownership, and revocation status. In practice, that produces local enforcement and global blind spots, especially when NHI sprawl crosses cloud, SaaS, and AI workflows.
Practical implication: align identity data across IGA, PAM, and security tooling so Zero Trust decisions are based on the same authoritative identity record.
NHI Mgmt Group analysis
Identity governance has become a continuous exposure-management problem, not a compliance reporting exercise. The report’s central signal is that organisations are measuring what is easiest to count, not what actually predicts identity risk. Provisioning speed and incident totals do not tell leaders whether identities are owned, constrained, or recoverable. The implication is that identity governance now has to be judged by exposure reduction, not administrative output.
50:1 NHI scale changes the governance unit from account to population. When non-human identities outnumber people by that margin, ownership and accountability can no longer be managed through team-by-team exception handling. That scale also means orphaned accounts and untracked privileges become systemic, not edge cases. Practitioners should treat NHI sprawl as a population-control problem, not an isolated access-review problem.
Governance expectations for AI agents are ahead of operational reality. The report says executives are more likely than practitioners to believe stronger controls such as unique identities and rotating credentials are in place for AI agents. That mismatch is a governance signal in itself: policy intent is not the same as enforceable control. The implication is that AI agent governance must be validated against actual execution paths, not executive narratives.
Zero Trust is only as strong as the identity telemetry underneath it. Near-universal adoption does not eliminate fragmentation when identity and security platforms cannot produce a shared view. This is where the identity governance model and the Zero Trust model intersect: verification, least privilege, and continuous monitoring all depend on authoritative identity data. Practitioners should regard visibility gaps as control failures, not just reporting limitations.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- In the same research, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly identity governance breaks when delegated access is outside direct control.
- For a broader view of lifecycle failure modes, see the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for how ownership, rotation, and offboarding should be structured.
What this signals
NHI visibility debt: When identity teams cannot reliably see orphaned accounts, privilege coverage, or revocation timing, they are carrying a governance liability that accumulates faster than audit cycles can clear it. That makes lifecycle discipline and telemetry quality more important than headline adoption numbers.
The report’s findings suggest that AI agent programmes will be judged less by deployment velocity and more by whether their identities are governable at runtime. If security teams cannot prove where agentic access begins and ends, confidence will outpace control.
For practitioners, the next step is not another dashboard. It is a shared identity record that ties ownership, entitlement, and revocation status together across IGA, PAM, and Zero Trust operations.
For practitioners
- Rebuild executive reporting around exposure indicators: Replace vanity metrics with leading indicators such as privileged access coverage, orphaned account counts, and time to revoke access. Those measures show whether identity governance is actually reducing blast radius across NHI, AI agent, and human identities.
- Map ownership for every non-human identity: Require a named business or technical owner for each service account, API key, token, certificate, and AI agent identity. If accountability is shared across teams, the identity is effectively ungoverned even when it appears in inventory.
- Validate AI agent controls against real runtime behaviour: Check whether unique identities, credential rotation, and access boundaries exist only in policy or are enforced in production workflows. If agentic systems can act without a verifiable identity record, governance is aspirational rather than operational.
- Unify identity telemetry across IGA, PAM, and security platforms: Establish one authoritative identity view for entitlement, lifecycle state, and revocation status so Zero Trust decisions use consistent data. Fragmented tooling makes it easy to report compliance while missing exposed accounts and stale privileges.
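The second and fourth steps above amount to one join: pull the IGA lifecycle record, the PAM vaulting record and the security telemetry for the same identity name into a single authoritative record, then flag every place the sources disagree. Here is an added example of that reconciliation (not code from Omada, the NHIMG or any IGA/PAM vendor). The three feeds, their field names and the catalogue of privileged entitlements are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed feeds from three sources. Field names are assumptions for this
# example, not any vendor's export format.

# IGA feed: lifecycle state, owner and entitlements per identity.
IGA = {
    "ci-deploy-bot":     {"owner": "platform-team", "state": "active",
                          "entitlements": ["prod-deploy"]},
    "legacy-backup-svc": {"owner": None, "state": "active",
                          "entitlements": ["prod-db-admin"]},
    "contractor-jdoe":   {"owner": "eng-manager", "state": "revoked",
                          "entitlements": ["repo-read"]},
    "analytics-api-key": {"owner": "data-eng", "state": "active",
                          "entitlements": ["warehouse-read"]},
}

# PAM feed: identities whose credentials are vaulted and rotated.
PAM = {
    "ci-deploy-bot": {"vaulted": True, "rotation_days": 30},
}

# Security telemetry: identities seen authenticating in the last 30 days.
OBSERVED_AUTHENTICATING = {
    "ci-deploy-bot", "legacy-backup-svc", "contractor-jdoe", "etl-scratch-key",
}

# Constructed catalogue of entitlements treated as privileged.
PRIVILEGED_ENTITLEMENTS = {"prod-deploy", "prod-db-admin"}


@dataclass
class IdentityRecord:
    name: str
    owner: Optional[str] = None
    lifecycle_state: str = "unknown"      # active / revoked / unknown
    privileged: bool = False
    pam_vaulted: bool = False
    observed_active: bool = False
    findings: list = field(default_factory=list)


def build_authoritative_view(iga, pam, observed, privileged_entitlements) -> dict:
    """Join the three feeds on identity name into one record per identity and
    attach a finding wherever the sources disagree about governance state."""
    names = set(iga) | set(pam) | set(observed)
    view = {}
    for name in sorted(names):
        rec = IdentityRecord(name)
        g = iga.get(name)
        if g is not None:
            rec.owner = g["owner"]
            rec.lifecycle_state = g["state"]
            rec.privileged = any(e in privileged_entitlements for e in g["entitlements"])
        rec.pam_vaulted = pam.get(name, {}).get("vaulted", False)
        rec.observed_active = name in observed

        if g is None:
            rec.findings.append("not_in_iga")             # authenticating, never onboarded
        else:
            if rec.owner is None and rec.lifecycle_state == "active":
                rec.findings.append("no_owner")
            if rec.privileged and rec.lifecycle_state == "active" and not rec.pam_vaulted:
                rec.findings.append("privileged_without_pam")
            if rec.lifecycle_state == "revoked" and rec.observed_active:
                rec.findings.append("revoked_but_still_authenticating")
        view[name] = rec
    return view


def ungoverned(view: dict) -> list:
    """Names of identities with at least one finding, for the exposure report."""
    return sorted(n for n, r in view.items() if r.findings)


if __name__ == "__main__":
    v = build_authoritative_view(IGA, PAM, OBSERVED_AUTHENTICATING, PRIVILEGED_ENTITLEMENTS)
    for name in ungoverned(v):
        print(name, v[name].findings)
```

Each of the three sources on its own reports clean: IGA has no unowned human accounts, PAM has every onboarded credential rotated, the log feed shows only successful authentications. Only the joined record shows the privileged service account with no owner and no vault, the revoked contractor still authenticating, and a key that was never onboarded at all.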
Key takeaways
- The report shows a widening gap between identity activity and identity risk, with governance metrics lagging behind real exposure.
- Scale is the forcing function, because NHI populations and agentic AI adoption are already outpacing human-centred review models.
- Practitioners should move reporting toward ownership, privilege coverage, and revocation speed so identity governance reflects actual control, not administrative output.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The report highlights ownership gaps and poor visibility across fast-growing NHI populations. |
| NIST CSF 2.0 | PR.AC-4 | Identity reporting should prove access is authorized, bounded, and revocable across systems. |
| NIST Zero Trust (SP 800-207) | GV.AT-01 | Zero Trust depends on authoritative identity data, which the report says is fragmented. |
Use a shared identity record so Zero Trust decisions reflect consistent entitlement and ownership data.
Key terms
- Non-Human Identity: A non-human identity is any machine or software identity used to authenticate and authorize work on behalf of a system, service, or process. It includes service accounts, API keys, tokens, certificates, bots, workloads, and AI agents when they act independently in production.
- Identity Governance: Identity governance is the discipline of defining, reviewing, and proving who or what should have access, why it has it, and when that access should end. In practice, it combines lifecycle control, ownership, certification, and evidence generation across human and non-human identities.
- Privileged Access Coverage: Privileged access coverage is the proportion of high-risk identities and entitlements that are governed by explicit controls such as ownership, approval, monitoring, and review. It is a better risk indicator than raw account counts because it shows how much sensitive access is actually contained.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Omada Identity: State of Identity Governance 2026 report. Read the original.
Published by the NHIMG editorial team on 2026-02-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org