IT consolidation, zero trust, and AI identity risks are converging

At a glance

What this is: JumpCloud’s Q3 2025 IT Trends Report says IT consolidation, zero trust, and AI governance are colliding, with only 19% reporting full IT unification.

Why it matters: This matters because IAM, NHI, and autonomous governance teams now have to treat operational simplification, visibility, and identity control as one programme rather than separate initiatives.

By the numbers:

• Only 19% have achieved full IT unification.
• IT professionals said the top three benefits of IT consolidation were an improved user experience (55%), increased job satisfaction among IT staff (54%), and a better focus on strategic work (51%).
• JumpCloud surveyed 828 IT leaders in the U.S. and U.K. at a 50/50 split.

👉 Read JumpCloud's Q3 2025 IT Trends Report on IT consolidation, Zero Trust, and AI risk

Context

IT consolidation is the effort to reduce fragmented identity, device, and access tooling into a smaller, more governable operating model. In this report, the real issue is not consolidation for its own sake, but the gap between what IT teams need to control and what fragmented environments let them see, review, and enforce across human users, non-human identities, and AI systems.

That gap matters because unification, zero trust, and AI governance are now converging into the same programme pressure. When access, policy, and visibility are split across tools, teams lose the ability to reason cleanly about privilege scope, review cycles, and the trust assumptions behind machine and agent access.

The article’s starting point is typical for mid-market IT: enough complexity to create governance drag, but not enough centralisation to absorb it cleanly. That makes the findings relevant beyond one vendor’s platform story, because the control problem is structural.

Key questions

Q: How should teams reduce identity risk when IT environments stay fragmented?

A: Start by identifying every place where access can be granted, changed, or revoked, then remove duplicate approval paths and orphaned controls. The objective is not tool reduction alone, but a governable identity path that covers human users, service accounts, and AI-connected workloads without gaps between systems.

Q: Why do fragmented IT environments make zero trust harder to enforce?

A: Zero trust depends on continuous verification across a complete access path. Fragmentation breaks that path into disconnected tools, which makes it harder to prove who or what is authenticated, authorised, and still in scope. The result is policy on paper without consistent enforcement in operations.

Q: How do security teams govern AI systems that use internal credentials?

A: Treat them as identity-bearing workloads with named owners, explicit access boundaries, and reviewable entitlements. Give them only the minimum reach needed for the task, then review their access as lifecycle-managed identity rather than as a one-off integration.

Q: What should organisations measure to know if identity consolidation is working?

A: Measure whether teams can answer access questions faster, trace entitlements across fewer systems, and reduce the number of exceptions that exist only because controls are split apart. If governance still depends on manual reconciliation, consolidation has not yet produced real control improvement.

Technical breakdown

IT unification and identity governance

IT unification is not just tool reduction. It is the process of bringing identity, device, access, and policy enforcement into a model that can be governed consistently. In fragmented environments, access reviews, policy exceptions, and privilege assignment often live in separate systems, which makes it harder to maintain a reliable view of who or what has access. For NHI and AI-heavy environments, that fragmentation is especially dangerous because credentials and workloads often outlive the operational context that created them.

Practical implication: map where identity decisions are made today and remove duplicate control points that block end-to-end visibility.

Zero trust visibility for human and machine access

Zero trust depends on continuous verification, but verification is only useful when teams can see the full access path. If identity, device, and application access are handled separately, the organisation may have zero trust language without zero trust execution. That creates blind spots for both humans and non-human identities, especially where service accounts, tokens, and administrative workflows are spread across multiple control planes. Visibility becomes the prerequisite control, not a reporting afterthought.

Practical implication: consolidate the telemetry needed to validate access decisions across human and non-human identities.

AI adoption is turning NHI governance into a core IT control

The report frames AI as an operational frontier because it introduces new identity subjects that do not behave like employees or classic service accounts. AI systems can interact with internal tools, integrate with sensitive systems, and create misuse paths that look normal until they are abused. That raises the governance bar for secrets handling, least privilege, and approval boundaries. The key technical point is that AI does not remove the need for identity control, it increases the number of identities that need disciplined control.

Practical implication: treat AI-connected systems as identity-bearing workloads and review their access paths with the same discipline as other privileged entities.

NHI Mgmt Group analysis

IT consolidation is now an identity security problem, not just an operations problem. When only 19% of organisations have fully unified IT, the control surface is still too fragmented for reliable identity governance. That fragmentation matters across human IAM, NHI security, and AI governance because access decisions lose consistency when the evidence is split across tools. Practitioners should read consolidation as a control architecture decision, not a procurement preference.

AI adoption is expanding the NHI population faster than most governance programmes can describe it. The article’s AI findings show that the identity perimeter now includes workloads, integrations, tokens, and AI-connected systems that behave like operational actors rather than passive software. Existing IAM models were built for more stable subjects and cleaner ownership lines. Practitioners need to reframe AI not as a feature layer, but as a source of identity sprawl that changes entitlement management.

Zero trust fails operationally when visibility is incomplete at the identity layer. You cannot continuously verify what you cannot consistently observe, and fragmented IT makes that a recurring governance weakness. The report’s message is that user experience, staff satisfaction, and strategic focus all improve when access control is simplified, but the security value comes from making policy enforceable across every identity type. The implication is straightforward: separate control planes create separate trust assumptions.

Unified identity control is becoming the only viable way to keep human, machine, and agent access governable at scale. The report points to the broader market direction: organisations want flexible systems, not monoliths, but they also need a common governance layer. That tension is where modern identity programmes are heading. The practitioner conclusion is to design for unified enforcement even when the underlying platforms remain diverse.

Identity blast radius is the right concept for this report’s core risk. Fragmented IT increases the number of places where privilege can be issued, forgotten, or mis-scoped. Once AI systems and NHIs enter that environment, the blast radius is no longer limited to human access mistakes. The implication is that teams should measure governance by how far identity drift can propagate, not by how many tools they own.

From our research:

• Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to the 2026 Infrastructure Identity Survey.
• 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which is why old lifecycle assumptions are already under strain.
• For the governance model behind that shift, see Ultimate Guide to NHIs , 2025 Outlook and Predictions for the broader identity direction.

What this signals

Identity consolidation is becoming the practical way to absorb AI governance pressure. JumpCloud’s findings point to a simple programme reality: if access, device, and policy controls remain scattered, the organisation will struggle to govern both human and non-human identities with any consistency. The response is not just fewer tools, but a cleaner identity operating model that shortens the path from decision to enforcement.

With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, the governance gap is structural. The problem is no longer whether AI is adopted, but whether access models still reflect how those systems behave at runtime. Teams should prepare for entitlement sprawl, not as a future risk, but as an immediate design constraint.

Identity blast radius will become the key metric for consolidation decisions. The next phase of IT unification is not about platform simplicity alone. It is about whether the organisation can keep human IAM, machine identity, and AI access inside one observable trust path. That is the measure that will separate cosmetic consolidation from genuine governance maturity.

For practitioners

• Inventory identity control points across the stack Map where authentication, authorisation, access review, and secrets handling occur across HR, IAM, PAM, cloud, and AI-connected systems. The goal is to find duplicate policy enforcement and blind spots where no single team can explain who granted access or why.
• Consolidate visibility before consolidating policy exceptions Bring logs, entitlement data, and workload access signals into a shared view so that review teams can trace human and non-human access in one place. Use that view to reduce exception handling that exists only because the system is fragmented.
• Classify AI-connected systems as identity-bearing workloads Assign ownership, access boundaries, and review cadence to every AI integration that can reach internal data or tools. Do not let AI access sit outside the same lifecycle and approval discipline used for service accounts and privileged automation.
• Measure governance by trust-path length and privilege drift Track how many systems must be consulted to answer a basic access question, and how often access outlives its original business justification. Shorter trust paths and lower drift are better indicators than tool count or policy volume.

Key takeaways

• JumpCloud’s report shows that consolidation, zero trust, and AI governance are now one control problem, not three separate ones.
• Only 19% of organisations have fully unified IT, which leaves most teams trying to govern access across fragmented control planes.
• The practical response is to unify identity visibility and enforcement before AI and NHI sprawl make governance even harder to contain.

Key terms

• IT unification: IT unification is the consolidation of identity, device, access, and policy controls into a more consistent operating model. It does not mean one product for everything. It means fewer disconnected control points, clearer ownership, and a better chance of enforcing access decisions across human and non-human identities.
• Identity blast radius: Identity blast radius is the amount of damage that can spread when access is mis-scoped, forgotten, or abused. In fragmented environments, it grows because each system can create its own trust assumption. For AI and NHI programmes, it is a practical measure of how far a control failure can propagate.
• Identity-bearing workload: An identity-bearing workload is any non-human system that can authenticate, hold credentials, or reach other systems with meaningful access. This includes service accounts, tokens, integrations, and AI-connected systems. The key governance point is that these workloads need ownership, lifecycle handling, and review, not just technical connectivity.
• Zero trust visibility: Zero trust visibility is the ability to observe enough of the access path to verify it continuously. Without it, policy cannot be enforced consistently, especially when identities are spread across cloud, device, and application layers. Visibility is therefore a control prerequisite, not only an audit function.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by JumpCloud: Q3 2025 IT Trends Report. Read the original.