Legacy infrastructure is the bottleneck in agentic AI governance

At a glance

What this is: Legacy IT is creating a visibility and control gap as AI tools and automated agents spread through the enterprise.

Why it matters: IAM teams now have to govern human, NHI, and emerging autonomous access patterns against infrastructure that was not built for fast, cross-domain identity decisions.

By the numbers:

• 37% of IT professionals view unauthorized access by automated agents as a serious security threat.
• Over 50% of enterprises find legacy IT actively slows their ability to scale.
• 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

👉 Read JumpCloud’s analysis of legacy IT, AI adoption, and identity risk

Context

Legacy infrastructure becomes a governance problem when identity, device, and application controls cannot keep up with how work now moves across people, service accounts, and AI-enabled tools. In that environment, visibility gaps are not just operational friction, they are access control failures. The article frames 2026 as the point where agentic use cases collide with old IT foundations.

For IAM and security teams, the practical issue is not whether AI can operate faster than humans. It is whether the identity layer can still explain who or what has access, why it has it, and when that access should end. The article argues that static, fragmented, vendor-bound environments make those questions harder to answer, especially as departments adopt tools outside central oversight.

Key questions

Q: How should security teams govern AI tools and automated agents in legacy environments?

A: Start by treating AI tools and automated agents as identity subjects with scoped access, owners, and review cycles. Place them under the same access governance as service accounts and privileged users, then limit permissions to the smallest task boundary possible. If the environment cannot centralise those controls, the governance gap is already part of the risk.

Q: Why do legacy systems make AI governance harder for IAM teams?

A: Legacy systems fragment identity, device, and application control, which makes it difficult to see who or what has access at any moment. AI governance depends on timely attribution, clean entitlements, and consistent policy enforcement. When those basics are split across tools and teams, automated access can expand faster than review processes can contain it.

Q: What breaks when automated agents have more access than human workers?

A: The main failure is not just overprivilege, it is loss of proportionality. If an automated agent can reach more systems than the person doing the same job, the organisation has effectively assigned machine-speed blast radius to routine work. That creates higher exposure, weaker accountability, and more difficult incident containment.

Q: Who should be accountable when departmental AI tools access sensitive systems?

A: Accountability should sit with the business owner, the platform owner, and the identity team together, because no single group can explain the full access chain alone. The owner must justify the access, security must constrain it, and IAM must be able to attest it. Without that shared model, governance becomes symbolic rather than operational.

Technical breakdown

Why legacy identity foundations fail under agentic AI

Legacy identity foundations assume changes are relatively slow, centrally visible, and tied to human-paced workflows. Agentic AI and departmental automation break that pattern because tool use, data access, and privilege requests can occur across many systems without a single control point. Once identity, device, and SaaS administration are fragmented, the security team loses the ability to reason about the full access path. That is not just a tooling gap. It is a structural mismatch between modern runtime behaviour and old governance assumptions.

Practical implication: consolidate identity and device control so AI-enabled access can be reviewed in one place.

Model Context Protocol and Agent2Agent as identity integration layers

Protocols such as MCP and A2A are not security controls by themselves. They are interoperability layers that let AI systems and business tools exchange context and actions in a standard way. That makes governance more important, not less, because standardised connectivity can also standardise blast radius if permissions are too broad. Identity teams need to think about who authorises tool connections, how those permissions are scoped, and how downstream actions are attributed when a model calls multiple services in sequence.

Practical implication: treat protocol adoption as an access-governance decision, not just an integration project.

Why zero trust must extend to automated agents

Zero Trust only works when every requester, whether human or machine, is continuously evaluated against context, privilege, and device state. Automated agents complicate that model because they can operate at departmental speed and across multiple data sets without a human in the loop for every request. If access is granted once and then reused broadly, the organisation has created standing trust for non-human actors. That undermines the very assumption Zero Trust is meant to remove.

Practical implication: apply least privilege and stepwise authorisation to machine and AI access paths, not only to user logins.

Threat narrative

Attacker objective: The objective is to exploit fragmented governance so machine access can move through the environment with less oversight than human access.

1. Entry occurs when departments adopt AI tools and automation outside central visibility, creating unmanaged access paths into corporate data and applications.
2. Escalation follows when automated agents are given broad permissions or can move through multiple systems without a consolidated identity review.
3. Impact is loss of visibility and control over software and data movement, which increases the chance of privilege misuse, overexposure, and ungoverned AI-driven action.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Legacy identity tooling is the wrong control plane for agentic work. The article is really describing an identity governance failure, not just an IT modernization problem. When access decisions are split across legacy systems, AI tooling, and departmental shadow adoption, no single control plane can reliably answer who or what is acting. Practitioners should treat that fragmentation as the core risk surface, not the surrounding productivity story.

Model Context Protocol and A2A expand integration speed faster than governance maturity. Standardised agent-to-tool communication makes it easier for AI systems to reach data and services, but it also makes permission drift easier to hide. The security issue is not the protocol itself. It is the assumption that interoperability can outrun authorisation design. Teams need to re-evaluate how they scope and attest non-human access when tooling becomes conversational and multi-step.

Identity blast radius: legacy estates turn small access mistakes into enterprise-wide control failures. The article’s repeated warning about brittle foundations maps directly to blast radius, the distance a bad entitlement or unmanaged agent can travel before detection. This is where human IAM, NHI governance, and device trust converge. If the environment cannot contain an overbroad permission quickly, then the programme has already lost the ability to bound exposure.

Zero Trust is being tested by machine-speed access, not only by human users. The article’s strongest implication is that identity programmes now have to govern automated actors as first-class subjects. That means the old human assumption that access can be reviewed after the fact is no longer enough where tools and agents can act continuously. Practitioners should expect their Zero Trust model to be judged by how well it handles non-human execution paths.

Access review cadences were built for stable identities, not fluid agent behaviour. This is the assumption that is starting to break: access review presumes privilege persists long enough to be observed, certified, and remediated. When departments spin up AI tools quickly and inconsistently, the review window often arrives after the risk has already been absorbed into the environment. The implication is that governance must move from periodic oversight to continuous attribution and control.

From our research:

• 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
• Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
• That gap is why our OWASP Agentic AI Top 10 matters for teams rethinking access paths, tool use, and delegated execution.

What this signals

Identity blast radius is becoming the right way to read AI governance risk. When access expands faster than policy, the question is not whether AI is useful. It is how far a mis-scoped identity can move before anyone notices. The operational test is whether identity, device, and application governance can still shorten the distance between entitlement and containment.

With 44% of organisations already managing AI agents with dedicated policies and 92% saying governance is critical, the market is moving, but unevenly. The teams that will be least surprised by agentic adoption are the ones that bind identity, device posture, and access review together now, instead of letting each department define its own rules. Top 10 NHI Issues is the right lens for that work.

The next maturity step is not more AI access. It is better attribution and smaller trust zones for every non-human actor that can touch production. That is where NHI governance and Zero Trust start to overlap in practice, especially once protocols like MCP and A2A become common integration fabric.

For practitioners

• Map unmanaged AI and automation entry points Inventory departmental tools, scripted workflows, and AI assistants that can reach production data or applications without central approval. Tie each one to an accountable owner, a declared identity type, and a known access path.
• Unify identity and device governance Bring user, service account, and AI-access policy into one operational view so security teams can see privilege, device posture, and tool usage together. Use the same review process for every actor that can touch sensitive systems.
• Re-scope non-human permissions to the task boundary Reduce standing access for bots, scripts, and AI-enabled tools to the minimum required for the current function. Where possible, require stepwise approval or re-authentication before a tool reaches new systems or higher-risk data.
• Build fallback options before platform lock-in hardens Qualify more than one vendor for critical identity, device, and collaboration capabilities so a pricing or roadmap change does not freeze your governance model in place. Optionality matters when AI adoption accelerates.

Key takeaways

• Legacy infrastructure is now an identity governance liability because it cannot keep pace with AI-driven access and tool sprawl.
• JumpCloud’s cited data shows the scale of the problem, with 37% of IT professionals worried about automated-agent access and more than half of enterprises saying legacy IT slows scaling.
• The practical response is to unify identity control, scope non-human access tightly, and design for continuous oversight rather than periodic review.

Key terms

• Identity blast radius: The amount of systems, data, and workflows that can be reached when one identity is over-permissioned or mismanaged. In NHI and agentic environments, blast radius is the practical measure of how far a mistake can spread before controls detect, contain, or revoke it.
• Agentic access: Access used by software that can decide, sequence, and execute actions at runtime rather than simply following a fixed script. For governance, that means the access path can change during a session, so owners must track purpose, scope, and expiry continuously.
• Unified identity governance: A control approach that manages human users, service accounts, and AI-enabled actors in one policy and review model. It reduces fragmentation between identity systems, device management, and application permissions, which is where many modern access failures begin.

Deepen your knowledge

AI-enabled identity sprawl and non-human access governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are rebuilding access controls for departmental AI and legacy estates, it is worth exploring.

This post draws on content published by JumpCloud: legacy infrastructure, AI adoption, and identity governance in the agentic future. Read the original.