TL;DR: Legacy identity governance struggles when AI agents, machine identities, and cloud access change faster than periodic review cycles can see, according to SailPoint. Continuous governance, JIT access, and automated privilege discovery now define the practical baseline for teams trying to control non-human identity risk.
NHIMG editorial — based on content published by SailPoint: The next chapter of adaptive identity: From vision to market-leading reality
Questions worth separating out
Q: How should security teams govern AI agents and machine identities differently from human accounts?
A: They should treat AI agents and machine identities as runtime entities, not as periodic attestation records.
Q: Why do standing privileges create so much risk in non-human identity programmes?
A: Standing privilege creates risk because it leaves powerful access available long after the task that justified it is over.
Q: What should teams look for when privilege discovery is failing?
A: They should look for identities that appear low risk on paper but can reach sensitive systems through inherited roles, delegated access, or indirect routes.
Practitioner guidance
- Replace periodic certification with continuous governance checks Track entitlement changes for machine identities and AI agents as they happen, then trigger review when privilege expands rather than waiting for the next access review cycle.
- Collapse standing privilege into task-scoped elevation Use just-in-time access patterns for sensitive applications and infrastructure so high-risk privilege exists only for the duration of the approved task.
- Map indirect privilege paths in identity graphs Look beyond direct assignments and document inherited roles, delegated access, and hidden routes into sensitive systems before you rely on recertification evidence.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- Product-level description of the new AI agent connectors for Microsoft 365 Copilot and Google Gemini
- How SailPoint's Identity Graph visualises direct and indirect privilege pathways in practice
- The specific workflow changes behind the Harbor Pilot Access Request Agent
- The vendor's framing of how its lifecycle management capabilities are being extended for machine accounts
👉 Read SailPoint's analysis of adaptive identity for AI agents and machine identities →
Adaptive identity for AI agents and machines: what changes now?
Explore further
Adaptive identity is a response to governance lag, not a rebranding exercise. Traditional IAM assumes access can be granted, reviewed, and removed on human time. That assumption fails when machine identities and AI agents can change privilege on demand and disappear before the next certification cycle. The implication is that governance models built around periodic proof no longer describe the real state of access.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which shows the governance model is already changing.
A question worth separating out:
Q: Who is accountable when machine identities retain access after they should be retired?
A: Accountability usually sits across IAM, platform, and application owners, but the control failure is governance not ownership alone. If decommissioning is not tied to the same lifecycle record that granted access, the identity outlives its purpose. That is why offboarding must be an enforced state change, not a manual follow-up.
👉 Read our full editorial: Adaptive identity and AI agents are reshaping identity governance