
Agent sprawl and runtime access control: are IAM controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2239
Topic starter  

TL;DR: Agent user identities are scaling far faster than human ones, with Gartner projecting agentic AI in 33% of enterprise applications by 2028 and 50x to 80x more agents than users, according to Strata Identity. Static IAM assumptions break when agents reason and act at runtime, making task-scoped, ephemeral access the only containment model that matches their speed.

NHIMG editorial — based on content published by Strata Identity: agent sprawl and AI identity governance

By the numbers:

Questions worth separating out

Q: How should security teams handle agent sprawl in enterprise environments?

A: Start by treating every AI agent as a governed identity subject with its own lifecycle, credential path, and access scope.

Q: Why do agentic workflows break traditional IAM assumptions?

A: Traditional IAM assumes identities are relatively stable and can be reviewed on a human cadence.

Q: What do security teams get wrong about OAuth scopes for AI agents?

A: Teams often grant broad scopes to make an agent work quickly, then assume later review will contain the risk.

Practitioner guidance

  • Audit every agent-issued credential path: map API keys, OAuth tokens, service accounts, and certificates used by agents, then identify where the same identity is reused across multiple applications or teams.
  • Replace standing access with task-scoped grants: issue permissions only for a single workflow or tool invocation, and require automatic expiry when the task finishes so access does not persist for reuse.
  • Route all agent tool access through a governed identity layer: block direct connectors and shadow integrations that bypass policy enforcement, then require every agent request to pass through the sanctioned control plane.

What's in the full article

Strata Identity's full post covers the operational detail this analysis intentionally leaves for the source:

  • Identity fabric architecture for routing every agent request through a consistent control plane
  • AI Identity Gateway behaviour for downscoping tokens before an agent touches a resource
  • Continuous Access Evaluation and identity simulation testing for runtime enforcement
  • Practical guidance on avoiding custom integrations that create agent credential sprawl

👉 Read Strata Identity's analysis of agent sprawl and AI identity governance →
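As an added illustration of the task-scoped, ephemeral access model the post describes (this is not code from Strata Identity or NHIMG), the Python sketch below models a hypothetical control plane that issues grants bound to one task and one tool, refuses wildcard scopes, checks every tool call, and drops the grants when the task finishes. The class names, grant fields and signing key are constructed assumptions.

```python
import hashlib, hmac, json, secrets, time
from dataclasses import dataclass

# Constructed signing key; a real control plane would hold its own key material.
SIGNING_KEY = secrets.token_bytes(32)

@dataclass(frozen=True)
class Grant:
    agent: str         # the agent identity subject
    task_id: str       # the single workflow this grant is bound to
    tool: str          # the one tool invocation it permits
    scope: str         # least-privilege scope for that tool
    expires_at: float  # hard expiry, independent of task completion
    mac: str           # control-plane signature over the fields above

def _sign(agent, task_id, tool, scope, expires_at):
    body = json.dumps([agent, task_id, tool, scope, expires_at]).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

class ControlPlane:
    """Hypothetical governed identity layer: issues, enforces and revokes grants."""
    def __init__(self):
        self.active = {}  # mac -> Grant; entries vanish when the task finishes
        self.audit = []   # credential-path trail: (agent, tool, scope, outcome)

    def issue(self, agent, task_id, tool, scope, ttl_s=60):
        if scope.endswith("*"):  # refuse broad scopes granted "to make it work"
            raise ValueError("wildcard scope refused; request a task-specific scope")
        expires_at = time.time() + ttl_s
        g = Grant(agent, task_id, tool, scope, expires_at,
                  _sign(agent, task_id, tool, scope, expires_at))
        self.active[g.mac] = g
        self.audit.append((agent, tool, scope, "issued"))
        return g

    def authorize(self, g, tool, task_id, now=None):
        """Every tool call passes through here; there is no direct connector path."""
        now = time.time() if now is None else now
        expected = _sign(g.agent, g.task_id, g.tool, g.scope, g.expires_at)
        checks = [("forged", not hmac.compare_digest(expected, g.mac)),
                  ("revoked", g.mac not in self.active),
                  ("expired", now > g.expires_at),
                  ("wrong-task-or-tool", (g.tool, g.task_id) != (tool, task_id))]
        outcome = next(("denied:" + why for why, failed in checks if failed), "allowed")
        self.audit.append((g.agent, tool, g.scope, outcome))
        return outcome == "allowed"

    def finish_task(self, task_id):
        """Automatic expiry when the task finishes: drop every grant bound to it."""
        for mac in [m for m, g in self.active.items() if g.task_id == task_id]:
            del self.active[mac]
```

The audit list doubles as the credential-path inventory the first guidance bullet asks for: every issuance and every allow/deny decision is recorded against the agent and tool.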

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 742

Agent sprawl is now an identity governance problem, not an AI experimentation problem. The article’s core finding is that every new agent creates a credential path, an access path, and a review burden that classic IAM never sized for. That means security teams are no longer managing a tooling subset; they are managing a new identity population with machine-speed growth. The practitioner conclusion is straightforward: agent governance must be designed as part of identity architecture, not bolted on after deployment.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: How do organisations stop agents from bypassing identity governance controls?

A: They need to eliminate direct access paths that sit outside the policy layer, including shadow connectors and ad hoc integrations. Every agent request should be forced through the governed identity layer so the organisation keeps intent, policy enforcement, and auditability intact. If those signals are missing, governance is already incomplete.

👉 Read our full editorial: Agent sprawl is breaking identity governance for autonomous systems
