Agentic AI and identity governance: what changes for IAM teams?


(@nhi-mgmt-group)

TL;DR: BCG's Build for the Future 2025 report says only 5% of companies are generating substantial value from AI, with leaders seeing twice the revenue growth and 40% greater cost reductions, while agentic AI already represents 17% of AI value in 2025 and is projected to reach 29% by 2028 according to the source article. The governance problem is no longer whether AI is useful, but whether identity, access, and accountability controls can keep pace with autonomous workflow execution.

NHIMG editorial — based on content published by Opnova: The 5% Club, Why Agentic AI Is the Dividing Line Between Leaders and Left-behinds

By the numbers:

Questions worth separating out

Q: How should security teams govern autonomous AI agents in production workflows?

A: Treat autonomous agents as governed actors, not just applications.

Q: Why do agentic AI systems create more identity risk than conventional automation?

A: Conventional automation follows a pre-set script, so its access can be reviewed against a known path.

Q: What breaks when an AI system can choose tools and actions on its own?

A: What breaks is the assumption that access can be safely provisioned once and reviewed later.

Practitioner guidance

  • Classify every agent by operational authority: Separate passive assistants, bounded workflow automations, and autonomous agents that can initiate actions without human approval.
  • Bind agent permissions to task scope and data class: Limit tool use, data access, and downstream actions to explicitly authorised workflow scopes.
  • Require named accountability for each agentic workflow: Assign a business owner, an operational owner, and an incident responder for every agent that can trigger business-impacting actions.

What's in the full article

Opnova's full blog covers the operational detail this post intentionally leaves for the source:

  • The article's full AI value discussion, including how BCG frames the 5% of companies leading on value capture.
  • The composable AI agent angle and how Opnova positions workflow automation across disconnected applications.
  • The business transformation framing behind the 10-20-70 rule and how teams are expected to act on it.
  • The vendor's product context for identity governance in disconnected applications, which this post does not evaluate.

👉 Read Opnova's analysis of why agentic AI is widening the AI value gap →

(@mr-nhi)

Agentic AI is not just another automation layer; it is a governance break from human-paced access control. The article's core claim is really about value creation, but the identity implication is stronger: autonomous systems alter how access is initiated, combined, and consumed. That makes existing IAM and NHI assumptions about stable sessions and predictable action paths less reliable. Practitioners should read this as a shift from application access to behaviour governance.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity governance still fails at the point of control.

A question worth separating out:

Q: Who is accountable when an autonomous agent causes a business or security incident?

A: Accountability should sit with the business owner of the workflow, not with the model alone. The organisation needs a named owner for authorisation, monitoring, and remediation because an autonomous system can act faster than human review. Without that ownership chain, incident response becomes a coordination problem instead of a control problem.

👉 Read our full editorial: Agentic AI is widening the identity governance gap for enterprises



   