Agentic AI and identity governance: what changes for IAM teams?

TL;DR: BCG's Build for the Future 2025 report says only 5% of companies are generating substantial value from AI, with leaders seeing twice the revenue growth and 40% greater cost reductions, while agentic AI already represents 17% of AI value in 2025 and is projected to reach 29% by 2028 according to the source article. The governance problem is no longer whether AI is useful, but whether identity, access, and accountability controls can keep pace with autonomous workflow execution.

NHIMG editorial — based on content published by Opnova: The 5% Club, Why Agentic AI Is the Dividing Line Between Leaders and Left-behinds

By the numbers:

• Only 5% of companies are generating substantial value from AI, and those leaders are pulling away fast.
• Leaders see twice the revenue increase and 40% greater cost reductions than companies still sitting on the sidelines.
• Agentic AI already accounts for 17% of AI value in 2025 and is expected to reach 29% by 2028.

Questions worth separating out

Q: How should security teams govern autonomous AI agents in production workflows?

A: Treat autonomous agents as governed actors, not just applications.

Q: Why do agentic AI systems create more identity risk than conventional automation?

A: Conventional automation follows a pre-set script, so its access can be reviewed against a known path.

Q: What breaks when an AI system can choose tools and actions on its own?

A: What breaks is the assumption that access can be safely provisioned once and reviewed later.

Practitioner guidance

• Classify every agent by operational authority Separate passive assistants, bounded workflow automations, and autonomous agents that can initiate actions without human approval.
• Bind agent permissions to task scope and data class Limit tool use, data access, and downstream actions to explicitly authorised workflow scopes.
• Require named accountability for each agentic workflow Assign a business owner, an operational owner, and an incident responder for every agent that can trigger business-impacting actions.

What's in the full article

Opnova's full blog covers the operational detail this post intentionally leaves for the source:

• The article's full AI value discussion, including how BCG frames the 5% of companies leading on value capture.
• The composable AI agent angle and how Opnova positions workflow automation across disconnected applications.
• The business transformation framing behind the 10-20-70 rule and how teams are expected to act on it.
• The vendor's product context for identity governance in disconnected applications, which this post does not evaluate.

👉 Read Opnova's analysis of why agentic AI is widening the AI value gap →

Agentic AI and identity governance: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →