Agentic AI and the A2A economy: what IAM teams should watch

TL;DR: Agentic AI is shifting digital interactions from human-led workflows to AI-to-AI transactions, with machine and service identities now outnumbering human identities by 80-to-1 or more in large enterprises, according to Gathid. That makes intent, policy enforcement and auditability the new control points, because classic SEO and static governance do not hold up at machine speed.

NHIMG editorial — based on content published by Gathid: Agentic AI is arriving faster than governance, faster than marketing and faster than our language

By the numbers:

• In large enterprises, machine and service identities now outnumber human identities by 80-to-1 or more.
• About one-quarter of U.S. adults use AI for shopping, according to an AP-NORC poll in July 2025.
• Traditional link clicks fell to 8% of visits with an AI summary versus 15% without, according to Pew Research Center.

Questions worth separating out

Q: How should security teams govern AI agents that act across multiple systems?

A: Security teams should govern AI agents as explicit non-human identities with owned lifecycle records, scoped permissions and revocation paths.

Q: Why do AI agents create a different identity risk than ordinary automation?

A: AI agents create different risk because they do not just follow a predefined script.

Q: When should organisations treat agent intent as part of identity governance?

A: Organisations should treat agent intent as part of identity governance whenever the system can initiate actions, access data or coordinate with other services without human approval for each step.

Practitioner guidance

• Define agent identity ownership and lifecycle Assign a business owner, technical custodian and revocation path for every agent that can act independently.
• Bind agent intent to enforcement points Require policy engines in code paths, telemetry collection and revocation hooks before any agent is allowed to touch production data or customer-facing workflows.
• Map agent actions to zero trust principles Use least-privilege scopes, continuous verification and explicit data boundaries for each agent session.

What's in the full article

Gathid's full article covers the operational detail this post intentionally leaves for the source:

• How the article frames intent passports for agents that act on behalf of a principal
• The way Gathid distinguishes ambient, task and chained agents in operational terms
• The marketing-specific risk categories tied to financial, ethical and environmental exposure
• The article's discussion of how brand governance changes when AI becomes the first touchpoint

👉 Read Gathid's analysis of agentic AI, identity and the A2A economy →

Agentic AI and the A2A economy: what IAM teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →