TL;DR: Agentic AI is shifting digital interactions from human-led workflows to AI-to-AI transactions, with machine and service identities now outnumbering human identities by 80-to-1 or more in large enterprises, according to Gathid. That makes intent, policy enforcement and auditability the new control points, because classic SEO and static governance do not hold up at machine speed.
NHIMG editorial — based on content published by Gathid: Agentic AI is arriving faster than governance, faster than marketing and faster than our language
By the numbers:
- In large enterprises, machine and service identities now outnumber human identities by 80-to-1 or more.
- About one-quarter of U.S. adults use AI for shopping, according to an AP-NORC poll in July 2025.
- Traditional link clicks fell to 8% of visits with an AI summary versus 15% without, according to Pew Research Center.
Questions worth separating out
Q: How should security teams govern AI agents that act across multiple systems?
A: Security teams should govern AI agents as explicit non-human identities with owned lifecycle records, scoped permissions and revocation paths.
Q: Why do AI agents create a different identity risk than ordinary automation?
A: AI agents create a different risk because they do not just follow a predefined script.
Q: When should organisations treat agent intent as part of identity governance?
A: Organisations should treat agent intent as part of identity governance whenever the system can initiate actions, access data or coordinate with other services without human approval for each step.
Practitioner guidance
- Define agent identity ownership and lifecycle: Assign a business owner, technical custodian and revocation path for every agent that can act independently.
- Bind agent intent to enforcement points: Require policy engines in code paths, telemetry collection and revocation hooks before any agent is allowed to touch production data or customer-facing workflows.
- Map agent actions to zero trust principles: Use least-privilege scopes, continuous verification and explicit data boundaries for each agent session.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How the article frames intent passports for agents that act on behalf of a principal
- The way Gathid distinguishes ambient, task and chained agents in operational terms
- The marketing-specific risk categories tied to financial, ethical and environmental exposure
- The article's discussion of how brand governance changes when AI becomes the first touchpoint
Agentic AI and the A2A economy: what IAM teams should watch?
Explore further
Agentic AI is not just another automation layer; it is a new identity class with governance consequences. Once an agent can observe, decide and act with little human involvement, the enterprise is no longer managing a static workload or a simple service identity. The control problem expands from access assignment to delegated behaviour, runtime scope and revocation. Practitioners should treat this as a structural identity shift, not a tooling enhancement.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree governing them is critical to enterprise security.
A question worth separating out:
Q: What breaks when agent controls are not tied to enforcement points?
A: When agent controls are not tied to enforcement points, the result is policy theater. The organisation may document constraints, but the agent can still act outside them because no code path, telemetry or revocation mechanism actually stops the behaviour. Governance becomes retrospective instead of preventive.
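A minimal sketch of an enforcement point that sits in the agent's code path, added here as an illustration and not taken from Gathid's article or any product. The class names, the intent-to-scope mapping and the sample agent are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AgentIdentity:
    agent_id: str
    business_owner: str        # accountable human
    technical_custodian: str   # who can rotate or revoke it
    grants: dict               # declared intent -> allowed "action:resource" set
    revoked: bool = False

class EnforcementPoint:
    """Every agent action passes through authorize(); nothing calls tools directly."""
    def __init__(self):
        self.registry, self.audit_log = {}, []

    def register(self, agent):
        if not (agent.business_owner and agent.technical_custodian):
            raise ValueError("agent needs a business owner and a technical custodian")
        self.registry[agent.agent_id] = agent

    def revoke(self, agent_id):
        self.registry[agent_id].revoked = True  # takes effect on the next call

    def authorize(self, agent_id, intent, action, resource):
        agent = self.registry.get(agent_id)
        if agent is None:
            reason = "unknown agent"
        elif agent.revoked:
            reason = "identity revoked"
        elif f"{action}:{resource}" not in agent.grants.get(intent, ()):
            reason = "action outside scope of declared intent"
        else:
            reason = "allowed"
        # Telemetry: log every decision, denials included, for later audit.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "agent": agent_id, "intent": intent,
                               "request": f"{action}:{resource}", "decision": reason})
        return reason == "allowed"

def demo():
    pep = EnforcementPoint()
    # Constructed sample agent: names, intents and scopes are made up.
    pep.register(AgentIdentity("pricing-agent-01", "owner@example.com", "iam-team@example.com",
                               {"quote-price": {"read:catalog", "read:inventory"}}))
    results = [pep.authorize("pricing-agent-01", "quote-price", "read", "catalog"),
               pep.authorize("pricing-agent-01", "quote-price", "write", "customer-db")]
    pep.revoke("pricing-agent-01")
    results.append(pep.authorize("pricing-agent-01", "quote-price", "read", "catalog"))
    return results, pep.audit_log
```

The out-of-scope write and the post-revocation read are both denied and both logged, which is the difference between a preventive control and a documented constraint.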