Agentic AI governance gaps: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: 82% of organisations are already using AI agents, but only 44% have formal policies to manage them, according to JumpCloud, underscoring a widening governance gap that leaves autonomy, data handling, and compliance exposed. The real issue is that identity and access controls built for scripted automation do not cover agentic behaviour.

NHIMG editorial — based on content published by JumpCloud: Who Let the Bot In? Control Agentic AI Before It Goes Too Far

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that act like identities?

A: Security teams should assign each AI agent a unique identity, set explicit access boundaries, and monitor activity in real time.

Q: Why do AI agents create governance gaps in IAM programmes?

A: AI agents can choose actions at runtime, so they may exceed the assumptions behind static IAM controls.

Q: What breaks when organisations treat AI agents like ordinary automation?

A: Ordinary automation is predictable, but agentic systems can select tools and timing dynamically.

Practitioner guidance

  • Assign unique identities to each agent: Eliminate shared agent credentials and bind every production agent to a named owner, a fixed purpose, and a distinct audit trail.
  • Tie agent entitlements to explicit workflow boundaries: Document which data sources, tools, and execution contexts each agent may use, then deny everything else by default.
  • Add real-time monitoring to agent activity: Track tool calls, data access, and downstream actions as live identity events so unusual behaviour is detected during execution, not after a review cycle.

What's in the full report

JumpCloud's full report covers the operational detail this post intentionally leaves for the source:

  • Risk Readiness Checklist elements for assessing how prepared your organisation is to govern agentic AI.
  • Practical guidance on assigning a unique identity to each agent and monitoring actions in real time.
  • The report's full framing of the identity-first governance model for security and IT leaders.
  • Context on the adoption and policy gap that prompted the report's recommendations.

👉 Read JumpCloud's report on agentic AI governance and readiness →
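
The three points under "Practitioner guidance" can be combined in one enforcement point. The sketch below is an added example, not code from JumpCloud or from this post: `AgentIdentity`, `AgentGate`, `demo_gate` and every agent, tool and data-source name are hypothetical, and the in-memory `audit_log` list stands in for a live event stream.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str              # unique per agent, never shared
    owner: str                 # named owner accountable for the agent
    purpose: str               # fixed purpose
    tools: frozenset           # workflow boundary: tools
    data_sources: frozenset    # workflow boundary: data sources
    contexts: frozenset        # workflow boundary: execution contexts

class AgentGate:
    """Checks every tool call against the calling agent's entitlements."""
    def __init__(self):
        self._registry = {}
        self.audit_log = []    # stand-in for a live identity event stream

    def register(self, ident):
        if ident.agent_id in self._registry:
            raise ValueError("agent_id already registered")
        if not ident.owner or not ident.purpose:
            raise ValueError("owner and purpose are required")
        self._registry[ident.agent_id] = ident

    def authorize(self, agent_id, tool, data_source, context):
        ident = self._registry.get(agent_id)
        if ident is None:
            reason = "unknown_agent"
        elif tool not in ident.tools:
            reason = "tool_not_entitled"
        elif data_source not in ident.data_sources:
            reason = "data_source_not_entitled"
        elif context not in ident.contexts:
            reason = "context_not_entitled"
        else:
            reason = None      # only an explicit match is allowed
        self.audit_log.append({   # one event per call, allow or deny
            "ts": time.time(), "agent_id": agent_id,
            "owner": ident.owner if ident else None,
            "tool": tool, "data_source": data_source, "context": context,
            "decision": "allow" if reason is None else "deny", "reason": reason,
        })
        return reason is None

def demo_gate():
    # Constructed sample agent; every name here is hypothetical.
    gate = AgentGate()
    gate.register(AgentIdentity(
        "agent-invoice-01", "owner@example.com", "invoice triage",
        frozenset({"read_invoice"}), frozenset({"erp_invoices"}),
        frozenset({"prod-finance"})))
    return gate
```

Because the deny events carry the agent id, owner and reason, a run of `tool_not_entitled` or `unknown_agent` decisions is visible while the agent is still executing.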
