TL;DR: Deloitte’s 2025 Technology Predictions report says 50% of generative-AI companies will deploy agentic solutions by 2027, while AuthMind argues that traditional IAM and IGA tools cannot see, classify, or govern these autonomous identities well enough to control access, audit behaviour, or contain shadow usage. That makes identity observability a governance requirement, not an optional add-on.
NHIMG editorial — based on content published by AuthMind: Agentic AI, autonomous systems are a new type of identity in our environments
By the numbers:
- 50% of companies using generative AI will deploy agentic solutions by 2027.
Questions worth separating out
Q: How should security teams govern agentic AI identities across corporate and personal access paths?
A: They should correlate agent activity to a trusted identity source before they enforce policy.
Q: Why do autonomous AI agents create problems for traditional IAM and IGA controls?
A: Because those controls assume the actor's access can be defined and reviewed as a stable entitlement.
Q: What signs show that AI agent access has moved outside approved governance boundaries?
A: Look for unexpected system calls, data access that does not match the original task, personal identities used for corporate AI access, and agents connecting to unapproved services.
Practitioner guidance
- Map every AI access path to a real identity source: Correlate corporate logins, personal email usage, workload identities, and agent runtime identities into one governed view so unmanaged access does not hide behind separate account types.
- Instrument behavioural telemetry for AI actions: Capture the who, what, when, where, and why of agent activity, then alert on unusual data access, unexpected system calls, or task drift that changes the original purpose of the agent.
- Separate sanctioned agent use from shadow usage: Require explicit approval boundaries for approved AI tools, then treat access from personal identities or unmanaged endpoints as a governance exception until it is mapped and reviewed.
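The three guidance items above, combined into one triage pass over access events. This is an added example, not code from AuthMind or from this editorial; the event fields, identity inventory, service names and finding labels are all constructed assumptions.

```python
# Added example: all identities, services, fields and labels are constructed.
APPROVED_SERVICES = {"crm.corp.example", "hr-db.corp.example", "llm-gw.corp.example"}
HUMANS = {"alice@corp.example"}  # corporate identities from the trusted source
# Agent runtime identity -> accountable owner and the services its task needs.
AGENTS = {"agent-sales-01": {"owner": "alice@corp.example",
                             "scope": {"crm.corp.example", "llm-gw.corp.example"}}}

EVENTS = [  # constructed access events, one per access path
    {"actor": "agent-sales-01", "kind": "agent", "service": "crm.corp.example", "managed": True},
    {"actor": "agent-sales-01", "kind": "agent", "service": "hr-db.corp.example", "managed": True},
    {"actor": "bob@mail.example", "kind": "human", "service": "llm-gw.corp.example", "managed": False},
    {"actor": "agent-x7", "kind": "agent", "service": "paste.example.net", "managed": True},
    {"actor": "alice@corp.example", "kind": "human", "service": "llm-gw.corp.example", "managed": True},
]

def classify(event):
    """Return governance findings for one event; an empty list means sanctioned."""
    findings = []
    actor, service = event["actor"], event["service"]
    if event["kind"] == "agent":
        record = AGENTS.get(actor)
        if record is None:
            findings.append("unmapped_agent_identity")
        elif service not in record["scope"]:
            findings.append("task_drift")  # outside the agent's task scope
    elif actor not in HUMANS:
        findings.append("personal_or_unknown_identity")
    if service not in APPROVED_SERVICES:
        findings.append("unapproved_service")
    if not event["managed"]:
        findings.append("unmanaged_endpoint")
    return findings

def review_queue(events):
    """Events that need mapping and review, each with its owner if one is known."""
    queue = []
    for e in events:
        findings = classify(e)
        if findings:
            owner = AGENTS.get(e["actor"], {}).get("owner", "unattributed")
            queue.append((e["actor"], owner, findings))
    return queue

if __name__ == "__main__":
    for row in review_queue(EVENTS):
        print(row)
```

The second event shows why the per-agent scope matters: the service is approved for the organisation, so only the comparison against the agent's own task scope surfaces the drift.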
What's in the full article
AuthMind's full article covers the operational detail this post intentionally leaves for the source:
- How AuthMind maps approved and unapproved AI identities into a single view across clouds and endpoints
- The vendor's behavioural profiling workflow for detecting when an agent deviates from normal access patterns
- Examples of how the platform distinguishes compromised users from compromised agents in live environments
- The article's detailed breakdown of visibility gaps across sales, finance, HR, IT, and cybersecurity use cases
Explore further
Identity observability is becoming the practical control layer for agentic AI. Traditional IAM and IGA are built to manage stable identities and predeclared access paths, but agentic systems can act, re-route, and expand their own activity at runtime. That makes the observed action trail more important than the assigned role. For practitioners, the field is moving from entitlement management to behaviour evidence.
A few things that frame the scale:
- From our research: 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent uses corporate data in the wrong way?
A: Accountability sits with the organisation that allowed the identity path, policy scope, and monitoring model to remain ambiguous. If the same activity can occur through corporate, personal, or unmanaged access routes, the organisation cannot prove ownership or enforce review consistently. Clear identity attribution is the prerequisite for defensible accountability.