TL;DR: AI agents and automation are already expanding client risk surfaces, with JumpCloud describing digital identities that can access systems, handle sensitive tasks, and create damage in seconds if unmanaged. The governance problem is no longer just passwords or endpoints, but machine-speed access, accountability, and lifecycle control that current IAM models were not built to absorb.
NHIMG editorial — based on content published by JumpCloud: agentic identities and MSP AI readiness
By the numbers:
- 58% of clients want their MSP to help shape big-picture tech planning, including AI.
- 46% of today’s IT professionals are now making AI readiness a top priority.
- 94% of IT leaders see AI as a top risk for their organizations.
Questions worth separating out
Q: How should security teams govern agentic identities in client environments?
A: Security teams should govern agentic identities like a distinct non-human identity class with named ownership, scoped permissions, and continuous logging.
Q: Why do agentic identities create more risk than ordinary automation?
A: Agentic identities create more risk because they can act continuously, make decisions at runtime, and execute work at machine speed.
Q: What breaks when agentic identities are reviewed like human users?
A: Human-style access reviews break because they assume the subject is observable on a schedule and can be certified in a stable state.
Practitioner guidance
- Inventory every agentic identity separately from human users Create a distinct register for AI-powered agents, bots, and automations, including owner, purpose, permissions, data access, and downstream systems.
- Bind access to explicit business lifecycle events Provision agent access only for a documented use case, review it when the workflow changes, and revoke it when the task or client engagement ends.
- Extend monitoring to agent actions, not just sessions Log the agent’s delegated scope, actions taken, and target systems touched so you can attribute behaviour after the fact.
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- Packaging ideas for MSPs that want to offer agentic identity management as a recurring service.
- Tiered service concepts that separate basic monitoring from policy design, threat detection, and response.
- Practical reporting and client communication angles for explaining AI readiness and identity governance.
- Guidance on positioning AI identity management alongside existing cybersecurity and compliance services.
👉 Read JumpCloud's blog post on agentic identities and MSP AI readiness →
Agentic identities for MSPs: what changes for client governance?
Explore further
Agentic identities are an NHI governance problem before they are an AI problem. The article describes agents, bots, and automation that act on behalf of a business, which places them squarely in non-human identity territory. That matters because the same controls used for service accounts, API keys, and tokens now have to govern software actors that move faster and change behaviour more often. Practitioners should treat agentic access as a governed identity class, not a feature of AI deployment.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.
A question worth separating out:
Q: Who is accountable when an AI agent causes a security incident?
A: Accountability should sit with the team that approved the agent’s access, defined its scope, and owns its operating policy. In an MSP model, that often means both the provider and the client have responsibilities that must be documented in advance. If ownership is vague, incident response becomes a dispute instead of a control process.
👉 Read our full editorial: Agentic identities are reshaping MSP client security models
Agentic identities are an NHI governance problem before they are an AI problem. The article describes agents, bots, and automation that act on behalf of a business, which places them squarely in non-human identity territory. That matters because the same controls used for service accounts, API keys, and tokens now have to govern software actors that move faster and change behaviour more often. Practitioners should treat agentic access as a governed identity class, not a feature of AI deployment.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.
A question worth separating out:
Q: Who is accountable when an AI agent causes a security incident?
A: Accountability should sit with the team that approved the agent’s access, defined its scope, and owns its operating policy. In an MSP model, that often means both the provider and the client have responsibilities that must be documented in advance. If ownership is vague, incident response becomes a dispute instead of a control process.
👉 Read our full editorial: Agentic identities are reshaping MSP client security models