
Agentic IT governance: what IT teams are missing in practice


(@nhi-mgmt-group)

TL;DR: AI agents are already in production at 72% of organisations, yet 92% report limits to safely scaling them, according to JumpCloud's Agentic IAM Pulse Report. The gap is not agent capability but governance depth: without formal identity records, revocation paths, and policy enforcement, agentic IT expands risk as fast as it reduces routine work.

NHIMG editorial — based on content published by JumpCloud: agentic IT governance and the shift from shadow AI to governed AI

By the numbers:

Questions worth separating out

Q: How should organisations govern AI agents that perform routine IT work?

A: Treat each agent as a non-human identity with an owner, a defined permission set, and a lifecycle.

Q: Why do AI agents create governance risk even when the tasks are predictable?

A: Predictable tasks do not eliminate identity risk.

Q: What breaks when AI agents are deployed without formal identity records?

A: Access reviews become incomplete, revocation becomes uncertain, and ownership becomes ambiguous.

Practitioner guidance

  • Register every AI agent as a managed identity: Create a formal identity record for each agent, including owner, scope, permissions, and lifecycle state, before it is allowed into production workflows.
  • Bind access to explicit policy boundaries: Define what each agent can read, change, approve, or provision, and keep those permissions narrower than the human role the agent supports.
  • Add revocation to the agent lifecycle: Ensure offboarding, owner changes, and scope changes trigger immediate access removal or re-approval, not a later review cycle.

What's in the full article

JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:

  • A four-stage model for moving from shadow AI to governed AI inside Google Workspace and Gemini Enterprise.
  • The operational split between what the agent can do and what the identity layer allows it to do.
  • Examples of how onboarding, compliance evidence, support, and discovery workflows are delegated to governed agents.
  • The article's view of how leadership time shifts from routine approvals to governance summaries.

👉 Read JumpCloud's analysis of agentic IT governance and governed AI →
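
The three practitioner-guidance points above, sketched as an added example that is not part of the original post and not JumpCloud's code: an identity record, a production admission check, and lifecycle events that cut access immediately. The class, function, state, event and permission names are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed lifecycle events and the state each one forces (names are hypothetical).
EVENT_TO_STATE = {
    "offboarding": "revoked",
    "owner_change": "pending_reapproval",
    "scope_change": "pending_reapproval",
}

@dataclass
class AgentIdentity:
    agent_id: str
    owner: str               # accountable human owner
    scope: str               # workflow the agent is approved for
    permissions: frozenset   # explicit permission set
    state: str = "pending_approval"

def admission_errors(agent, human_role_permissions):
    """Return the reasons an agent may not enter production (empty list = admit)."""
    errors = [f"missing {f}" for f in ("owner", "scope") if not getattr(agent, f)]
    if not agent.permissions:
        errors.append("no defined permission set")
    excess = agent.permissions - human_role_permissions
    if excess:
        errors.append("exceeds human role: " + ", ".join(sorted(excess)))
    elif agent.permissions == human_role_permissions:
        errors.append("not narrower than human role")
    if agent.state != "approved":
        errors.append(f"lifecycle state is {agent.state}")
    return errors

def effective_permissions(agent):
    """Only an approved identity holds access; any other state holds none."""
    return agent.permissions if agent.state == "approved" else frozenset()

def apply_event(agent, event):
    """Apply a lifecycle event now and return what the agent can still do."""
    if event not in EVENT_TO_STATE:
        raise ValueError(f"unknown lifecycle event: {event}")
    agent.state = EVENT_TO_STATE[event]
    return effective_permissions(agent)

if __name__ == "__main__":
    # Constructed sample data.
    helpdesk_role = {"ticket:read", "ticket:update", "user:reset_password"}
    bot = AgentIdentity("triage-bot", "alice", "helpdesk-triage",
                        frozenset({"ticket:read", "ticket:update"}), "approved")
    print(admission_errors(bot, helpdesk_role))   # admitted
    print(apply_event(bot, "owner_change"))       # access suspended until re-approval
```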
