
AI agent governance: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: AI agent adoption has surged to more than 3 million agents globally, with thousands created every week and 144 non-human identities for every human user, according to JumpCloud’s source article citing SACR and Stanford Graduate School of Business research. The governance gap is structural: legacy IAM was built for humans and deterministic machine identities, not autonomous actors that decide and act at runtime.

NHIMG editorial — based on content published by JumpCloud: AI agent identity risk and runtime governance

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can act at runtime?

A: Treat AI agents as live identities rather than static accounts.

Q: Why do AI agents complicate existing IAM and PAM controls?

A: Because many IAM and PAM controls assume access is stable long enough to be reviewed, certified, or revoked after the fact.

Q: What breaks when shadow AI is not discovered early?

A: Teams lose sight of which agents exist, what they can reach, and which credentials they use.

Practitioner guidance

  • Map every active AI agent to an accountable owner: Create an authoritative register that binds each agent to a human owner, trusted device, purpose, and approved scope.
  • Inventory MCP servers and tool connections: Document every MCP server, API, SaaS app, and agent-to-agent path an agent can reach, then remove any connection that is not required for the stated use case.
  • Replace static credentials with time-limited tokens: Eliminate permanent secrets wherever agents authenticate to enterprise systems.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • How JumpCloud structures the discover, register, manage, and govern lifecycle for AI agents in practice.
  • The article’s device-trust and real-time authorisation examples for blocking unmanaged agent actions.
  • JumpCloud’s framing of MCP security as a distinct control surface for tool-connected agents.
  • The source’s discussion of continuous audit trails and legal accountability for AI activity.

👉 Read JumpCloud’s analysis of AI agent identity governance and runtime controls →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

AI agent governance exposes a runtime identity problem, not just a discovery problem. The article correctly shows that visibility is only the first layer. Once an agent can decide when to act, what tool to call, and how to chain operations, IAM must govern runtime behaviour rather than static enrolment alone. The implication is that agent identity cannot be treated as a one-time registration event; it becomes a live governance object.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • That same research says only 44% have implemented any policies to govern AI agents, even though 92% agree the problem is critical to enterprise security.

A question worth separating out:

Q: How can organisations decide whether an AI agent is over-scoped?

A: Compare the agent’s actual connection paths, data reach, and observed tool sequence with its stated purpose. If the agent can aggregate, relay, or export data outside the minimal task scope, it is over-scoped even if initial login was authorised. Scope should be measured at execution, not only at provisioning.

👉 Read our full editorial: AI agent identity risk is outpacing legacy IAM controls



   
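An added example, not code from JumpCloud or from either post above: one way to measure scope at execution, by checking observed agent events against a register entry that binds the agent to an owner, purpose, and approved scope, and by flagging static or over-long credentials. The record fields, agent names, tool names, and events are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentRecord:
    """Register entry binding an agent to owner, purpose and approved scope."""
    agent_id: str
    owner: str
    purpose: str
    tools: frozenset          # tool / MCP connections approved for the purpose
    data_sinks: frozenset     # destinations the agent may write or send to
    max_token_ttl_s: int      # longest credential lifetime allowed

# Constructed sample data, not taken from any real environment.
REGISTER = {
    "agent-invoice-01": AgentRecord(
        "agent-invoice-01", "alice@example.test", "summarise supplier invoices",
        frozenset({"erp.read_invoice", "llm.summarise"}),
        frozenset({"erp.notes"}), 900),
}
EVENTS = [
    {"agent": "agent-invoice-01", "tool": "erp.read_invoice", "sink": None, "token_ttl_s": 600},
    {"agent": "agent-invoice-01", "tool": "llm.summarise", "sink": "erp.notes", "token_ttl_s": 600},
    {"agent": "agent-invoice-01", "tool": "mail.send", "sink": "smtp.external", "token_ttl_s": 600},
    {"agent": "agent-invoice-01", "tool": "erp.read_invoice", "sink": None, "token_ttl_s": None},
    {"agent": "agent-shadow-07", "tool": "crm.export", "sink": "s3.bucket", "token_ttl_s": 3600},
]

def findings(events, register):
    """Return (event_index, agent, reason) for each execution-time violation."""
    out = []
    for i, e in enumerate(events):
        rec = register.get(e["agent"])
        if rec is None:                      # shadow agent: no owner, no scope
            out.append((i, e["agent"], "unregistered agent"))
            continue
        if e["tool"] not in rec.tools:
            out.append((i, e["agent"], f"tool outside scope: {e['tool']}"))
        if e["sink"] is not None and e["sink"] not in rec.data_sinks:
            out.append((i, e["agent"], f"data sink outside scope: {e['sink']}"))
        ttl = e["token_ttl_s"]               # None models a permanent secret
        if ttl is None or ttl > rec.max_token_ttl_s:
            out.append((i, e["agent"], "static or over-long credential"))
    return out

if __name__ == "__main__":
    for f in findings(EVENTS, REGISTER):
        print(f)
```

The third event shows the case the second post describes: the agent authenticated with a valid short-lived token, yet it is over-scoped because the tool and destination fall outside its stated purpose.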