AI agent governance: what IAM teams are missing


(@nhi-mgmt-group)

TL;DR: Unapproved AI tools are already widespread, with 61% of organisations encountering unsanctioned or unmonitored use, according to JumpCloud research, while breaches involving unmanaged applications add an average of $670,000 and 97% lack basic access controls. The real gap is governance, not experimentation, and it spans IT, security, and legal ownership.

NHIMG editorial — based on content published by JumpCloud: The AI Mandate, securing autonomous agents before they secure you

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can access company tools and data?

A: Security teams should treat AI agents as governed identities, not as informal automation.

Q: Why do unsanctioned AI tools create so much identity risk?

A: Unsanctioned AI tools bypass the directory, policy, and audit paths that make identity governance work.

Q: What do teams get wrong about least privilege in AI workflows?

A: Teams often apply least privilege only at account creation, then forget that AI workflows can call multiple tools and inherit broader access through tokens or delegated permissions.

Practitioner guidance

  • Define a sanctioned AI access path: Require employees to use approved AI tools that inherit directory-backed identity, logging, and policy enforcement before they can touch company data.
  • Assign every AI agent a named owner: Register each automated agent with a business owner, technical custodian, and review cadence so accountability survives turnover and reuse.
  • Restrict token scope and lifetime: Limit app tokens and delegated credentials to the narrowest task scope possible, and remove standing access wherever sessions can be made shorter.

What's in the full article

JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:

  • Role-specific guidance for IT, security, and legal teams that explains who owns each part of the AI governance process
  • Operational examples of how approved sandboxes and dynamic identity controls are meant to contain AI tool risk
  • The full incident discussion behind the Replit and Drift examples, including the governance lessons drawn from each case
  • Practical policy language for acceptable use, data handling, and accountability expectations across AI workflows

👉 Read JumpCloud's analysis of AI governance roles, risk, and shadow AI →
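
One way to turn the three practitioner-guidance items above into a recurring check, as an added example that is not code from JumpCloud or NHIMG. The inventory records, field names, scope strings and the one-hour token limit are all assumptions made for illustration; running it on a schedule also addresses the point that least privilege is often checked only at account creation.

```python
from datetime import date, timedelta

# Assumed policy threshold (not from the article); set to local policy.
MAX_TOKEN_TTL = timedelta(hours=1)
TODAY = date(2025, 1, 15)  # fixed so the constructed sample is reproducible

# Constructed inventory records; every field name here is hypothetical.
AGENTS = [
    {"name": "invoice-summariser", "directory_backed": True, "audit_logging": True,
     "business_owner": "finance-ops", "technical_custodian": "platform-team",
     "review_every_days": 90, "last_review": date(2024, 12, 1),
     "task_scopes": {"invoices:read"},
     "tokens": [{"scopes": {"invoices:read"}, "ttl": timedelta(minutes=15)}]},
    {"name": "support-chat-helper", "directory_backed": False, "audit_logging": False,
     "business_owner": None, "technical_custodian": "j.doe",
     "review_every_days": 90, "last_review": date(2024, 6, 1),
     "task_scopes": {"tickets:read"},
     "tokens": [{"scopes": {"tickets:read", "crm:write"}, "ttl": None}]},
]

def audit_agent(agent, today=TODAY):
    """Return the governance findings for one agent record (empty list = ok)."""
    findings = []
    # Sanctioned path: directory-backed identity plus logging.
    if not (agent["directory_backed"] and agent["audit_logging"]):
        findings.append("unsanctioned-path")
    # Named owner and custodian.
    for role in ("business_owner", "technical_custodian"):
        if not agent.get(role):
            findings.append(f"missing-{role}")
    # Review cadence.
    due = agent["last_review"] + timedelta(days=agent["review_every_days"])
    if due < today:
        findings.append("review-overdue")
    # Token scope and lifetime, compared against the declared task scopes.
    for tok in agent["tokens"]:
        extra = tok["scopes"] - agent["task_scopes"]
        if extra:
            findings.append("excess-scope:" + ",".join(sorted(extra)))
        if tok["ttl"] is None:
            findings.append("standing-token")
        elif tok["ttl"] > MAX_TOKEN_TTL:
            findings.append("token-ttl-too-long")
    return findings

def audit_inventory(agents=AGENTS, today=TODAY):
    return {a["name"]: audit_agent(a, today) for a in agents}

if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        print(name, "->", findings or "ok")
```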
