TL;DR: AI agents are moving from answer engines to action-taking identities, and JumpCloud argues that traditional deterministic IAM cannot safely govern probabilistic behaviour, especially as teams shift from human JML to instantiate-update-decommission cycles. The core issue is assumption collapse: access reviews and static credential checks assume stable, reviewable privilege, but autonomous agents can change scope and act before those controls catch up.
NHIMG editorial — based on content published by JumpCloud: AI is no longer a futuristic project, it is a core part of how we work
By the numbers:
- 92% of IT leaders say AI already boosts their team’s productivity.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams govern AI agents that can take actions on their own?
A: Security teams should govern AI agents as a separate identity class with named ownership, bounded scope, and task-specific lifecycle controls.
Q: Why do AI agents create problems for least privilege models?
A: AI agents create problems for least privilege because the actor’s intent is not fully knowable at provisioning time.
Q: How can organisations stop AI agents from becoming zombie identities?
A: Organisations should bind every agent to an explicit task, owner, and expiry condition, then force decommission when the task ends or the model changes.
Practitioner guidance
- Define a separate AI agent identity class: Create distinct identity records, policies, and ownership for agents instead of folding them into generic machine accounts.
- Replace static JML with agent lifecycle controls: Automate instantiate, update, and decommission workflows so every agent has a task-bound start and a forced revocation point.
- Monitor for behavioral drift and scope expansion: Continuously compare the agent's current actions against its declared intent, approved tools, and permitted datasets.
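A minimal sketch of the lifecycle and drift checks described above, added here as an illustration and not taken from JumpCloud or NHIMG. The record schema, function names, and sample data are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AgentIdentity:
    # Hypothetical schema: one record per agent, separate from machine accounts.
    agent_id: str
    owner: str                   # named human owner
    task: str                    # the explicit task the agent is bound to
    expires_at: datetime         # forced revocation point
    model_version: str           # model the agent was approved with
    approved_tools: frozenset
    permitted_datasets: frozenset

def decommission_reasons(agent, now, task_open, running_model):
    """Return why this identity must be revoked (empty list = still valid)."""
    checks = [
        (not agent.owner, "no named owner"),
        (not task_open, "task ended"),
        (now >= agent.expires_at, "expiry reached"),
        (running_model != agent.model_version, "model changed"),
    ]
    return [reason for failed, reason in checks if failed]

def drift_findings(agent, actions):
    """Compare observed actions against the declared tools and datasets."""
    findings = []
    for act in actions:
        if act["tool"] not in agent.approved_tools:
            findings.append((act["ts"], "unapproved tool", act["tool"]))
        ds = act.get("dataset")
        if ds is not None and ds not in agent.permitted_datasets:
            findings.append((act["ts"], "unpermitted dataset", ds))
    return findings

# Constructed sample data, not taken from any real deployment.
AGENT = AgentIdentity("agent-invoice-01", "alice@example.com", "TASK-1001",
                      datetime(2026, 1, 31, tzinfo=timezone.utc), "model-v1",
                      frozenset({"read_invoice", "post_ledger"}), frozenset({"invoices"}))
ACTIONS = [
    {"ts": "2026-01-10T09:00Z", "tool": "read_invoice", "dataset": "invoices"},
    {"ts": "2026-01-10T09:01Z", "tool": "send_email", "dataset": None},
    {"ts": "2026-01-10T09:02Z", "tool": "read_invoice", "dataset": "payroll"},
]

if __name__ == "__main__":
    now = datetime(2026, 2, 1, tzinfo=timezone.utc)
    print(decommission_reasons(AGENT, now, task_open=True, running_model="model-v2"))
    print(drift_findings(AGENT, ACTIONS))
```

Any non-empty result from `decommission_reasons` should trigger revocation of the agent's credentials rather than a review ticket, since the point of the lifecycle model is a forced end state.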
👉 Read JumpCloud's analysis of AI agent identities and lifecycle governance →
AI agent identities and lifecycle governance: what changes now?
Explore further
AI agent identity is not just NHI with better language. The article describes agents that make independent choices at runtime, which moves the problem beyond static workload identity. That difference matters because NHI controls built for fixed scripts do not explain self-directed action sequences. Practitioners should treat this as a separate governance class, not a cosmetic extension of service-account thinking.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- The same survey found that only 44% of organisations have implemented any policies to manage their AI agents, even as 92% agree governance is critical to enterprise security.
A question worth separating out:
Q: What is the difference between managing service accounts and managing AI agents?
A: Service accounts usually follow fixed paths and predictable permissions, while AI agents can choose actions dynamically and adjust their behaviour during execution. That means service-account governance focuses on secrets and entitlements, but agent governance must also cover intent, drift, and task-bounded authority. The difference is behavioural, not just technical.
👉 Read our full editorial: AI agent identity governance needs a new lifecycle model