TL;DR: Only 18% of security leaders are highly confident their current IAM systems can manage agent identities, while 23% have a formal strategy and 40% are increasing identity and security budgets to address AI agent risks, according to Strata Identity. The real gap is that autonomous agents expose an identity model built for stable, reviewable access, not runtime decision-making.
NHIMG editorial — based on content published by Strata Identity: Securing Autonomous AI Agents Starts with Identity Governance
By the numbers:
- Only 18% of security leaders are highly confident their current IAM systems can effectively manage agent identities.
- Just 23% of organizations have a formal, enterprise-wide strategy for agent identity management.
- 40% of organizations are increasing their identity and security budgets specifically to address AI agent risks.
Questions worth separating out
Q: How should security teams govern AI agents that use shared credentials today?
A: They should treat shared credentials as a transition risk, not a steady state.
Q: Why do autonomous agents break traditional IAM confidence measures?
A: Traditional IAM confidence measures assume access is stable, attributable, and reviewable over time.
Q: What do security teams get wrong about human-in-the-loop controls for agents?
A: They often assume a manual approval step is the same as governance.
Practitioner guidance
- Replace shared human credentials in agent workflows. Inventory every place where agents are using usernames, passwords, API keys, or shared service accounts.
- Create a single owner for each agent class. Assign accountable ownership for discovery, policy, audit, and exception handling so security, IT, and AI teams are not making overlapping decisions without a final authority.
- Enforce runtime policy at the resource boundary. Place policy enforcement points in front of critical systems so authorisation is checked at the moment of action.
What's in the full report
Strata Identity's full report covers the operational detail this post intentionally leaves for the source:
- Cross-environment authentication patterns for agents running across public cloud, private cloud, and on-premises systems
- Breakdowns of how organisations are using static API keys, passwords, and shared service accounts in agent workflows
- Survey findings on human-in-the-loop checkpoints for sensitive data access, system changes, and financial approvals
- Budget and ownership patterns that show which teams are funding and running agent governance programmes
AI agent identity governance: are your controls keeping up?
Explore further
Static credential governance was designed for access that stays still long enough to be reviewed. That assumption fails when an autonomous agent can authenticate, act, and move on across multiple environments in one continuous workflow. The implication is not simply that teams need more controls. It is that access-review-centric governance no longer describes the thing being governed.
A few things that frame the scale:
- Only 18% of technology professionals say they are highly confident their current identity systems can effectively handle agent identities, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should be accountable for agent identity governance?
A: Accountability should sit with one named owner for the agent class, supported by security, IT, and platform teams. Fragmented responsibility leads to inconsistent policies, weak audit evidence, and unclear exception handling. The right model is a single accountable chain for identity, access, logging, and lifecycle decisions.