
AI agent identity governance is breaking old IAM assumptions


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Identity systems built for human-speed access are failing under agentic workloads, with Gartner cited in the source saying 70% of IAM implementations miss expectations, more than half fail the first time, and 99% of service accounts are over-permissioned. The core issue is that agents operate at machine speed, reproduce through delegation, and outgrow quarterly governance models before reviews can catch up.

NHIMG editorial — based on content published by ConductorOne: Three Properties Identity Must Have in the Agentic Era

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can create sub-agents?

A: They should govern the delegation chain, not just the initial agent account.

Q: Why do AI agents break traditional IAM review cycles?

A: Traditional IAM review cycles assume access persists long enough to be observed, certified, and removed later.

Q: What should organisations measure to see whether agent identity controls are working?

A: They should measure authorization latency, delegation depth, and how quickly access can be revoked after context changes.

Practitioner guidance

  • Map delegation chains before expanding agent access: inventory which humans can approve parent agents, which systems those agents can reach, and where sub-agents inherit permissions.
  • Replace periodic review with runtime authorization controls: move the highest-risk agent permissions into continuously evaluated policy so access can be revoked as context changes.
  • Separate static workload identities from agentic principals: do not manage AI agents as if they were service accounts with fixed purpose and stable behaviour.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of continuous access evaluation patterns for machine-speed identity decisions.
  • The full breakdown of delegation and sub-agent inheritance scenarios that turn one approval into many.
  • Architecture detail on how policy-based authorization differs from quarterly certification in practice.
  • The source's market context on how platform identity, PAM, and IGA expectations are changing.

👉 Read ConductorOne's analysis of identity control requirements in the agentic era →
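The delegation-chain governance sketched in the Q&A and guidance above, as an added Python example that is not code from the post or from ConductorOne's article: every agent principal keeps a link to whoever delegated to it, scopes can only attenuate on delegation, a maximum delegation depth is enforced, authorization is evaluated per action rather than at certification time, and revoking a parent cascades to every sub-agent it spawned. MAX_DELEGATION_DEPTH and the scope names are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed policy limit on how deep delegation may nest (human -> agent -> sub-agent ...).
MAX_DELEGATION_DEPTH = 3


@dataclass
class Principal:
    """A human approver or an agent; agents always link back to whoever delegated to them."""
    name: str
    scopes: frozenset[str]
    parent: Principal | None = None
    revoked: bool = False
    children: list[Principal] = field(default_factory=list)

    def chain(self) -> list[Principal]:
        # Delegation chain from this principal back to the root (the human approver).
        node, out = self, []
        while node is not None:
            out.append(node)
            node = node.parent
        return out

    def depth(self) -> int:
        return len(self.chain()) - 1  # root approver is depth 0

    def delegate(self, name: str, requested: set[str]) -> Principal:
        """Spawn a sub-agent. Scopes only attenuate: a child never holds a scope its parent lacks."""
        if self.depth() + 1 > MAX_DELEGATION_DEPTH:
            raise PermissionError(f"{name}: delegation depth would exceed {MAX_DELEGATION_DEPTH}")
        escalated = set(requested) - self.scopes
        if escalated:
            raise PermissionError(f"{name}: scopes not held by {self.name}: {sorted(escalated)}")
        child = Principal(name, frozenset(requested), parent=self)
        self.children.append(child)
        return child

    def revoke(self) -> list[str]:
        """Revoke this principal and everything it spawned; returns the names revoked, for audit."""
        self.revoked = True
        names = [self.name]
        for child in self.children:
            names.extend(child.revoke())
        return names

    def authorize(self, scope: str) -> bool:
        """Runtime check on every action: denied if the scope is missing or any link is revoked."""
        if scope not in self.scopes:
            return False
        return not any(p.revoked for p in self.chain())
```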


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Constant identity is now a control requirement, not an availability preference. The source makes clear that quarterly reviews and annual certifications were already inadequate for human access, and they collapse completely for agents that make decisions at machine speed. The control assumption that privilege can be observed later fails when actions accumulate before the next review cycle. Practitioners should treat continuous authorization as the baseline for agent governance.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 89% of organisations store secrets outside secret managers in vulnerable locations, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: What is the difference between service account governance and agent governance?

A: Service account governance focuses on fixed credentials and stable workloads. Agent governance must also manage runtime decisions, inherited authority, and the ability to spawn further actions. That means lifecycle control, policy evaluation, and revocation need to account for behaviour that changes mid-session, not just for long-lived secrets or static roles.

👉 Read our full editorial: Identity in the agentic era needs constant, omnipresent, adaptable control
