TL;DR: AI adoption is now mainstream, with 75% of knowledge workers using AI at work and machine identities already outnumbering human identities by more than 80 to 1, according to Microsoft, LinkedIn, and CyberArk. The core issue is not login friction but governance for agents that chain actions, spawn other agents, and outlive human-style review cycles.
NHIMG editorial — based on content published by ConductorOne: The Identity Stack Was Built for Humans. Agents Don't Care
By the numbers:
- 75% of knowledge workers now use AI at work.
- Machine identities already outnumber human identities by more than 80 to 1.
- 90% of organizations experienced at least one identity-related incident in the past year.
Questions worth separating out
Q: What breaks when AI agents inherit human IAM controls?
A: Human IAM controls break because they assume a person makes a request, waits, and can later be reviewed or deprovisioned.
Q: Why do AI agents complicate least privilege in practice?
A: AI agents complicate least privilege because the required scope is often unknown until runtime.
Q: How do security teams know if agent governance is working?
A: Agent governance is working when every task has a clear originator, every tool call is attributable, and every privilege grant has a bounded revocation path.
Practitioner guidance
- Map every agent to a delegated action chain: Record the human originator, each downstream agent, the tools called, and the scope passed at each hop.
- Replace coarse roles with task-bounded access: Grant access around one job, one system, and one time window rather than around broad engineer-style roles.
- Build revocation paths that target one hop: Test whether you can stop a single agent without collapsing the whole workflow.
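The three guidance points above, sketched as an added example (not code from ConductorOne or NHIMG): a delegation chain that records each hop, only lets a hop narrow the scope and time window it received, and revokes one hop without touching its siblings. The `Hop` and `Chain` classes, the agent names, and the `system:action` scope strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hop:
    agent: str               # agent (or human originator) at this hop
    parent: Optional[str]    # who delegated to it; None for the human originator
    scope: frozenset         # hypothetical "system:action" grants passed at this hop
    not_after: float         # end of the task's time window (epoch seconds)
    revoked: bool = False

class Chain:
    def __init__(self, originator, scope, not_after):
        self.hops = {originator: Hop(originator, None, frozenset(scope), not_after)}

    def delegate(self, parent, agent, scope, not_after):
        p, scope = self.hops[parent], frozenset(scope)
        # A hop may only narrow what it received, never widen or outlive it.
        if not scope <= p.scope or not_after > p.not_after:
            raise PermissionError(f"{agent}: grant exceeds what {parent} holds")
        self.hops[agent] = Hop(agent, parent, scope, not_after)

    def path(self, agent):
        """Attribution path: originator -> ... -> agent."""
        out = []
        while agent is not None:
            out.append(agent)
            agent = self.hops[agent].parent
        return out[::-1]

    def authorize(self, agent, action, now):
        """Return the attribution path if the call is allowed, else None."""
        if action not in self.hops[agent].scope:
            return None
        chain = self.path(agent)
        if any(self.hops[a].revoked or now > self.hops[a].not_after for a in chain):
            return None
        return chain

    def revoke(self, agent):
        # Targets one hop; its descendants fail the path check, siblings do not.
        self.hops[agent].revoked = True

def demo():
    # Constructed sample chain: one human, one planner agent, two worker agents.
    c = Chain("alice", {"crm:read", "crm:export", "mail:send"}, not_after=1000)
    c.delegate("alice", "planner", {"crm:export", "mail:send"}, 900)
    c.delegate("planner", "exporter", {"crm:export"}, 600)
    c.delegate("planner", "mailer", {"mail:send"}, 600)
    before = c.authorize("exporter", "crm:export", now=100)
    c.revoke("exporter")
    return before, c.authorize("exporter", "crm:export", 100), c.authorize("mailer", "mail:send", 100)
```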
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- A fuller walkthrough of the agent lifecycle failures that break traditional IGA models.
- Examples of how attribution collapses across multi-hop agent delegation chains.
- Operational guidance on visibility, policy, and revocation for agent activity.
- The author's recommended direction for a unified identity graph across humans and agents.
AI agent identity governance: what breaks in existing IAM controls?
Explore further
Human IAM assumes a person is in the loop, and that assumption is now failing. The article is right to frame the shift as a change in actor behaviour, not just a new tool category. Human identity stacks were tuned for clicks, prompts, and review cycles, while agents call tools and spawn follow-on work without waiting for a manager or a ticket queue. That means the governance model itself is out of sync with the runtime reality. Practitioners should treat this as a control-plane mismatch, not a usability problem.
A few things that frame the scale:
- 90% of organizations experienced at least one identity-related incident in the past year, according to the Ultimate Guide to NHIs.
- Our research also shows that only 5.7% of organizations have full visibility into their service accounts, which is a warning sign for any programme extending governance to AI agents.
A question worth separating out:
Q: What is the difference between agent identity and agency?
A: Agent identity tells you what the system is. Agency tells you what it can do, on whose behalf, with what scope, and for how long. Identity alone is not enough for AI systems that select tools and execute actions at runtime. Practitioners need to govern delegated action, not just authentication state.