AI agent identity governance: what IAM teams need to change

TL;DR: AI agents are already operating inside production environments, but 68% of organisations cannot clearly distinguish agent actions from human actions and nearly three-quarters say agents are granted more access than required, according to Aembit and the Cloud Security Alliance survey. The real issue is not logging alone: identity, access, and accountability are no longer aligned to the actor actually taking the action.

NHIMG editorial — based on content published by Aembit: AI agent identity and access in enterprise environments

By the numbers:

• Based on a survey of more than 200 organizations, the findings point to a clear gap between how access is granted and how it is actually used once agents are introduced.

Questions worth separating out

Q: How should security teams govern AI agents that reuse human or service account identities?

A: Security teams should give AI agents distinct identities and task-scoped access instead of reusing human credentials or shared service accounts.

Q: Why do AI agents complicate least privilege in IAM programmes?

A: AI agents complicate least privilege because they often inherit permissions from the identities they use, rather than receiving access designed for their own task boundary.

Q: What breaks when AI agents and humans share the same access model?

A: When AI agents and humans share the same access model, organisations lose clean attribution, stronger approval boundaries, and reliable review evidence.

Practitioner guidance

• Separate agent identities from human identities Create dedicated identities for AI agents so their actions, sessions, and audit trails are not blended with user activity or shared workload accounts.
• Scope access to the agent's actual request Replace inherited permission patterns with access defined at the point of request, using the narrowest entitlements needed for the specific action sequence.
• Review shared service accounts for agent use Find where agents are operating under human credentials, shared service accounts, or workload identities, then map each case to a distinct owner and purpose.

What's in the full report

Aembit's full article covers the operational detail this post intentionally leaves for the source:

• Survey methodology and respondent breakdown from more than 200 organisations, useful for benchmarking your own programme.
• The specific control patterns teams are using to separate agent identity from human identity in production environments.
• How organisations are combining behaviour monitoring, manual approval, token revocation, and environment termination to contain risky agent activity.
• The full survey framing on where access governance breaks down once agents begin inheriting permissions from parent identities.

👉 Read Aembit's analysis of AI agent identity and access governance →

AI agent identity governance: what IAM teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →