AI agent identity governance: what is your IAM team missing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: AI agents now operate alongside human workers at machine speed, but traditional IAM still assumes stable identities, office-hour behaviour, and human-initiated access, according to JumpCloud. The result is a visibility, accountability, and connectivity gap that makes unified governance a prerequisite, not an optimisation.

NHIMG editorial — based on content published by JumpCloud: AI agent identity governance, shadow AI, and the digital workforce

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that act without human input?

A: Security teams should treat AI agents as governed non-human identities with explicit ownership, registration, and revocation paths.

Q: Why do AI agents create a visibility problem for IAM teams?

A: AI agents often appear outside formal onboarding through shadow AI, scripts, or workflow tools, so they never enter the normal identity inventory.

Q: What breaks when organisations try to manage AI agents like human users?

A: What breaks is the assumption that identity follows predictable work hours, fixed sessions, and a stable start and end date.

Practitioner guidance

  • Extend discovery beyond directory records: Inventory AI agents across browsers, endpoints, scripts, and workflow tools so unmanaged identities are visible before policy design begins.
  • Separate human and machine governance paths: Apply human IAM controls to people only, then define distinct registration, approval, and revocation paths for AI agents and autonomous workflows.
  • Tie every agent to an accountable owner: Require a named business and technical owner for each agent so audit trails can answer who authorised it and who is responsible for its actions.

What's in the full article

JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:

  • How JumpCloud frames unified governance for human, NHI, and agentic identities in one workflow
  • The article's detailed breakdown of the visibility, management, accountability, and connectivity gaps
  • The vendor's explanation of how shadow AI shows up in day-to-day IT operations
  • The specific control-plane framing used to position agentic identity management

👉 Read JumpCloud's analysis of AI agent identity governance and shadow AI →




   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

AI agent identity governance is now a first-class identity discipline, not an extension of endpoint or automation management. The article describes a workforce where AI agents act alongside people, but the real issue is that those identities are not naturally bounded by human work patterns. That means traditional IAM, PAM, and lifecycle processes need to be evaluated against machine-paced execution, not repurposed by default. Practitioners should treat agent governance as a distinct operating model.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What should organisations do when an AI agent's purpose has expired?

A: They should revoke access and remove the agent from the governed inventory as soon as the business purpose ends. If the organisation cannot do that quickly and consistently, it risks creating a Zombie Agent that continues to act long after accountability has disappeared.

👉 Read our full editorial: AI agent identity governance exposes a major IAM mismatch



   