
AI agent identity governance: why the orchestration gap is widening


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Enterprises are adding AI agents, service accounts, and machine identities faster than legacy IAM can coordinate them, with some organisations reporting 1 to 17 AI agents per employee and 12 or more identity products in use, according to ConductorOne. The real failure is orchestration, because fixed reviews and siloed controls cannot keep pace with machine-speed delegation chains and continuous privilege changes.

NHIMG editorial — based on content published by ConductorOne: Access Management Needs a Conductor, Not More Instruments

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents and service accounts together?

A: Security teams should govern AI agents and service accounts through one orchestration layer that tracks sponsor, delegation, and revocation across every dependent identity.

Q: Why do periodic access reviews fail for agent-heavy environments?

A: Periodic reviews fail because they assume access remains stable long enough to be sampled and certified.

Q: What breaks when identity tools are strong but not coordinated?

A: What breaks is the enterprise decision chain.

Practitioner guidance

  • Inventory orchestration gaps across identity tools: Trace how changes move between IAM, PAM, governance, secrets, and agent controls.
  • Model delegation chains for every sponsored agent: Document the human sponsor, primary agent, and any sub-agents that inherit access or trigger downstream actions.
  • Replace periodic reviews with event-driven decisions: Use continuous authorization for high-risk machine identities, especially when agents authenticate frequently or can access production data and privileged workflows.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • How the orchestration layer maps across IAM, PAM, governance, and agent identity products.
  • The article's deeper examples of policy-as-code and continuous authorization in live environments.
  • The vendor's framing of identity fabric and Cybersecurity Mesh Architecture as coordination patterns.
  • Additional context on the market signals behind orchestration and composable identity.

👉 Read ConductorOne's analysis of access orchestration for AI agents and identity tools →

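The three guidance points above (inventory the chain, model sponsor/agent/sub-agent delegation, decide per event rather than per review cycle) can be made concrete in a few dozen lines. The following is an added example written for this thread, not code from ConductorOne or NHIMG; the registry, the identity names ("alice", "ops-agent", "ops-agent/worker-1") and the scope strings are constructed sample data. It records the sponsor of every identity, lets an agent inherit only scopes its sponsor holds, cascades revocation to every dependent, and re-evaluates the whole chain on each request, so a point-in-time certification and a request-time decision can be compared side by side:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Identity:
    """One human or machine identity (constructed sample model, not a vendor schema)."""
    name: str
    kind: str                       # "human" or "agent"
    sponsor: Optional[str] = None   # identity that delegated access to this one
    scopes: Set[str] = field(default_factory=set)
    active: bool = True


class DelegationRegistry:
    """In-memory registry recording sponsor, delegation and revocation for every identity."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.events: List[str] = []   # audit trail of delegation and revocation events

    def add_human(self, name: str, scopes: Set[str]) -> Identity:
        ident = Identity(name, "human", None, set(scopes))
        self.identities[name] = ident
        self.events.append(f"added human {name} scopes={sorted(scopes)}")
        return ident

    def delegate(self, sponsor: str, agent: str, scopes: Set[str]) -> Identity:
        """Create an agent or sub-agent whose access is inherited from its sponsor.
        Delegation may narrow access but never widen it: the sponsor must be active
        and must itself hold every scope being delegated."""
        sp = self.identities[sponsor]
        if not sp.active:
            raise PermissionError(f"sponsor {sponsor} is revoked; cannot delegate")
        excess = set(scopes) - sp.scopes
        if excess:
            raise PermissionError(f"{sponsor} cannot delegate scopes it lacks: {sorted(excess)}")
        ident = Identity(agent, "agent", sponsor, set(scopes))
        self.identities[agent] = ident
        self.events.append(f"{sponsor} delegated {sorted(scopes)} to {agent}")
        return ident

    def chain(self, name: str) -> List[str]:
        """Delegation chain from an identity up to its human root, e.g. [sub-agent, agent, human]."""
        out: List[str] = []
        cur: Optional[str] = name
        while cur is not None:
            out.append(cur)
            cur = self.identities[cur].sponsor
        return out

    def dependents(self, name: str) -> List[str]:
        """Every identity that directly or transitively inherits access from `name`."""
        found: List[str] = []
        frontier = [name]
        while frontier:
            parent = frontier.pop()
            for ident in self.identities.values():
                if ident.sponsor == parent and ident.name not in found:
                    found.append(ident.name)
                    frontier.append(ident.name)
        return found

    def revoke(self, name: str) -> List[str]:
        """Revoke an identity and cascade to every dependent; returns all names revoked."""
        revoked = [name] + self.dependents(name)
        for n in revoked:
            self.identities[n].active = False
        self.events.append(f"revoked {revoked}")
        return revoked

    def authorize(self, name: str, scope: str) -> bool:
        """Event-driven decision: re-check every link of the chain at request time.
        Granted only if each link is still active and still holds the scope, so a
        sponsor revoked a moment ago denies its agents immediately."""
        for link in self.chain(name):
            ident = self.identities[link]
            if not ident.active or scope not in ident.scopes:
                return False
        return True


def certify_snapshot(reg: DelegationRegistry) -> Dict[str, Set[str]]:
    """A periodic access review: a point-in-time copy of who holds what."""
    return {n: set(i.scopes) for n, i in reg.identities.items() if i.active}


def demo() -> dict:
    """Constructed scenario: human sponsor -> agent -> sub-agent, then a mid-cycle revocation."""
    reg = DelegationRegistry()
    reg.add_human("alice", {"read:prod-db", "deploy:staging", "admin:billing"})
    reg.delegate("alice", "ops-agent", {"read:prod-db", "deploy:staging"})
    reg.delegate("ops-agent", "ops-agent/worker-1", {"read:prod-db"})

    review = certify_snapshot(reg)                                  # quarterly review certifies the worker
    before = reg.authorize("ops-agent/worker-1", "read:prod-db")    # True
    revoked = reg.revoke("ops-agent")                               # the worker's sponsor is revoked
    after = reg.authorize("ops-agent/worker-1", "read:prod-db")     # False: chain re-checked per request
    stale = "read:prod-db" in review.get("ops-agent/worker-1", set())  # True: the review still says yes
    return {"chain": reg.chain("ops-agent/worker-1"), "before": before,
            "revoked": revoked, "after": after, "stale_review_allows": stale}


if __name__ == "__main__":
    print(demo())
```

The contrast in `demo()` is the point of the guidance: the certified snapshot keeps saying the sub-agent is entitled to `read:prod-db` after its sponsor was revoked, while the request-time check denies it because it walks the recorded chain. In a real deployment the registry would be fed by the IAM, PAM and secrets systems named in the post rather than held in memory.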
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Access orchestration is now the missing identity governance layer: The article is right that enterprises do not primarily lack identity tools. They lack a mechanism that synchronises those tools across human, machine, and agentic actors in real time. That is why the same environment can be well controlled at the component level and still fail at the system level. The practitioner conclusion is that architecture, not product count, is now the governance issue.

A few things that frame the scale:

  • The average enterprise runs 12 or more discrete identity products, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means orchestration failures often begin with incomplete inventory.

A question worth separating out:

Q: What is the difference between orchestration and having more identity tools?

A: More identity tools add capability, but orchestration makes those capabilities work together as one control plane. Orchestration coordinates timing, signal propagation, and policy interpretation across systems. Without it, the environment becomes harder to govern even if each product performs well on its own.

👉 Read our full editorial: Access management at AI speed needs orchestration, not more tools
