TL;DR: Browser-native AI and autonomous agents are pushing organizations toward a third identity class, while more than 99% of organizations are already moving ahead with AI initiatives and many still rely on fragmented, legacy security controls, according to JumpCloud. Reactive blocking drives usage underground; the real control problem is governed visibility, not prohibition.
NHIMG editorial — based on content published by JumpCloud: AI agent identity, unification, and the move beyond reactive blocking
By the numbers:
- Over 99% of organizations are already moving forward with AI initiatives.
- The 2026 Infrastructure Identity Survey found that 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams govern AI agent identity in enterprise environments?
A: Security teams should govern AI agents as distinct actors with scoped entitlements, session-level visibility, and explicit lifecycle controls.
Q: Why does blocking AI access often make governance worse?
A: Blocking often makes governance worse because users route around restrictions and move into shadow AI, where security teams lose visibility and auditability.
Q: What do organisations get wrong about least privilege for AI agents?
A: They often define least privilege from a static role description instead of the agent’s actual runtime behaviour.
Practitioner guidance
- Define a separate governance model for AI agents: Map AI agents as distinct governed actors with their own lifecycle, session controls, and entitlement boundaries instead of reusing human or service-account templates.
- Replace reactive blocking with approved access paths: Create sanctioned workflows for AI use that include logging, policy checks, and data handling controls so employees do not move to shadow AI tools outside identity visibility.
- Converge identity and access controls into one plane: Bring human, machine, and agent access telemetry into a single operational view so least privilege can be enforced across the same data and tool set.
What's in the full article
JumpCloud's full blog covers the operational detail this post intentionally leaves for the source:
- How the vendor frames a unified control plane for AI, human, and machine identities in day-to-day operations
- The specific guardrail model used to distinguish governed AI access from shadow AI behaviour
- The article's full roadmap for moving from reactive blocking to approved, trackable AI use
- Additional implementation context around integrating identity, device, and access controls