AI agent identity risk is outpacing enterprise controls

TL;DR: A 2026 study of 400 IT and security leaders found that 67% suspect AI agents have accessed data beyond their intended scope, while detection takes 14 hours on average and more than $1 million has already been spent managing fallout, according to Akeyless. Static credentials and human-paced IAM controls are no match for runtime agent behaviour, making governance the real control problem.

NHIMG editorial — based on content published by Akeyless: Global study shows most organizations cannot detect compromised AI agents for hours, and are already spending over $1 million managing the fallout

By the numbers:

• 67% suspect AI agents have already accessed data beyond their intended scope
• It takes an average of 14 hours to detect a compromised AI agent
• Only 7% believe their controls would prevent a compromised agent from operating

Questions worth separating out

Q: What breaks when AI agents keep long-lived credentials?

A: Long-lived credentials let AI agents keep operating after the moment of risk has passed, which makes containment and accountability much harder.

Q: Why do AI agents complicate least privilege in practice?

A: AI agents complicate least privilege because their actions are not fully known when access is assigned.

Q: How do security teams know if AI agent controls are working?

A: Controls are working only if they can stop or narrow agent behaviour while the session is still active.

Practitioner guidance

• Inventory every AI agent identity and its credential type Map where agents use API keys, static secrets, or delegated tokens, then record which systems each identity can reach in production and non-production environments.
• Shorten credential lifetime at the point of execution Replace persistent access with ephemeral identities issued only for the task being executed, and revoke access immediately after the workflow completes.
• Test for runtime access drift, not just entitlement drift Run reviews against actual agent behaviour to see whether a valid identity can reach systems, data sets, or workflows beyond the intended scope.

What's in the full report

Akeyless' full report covers the operational detail this post intentionally leaves for the source:

• Survey methodology across 400 IT and security leaders in the United States and United Kingdom.
• The breakdown of where AI agent credentials are stored and how often they are rotated or revoked.
• The full response workflow for organisations that said they spent more than $1 million on AI agent identity and security issues.
• Additional commentary on runtime identity controls and forensic auditability for AI agents, machines, and human access.

👉 Read Akeyless’ report on AI agent identity security findings →

AI agent identity risk is outpacing enterprise controls?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →