Notifications
Clear all
Topic starter
12/06/2026 10:01 pm
TL;DR: Machine identities now outnumber human employees by 82 to 1, while 59% of employees are using unapproved AI tools and 75% admit to sharing sensitive data with them, according to JumpCloud. The old human-versus-service-account model no longer fits autonomous behaviour, and access governance now has to account for identity that can decide and act at machine speed.
NHIMG editorial — based on content published by JumpCloud: the third face of identity and AI agent risk
By the numbers:
- Machine identities now outnumber human employees by an average of 82 to 1.
- 59% of employees are using unapproved AI tools.
- 75% of them admit to sharing sensitive data with these agents.
Questions worth separating out
Q: How should security teams classify AI agents in identity programmes?
A: Classify by behaviour first.
Q: Why do AI agents complicate least privilege planning?
A: Least privilege depends on knowing the likely action path at provisioning time.
Q: What breaks when shadow AI is not inventoried?
A: Without inventory, the organisation loses visibility into who owns the agent, what data it touches, and how it is retired.
Practitioner guidance
- Inventory autonomous actors separately from service accounts Create a distinct register for AI agents, including owner, data access, tool access, and offboarding path.
- Limit agent authority to task-scoped execution Require explicit task boundaries, read-only by default, and write access only where a human can justify the business need.
- Review shadow AI for data-sharing exposure Search for unapproved AI tools in engineering, marketing, and support workflows, then block sensitive data from flowing into unmanaged agents.
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- The article's decision tree for deciding when to treat an AI system as a standard NHI, a human-facing workflow, or an autonomous actor.
- The article's comparison of the "service account" and "human" mental models, including the failure modes of each.
- The article's examples of shadow AI and the practical reasons unmanaged agents evade normal identity controls.
- The article's quiz format, which can help teams test how they would govern real-world agent scenarios.
👉 Read JumpCloud's analysis of the third face of identity and AI agent risk →
AI agent identity risk: what IAM teams are missing now?
Explore further
13/06/2026 12:31 am
AI agents expose an assumption collapse in enterprise identity governance: access review was designed for actors whose privilege persists long enough to be observed, certified, and revoked. That assumption fails when the actor can decide and act within a live session, because the governance window no longer matches the execution window. The implication is that review-based IAM alone cannot describe or control agent behaviour.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- Another finding from the same research shows that 97% of NHIs carry excessive privileges, which broadens the attack surface and makes over-permissioning the default state.
A question worth separating out:
Q: Who should be accountable for autonomous AI access decisions?
A: Accountability should sit with the business owner who approved the use case, the platform team that issued the credentials, and the identity team that governs access policy. The key is to define ownership before the agent is allowed to act, because post-incident reconstruction is too late to create accountability.
👉 Read our full editorial: AI agents break the human versus service account identity model
