TL;DR: Akeyless and MRA Research surveyed 400 IT and security leaders and found that 94% already use AI agents, 85% say those agents can access sensitive data, and more than two-thirds suspect agents have gone beyond intended scope. The identity model built for human sessions and static workloads is breaking under continuous, delegated, machine-speed access, and that assumption collapse is now the governance problem.
NHIMG editorial — based on content published by Akeyless: AI agent identity security survey findings and implications
By the numbers:
- 94% of organizations report some level of AI agent use today, with more than half saying they are deployed broadly across multiple parts of the business.
- Only 44% of organizations say they know where all the credentials or secrets used by AI agents are stored.
Questions worth separating out
Q: How should security teams govern AI agent access in enterprise environments?
A: Security teams should treat AI agent access as runtime-governed identity, not as a one-time provisioning event.
Q: Why do AI agents complicate existing IAM and PAM controls?
A: AI agents complicate IAM and PAM because they often inherit delegated credentials, operate across multiple systems, and keep acting after the initial approval moment has passed.
Q: What breaks when AI agents rely on long-lived secrets and tokens?
A: Long-lived secrets create durable access paths that survive task completion, code changes, and even vendor compromise.
Practitioner guidance
- Inventory every AI agent credential path: Map API keys, OAuth grants, service accounts, static secrets, and workflow bindings to each agent, then record where each credential is stored and who can rotate it.
- Replace standing agent access with ephemeral credentials: Move AI agents off long-lived secrets where possible and constrain remaining credentials to the narrowest task scope and shortest feasible lifetime.
- Enforce runtime policy on agent actions: Apply policy at the moment the agent calls tools or accesses data, rather than relying on pre-approval alone.
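The three guidance items above, as an added example that is not from Akeyless or the survey: one inventory record per credential path, an audit that flags unknown storage, missing rotation ownership and standing access, and a check evaluated at each tool call. The record fields, the one-hour lifetime ceiling, the agent and tool names, and the rule that standing credentials are denied at runtime are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_LIFETIME = timedelta(hours=1)  # assumed ceiling, not a figure from the survey

@dataclass(frozen=True)
class AgentCredential:  # hypothetical inventory record
    agent: str
    kind: str  # api_key | oauth_grant | service_account | static_secret | workflow_binding
    stored_in: Optional[str]        # None = storage location unknown
    rotation_owner: Optional[str]   # None = nobody is recorded as able to rotate it
    issued_at: datetime
    expires_at: Optional[datetime]  # None = standing access
    allowed_tools: frozenset

def audit(cred):
    """Inventory findings for one credential path."""
    findings = []
    if cred.stored_in is None:
        findings.append("storage location unknown")
    if cred.rotation_owner is None:
        findings.append("no rotation owner")
    if cred.expires_at is None:
        findings.append("standing access (no expiry)")
    elif cred.expires_at - cred.issued_at > MAX_LIFETIME:
        findings.append("lifetime exceeds ceiling")
    return findings

def authorize(cred, tool, now):
    """Decision taken at each tool call, not at provisioning time."""
    if cred.expires_at is None or now >= cred.expires_at:
        return False, "credential standing or expired"
    if tool not in cred.allowed_tools:
        return False, "tool outside task scope"
    return True, "ok"

T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data below
INVENTORY = [
    AgentCredential("invoice-agent", "oauth_grant", "vault:agents/invoice", "finance-platform",
                    T0, T0 + timedelta(minutes=15), frozenset({"read_invoice"})),
    AgentCredential("support-agent", "static_secret", None, None,
                    T0, None, frozenset({"read_ticket", "export_customers"})),
]

if __name__ == "__main__":
    for c in INVENTORY:
        print(c.agent, audit(c) or "clean")
    print(authorize(INVENTORY[0], "read_invoice", T0 + timedelta(minutes=20)))
```

The same grant that passes `authorize` five minutes after issuance is refused twenty minutes after, which is the difference between pre-approval and a decision made at call time.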
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the practical signal is that delegated access is still being expanded faster than it can be governed.
👉 Read Akeyless's survey on AI agent identity security and runtime access risk →
AI agent identity security is becoming a runtime governance problem, not a provisioning problem. The survey shows that AI agents are already in core business systems, but organisations are still trying to govern them with identity models built for humans and static workloads. That mismatch is visible in the low confidence levels, the heavy use of persistent credentials, and the widespread bypass of IAM controls. The practitioner conclusion is that access control has moved from setup to continuous execution.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which means delegated access is still being governed with partial sight.
A question worth separating out:
Q: Who is accountable when a compromised AI agent misuses delegated access?
A: Accountability usually spans the business owner of the workflow, the team that issued or approved the credential, and the vendor if a third-party integration was involved. The critical governance question is not who logged in, but who allowed the delegation chain to exist and remain valid. That chain must be documented before incidents occur.
👉 Read our full editorial: AI agent identity security is outgrowing human IAM controls