AI agent inventory gaps: what IAM teams need to see now

TL;DR: Enterprise AI agents are already operating at scale, often without review or governance, with Fortune 50 environments showing more than 150,000 agent-tied resources and 82% of those agents built by non-professional developers, according to Zenity. The real issue is not future adoption but unmanaged runtime identity sprawl that makes visibility the prerequisite for control.

NHIMG editorial — based on content published by Zenity: Your AI Agent Inventory Is Incomplete. Here's What That Means for Risk

By the numbers:

• Zenity data shows Fortune 50 organizations carrying attack surfaces with more than 150,000 resources tied to agents and automations.

Questions worth separating out

Q: How should security teams inventory AI agents across SaaS, cloud, and low-code platforms?

A: Security teams should inventory AI agents by linking each connected identity to its owner, permissions, data sources, and execution scope across every platform they touch.

Q: Why do AI agents create more identity risk than ordinary automation?

A: AI agents create more identity risk because they can combine access across multiple systems, invoke APIs, and trigger downstream actions within one session.

Q: What breaks when an AI agent is deployed without formal ownership?

A: When an AI agent has no formal owner, review, offboarding, and incident response all become slower and less reliable.

Practitioner guidance

• Inventory every connected agent and automation Create a live register of all agents, the systems they can reach, the credentials they use, and the business owner accountable for each one.
• Classify agent permissions by business action Map each agent to the data it can read, the APIs it can invoke, and the workflows it can trigger so that scope is measured in outcomes, not just entitlements.
• Attach lifecycle triggers to agent credentials Require offboarding, review, and revalidation triggers for every agent secret or token so credentials do not survive project abandonment or ownership change.

What's in the full article

Zenity's full article covers the operational detail this post intentionally leaves for the source:

• How Zenity identifies hidden agents and categorises them into sanctioned, misconfigured, and unknown populations.
• The specific enterprise examples behind the 150,000-resource and 2,000-agent figures.
• The remediation outcomes Zenity reports from assigning ownership and automating high-risk violation handling.
• The board-level roadmap content bundled in the downloadable CISO guide.

👉 Read Zenity's analysis of incomplete AI agent inventory and enterprise risk →

AI agent inventory gaps: what IAM teams need to see now?

Explore further

View Full Forum →  |  NHI Foundation Course →