AI agents and the zero trust governance gap for IAM teams

TL;DR: AI agents are no longer behaving like scripted automation, and JumpCloud’s article argues that identity and access controls must shift from static trust assumptions to supervised, task-scoped governance. That matters because 61% of organisations report unsanctioned AI use, while perceived AI maturity still outpaces real readiness by 18 points.

NHIMG editorial — based on content published by JumpCloud: Zero Trust for AI and the trust trap in autonomous work

By the numbers:

• 61% of organizations report the unsanctioned use of AI tools, creating a sprawling network of Shadow AI.
• Only 22% qualify as fully ready to govern AI at scale, even though 40% of organizations consider themselves AI mature.
• The gap between perceived AI maturity and objective readiness is 18 points.

Questions worth separating out

Q: What breaks when AI agents are governed like scripts or service accounts?

A: What breaks is the assumption that access can be defined once and then safely reused.

Q: Why do AI agents complicate zero trust governance for IAM teams?

A: AI agents complicate zero trust because the trust question shifts from who authenticated to what the actor is doing right now.

Q: How do security teams know whether AI agent governance is actually working?

A: They know it is working when agents stay within tightly bounded tasks, high-risk actions still require human approval, and unsanctioned AI use is being discovered rather than ignored.

Practitioner guidance

• Define separate governance paths for human, machine, and AI identities Classify each actor before assigning controls so that authentication, rotation, lifecycle review, and supervision match the actual identity type rather than the workflow label.
• Issue task-scoped identities for each AI agent Avoid shared or general admin access.
• Require human approval for high-impact agent actions Set explicit approval gates for actions that delete, move, or change production data, and make sure the agent can prepare work but not complete irreversible steps unauthorised.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

• Practical examples of the three identity categories and how they differ in day-to-day governance
• The full Zero Trust for AI framework, including supervised autonomy and probationary access
• JumpCloud's assessment language for evaluating AI readiness across your organisation
• The article's explanation of the 'digital intern' model for scoping agent permissions

👉 Read JumpCloud's analysis of zero trust governance for AI agents →

AI agents and the zero trust governance gap for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →