TL;DR: Autonomous AI agents are acting fast while organisations still struggle with visibility, policy, and accountability across identity systems, according to Strata Identity’s CSA Survey Report 2026. Existing IAM models were built for access that can be reviewed later, but autonomous behaviour compresses that window and breaks the assumptions behind governance.
NHIMG editorial — based on content published by Strata Identity: Agentic Identity, Securing Autonomous AI Agents
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should organisations govern AI agents that can make runtime decisions?
A: Governance should move from static entitlement review to runtime control of what the agent may do, which tools it may use, and when escalation is required.
Q: Why do autonomous AI agents create more risk than ordinary service accounts?
A: Service accounts usually act within a fixed purpose, while autonomous agents can re-order tasks, select tools, and expand their own execution path.
Q: What breaks when access reviews are used for AI agent governance?
A: Access reviews break when the important question is not whether an account exists, but what the agent did between review cycles.
Practitioner guidance
- Define agent-specific approval boundaries: Document which actions an AI agent may initiate without human intervention, which actions require pre-approval, and which actions must always fail closed when context changes.
- Bind agent identity to tool-level scope: Model each agent against the exact tools, data sources, and downstream systems it can reach, then remove broad platform-level entitlements that hide overreach.
- Instrument decision lineage for audit: Capture the agent’s action sequence, tool selection, and delegation path so investigators can reconstruct why a request happened, not just that it happened.
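One way to combine the three guidance points at a single enforcement point, as an added example that is not code from Strata Identity or the report: a per-agent, tool-level policy that fails closed on unknown tools or changed context, requires a human approver for gated tools, and writes every decision to a hash-chained lineage log. The `AgentPolicy` schema, the `Gate` class, and the agent, tool and owner names are hypothetical.

```python
import hashlib
import json
from dataclasses import dataclass, field

ALLOW, NEEDS_APPROVAL, DENY = "allow", "needs_approval", "deny"

@dataclass
class AgentPolicy:              # hypothetical schema, one record per agent
    owner: str                  # function accountable for these boundaries
    autonomous: frozenset       # tools callable without human intervention
    pre_approval: frozenset     # tools that need a human gate first
    approved_context: dict      # context the boundaries were approved for

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class Gate:
    policies: dict
    lineage: list = field(default_factory=list)

    def decide(self, agent, tool, context, delegation_path, approved_by=None):
        p = self.policies.get(agent)
        if p is None:
            decision, reason = DENY, "unknown agent"
        elif any(context.get(k) != v for k, v in p.approved_context.items()):
            decision, reason = DENY, "context changed since approval"
        elif tool in p.autonomous:
            decision, reason = ALLOW, "within autonomous scope"
        elif tool in p.pre_approval:
            decision = ALLOW if approved_by else NEEDS_APPROVAL
            reason = f"human gate, approver={approved_by}"
        else:
            decision, reason = DENY, "tool outside agent scope"
        prev = self.lineage[-1]["hash"] if self.lineage else "0" * 64
        entry = {"seq": len(self.lineage), "agent": agent, "tool": tool, "context": context,
                 "path": list(delegation_path), "decision": decision, "reason": reason, "prev": prev}
        self.lineage.append({**entry, "hash": _digest(entry)})  # chain makes edits detectable
        return decision

    def lineage_intact(self):
        prevs = ["0" * 64] + [e["hash"] for e in self.lineage]
        return all(e["prev"] == p and _digest(e) == e["hash"]
                   for e, p in zip(self.lineage, prevs))

# Constructed sample policy: agent, tools and owner are made up for illustration.
SAMPLE = {"invoice-agent": AgentPolicy("finance-platform", frozenset({"read_invoices"}),
                                       frozenset({"issue_refund"}), {"env": "prod"})}
```

Denied and pending requests are logged as well as allowed ones, so the lineage shows what the agent attempted between review cycles and through which delegation path.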
What's in the full report
Strata Identity's full whitepaper covers the operational detail this post intentionally leaves for the source:
- The underlying survey framing behind the state of multi-cloud identity research and how the agentic identity section fits into the wider report
- The full whitepaper structure around identity fabric, orchestration, and modernization topics beyond the agentic AI section
- The vendor's own research context on tech debt, talent gaps, lock-in, visibility, and IDP outages across multi-cloud identity programmes
👉 Read Strata Identity's whitepaper on agentic identity and autonomous AI agents →
Autonomous AI agents and identity control gaps for IAM teams?
Explore further
Agentic identity governance is not just NHI governance with a new label. AI agents bring runtime discretion into the identity layer, which means the subject is no longer simply a credentialed workload executing a known job. The governance problem shifts from provisioning an account to constraining an actor that can choose its own sequence of actions. Practitioners need to treat this as a distinct control domain, not a repackaged service-account problem.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity inventory becomes when machine identities scale faster than governance.
A question worth separating out:
Q: Who should be accountable when an AI agent exceeds its intended scope?
A: Accountability should sit with the function that approved the agent’s operating boundaries and owns its lifecycle, not with the audit team after the fact. If an agent can act without a human gate, organisations need a clear owner for provisioning, monitoring, revocation, and incident response across the full delegated path.
👉 Read our full editorial: Agentic identity and autonomous AI agents expose IAM blind spots