TL;DR: Autonomous AI agents are acting fast while organisations still struggle with visibility, policy, and accountability across identity systems, according to Strata Identity’s CSA Survey Report 2026. Existing IAM models were built for access that can be reviewed later, but autonomous behaviour compresses that window and breaks the assumptions behind governance.
NHIMG editorial — based on content published by Strata Identity: Agentic Identity, Securing Autonomous AI Agents
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- Non-human identities (NHIs) outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should organisations govern AI agents that can make runtime decisions?
A: Governance should move from static entitlement review to runtime control of what the agent may do, which tools it may use, and when escalation is required.
Q: Why do autonomous AI agents create more risk than ordinary service accounts?
A: Service accounts usually act within a fixed purpose, while autonomous agents can re-order tasks, select tools, and expand their own execution path.
Q: What breaks when access reviews are used for AI agent governance?
A: Access reviews break when the important question is not whether an account exists, but what the agent did between review cycles.
Practitioner guidance
- Define agent-specific approval boundaries: Document which actions an AI agent may initiate without human intervention, which actions require pre-approval, and which actions must always fail closed when context changes.
- Bind agent identity to tool-level scope: Model each agent against the exact tools, data sources, and downstream systems it can reach, then remove broad platform-level entitlements that hide overreach.
- Instrument decision lineage for audit: Capture the agent’s action sequence, tool selection, and delegation path so investigators can reconstruct why a request happened, not just that it happened.
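The three guidance points above can be combined in one runtime gate. The following is an added sketch, not code from Strata Identity or the report; the agent name `invoice-bot`, the tool names, the context strings and the policy layout are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed policy: "allow" = may run unattended, "approve" = needs human pre-approval.
POLICY = {"invoice-bot": {"context": "tenant-a/prod",
                          "tools": {"erp.read_invoice": "allow", "erp.issue_refund": "approve"}}}

@dataclass
class Request:
    agent: str
    tool: str
    context: str
    approved_by: str = ""   # human approver, empty if none
    parent: int = 0         # lineage id of the step that triggered this call (0 = root)

@dataclass
class Gate:
    policy: dict
    lineage: list = field(default_factory=list)

    def decide(self, req: Request) -> dict:
        entry = self.policy.get(req.agent, {})
        rule = entry.get("tools", {}).get(req.tool)
        if req.context != entry.get("context"):
            outcome = "deny:context-changed"   # fail closed before anything else
        elif rule is None:
            outcome = "deny:out-of-scope"      # tool is not bound to this agent
        elif rule == "approve" and not req.approved_by:
            outcome = "escalate"               # hold for human pre-approval
        else:
            outcome = "allow"
        rec = {"id": len(self.lineage) + 1, "agent": req.agent, "tool": req.tool,
               "parent": req.parent, "approved_by": req.approved_by, "outcome": outcome}
        self.lineage.append(rec)               # denials are recorded as well
        return rec

def trace(lineage: list, rec_id: int) -> list:
    """Walk parent links back to the root to show why a call happened."""
    by_id, path = {r["id"]: r for r in lineage}, []
    while rec := by_id.get(rec_id):
        path.append(f'{rec["tool"]}={rec["outcome"]}')
        rec_id = rec["parent"]
    return path[::-1]

def run_sample() -> Gate:
    gate = Gate(POLICY)
    read = gate.decide(Request("invoice-bot", "erp.read_invoice", "tenant-a/prod"))
    gate.decide(Request("invoice-bot", "erp.issue_refund", "tenant-a/prod", parent=read["id"]))
    gate.decide(Request("invoice-bot", "hr.export_payroll", "tenant-a/prod", parent=read["id"]))
    gate.decide(Request("invoice-bot", "erp.read_invoice", "tenant-b/prod"))
    return gate
```

Calling `trace(gate.lineage, 3)` on the sample returns the chain from the initial invoice read to the denied payroll export, which is the record an investigator needs between review cycles.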
What's in the full report
Strata Identity's full whitepaper covers the operational detail this post intentionally leaves for the source:
- The underlying survey framing behind the state of multi-cloud identity research and how the agentic identity section fits into the wider report
- The full whitepaper structure around identity fabric, orchestration, and modernization topics beyond the agentic AI section
- The vendor's own research context on tech debt, talent gaps, lock-in, visibility, and IDP outages across multi-cloud identity programmes