Zombie agents and offboarding gaps: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: AI agents created by employees can keep running after offboarding, leaving organisations with no centralized shutdown path, no inventory, and no agent offboarding protocol, according to JumpCloud. That is not a tooling gap alone; it is a workforce definition failure that makes human lifecycle controls incomplete for autonomous systems.

NHIMG editorial — based on content published by JumpCloud: Zombie Agents and the new lifecycle problem for AI workers

By the numbers:

Questions worth separating out

Q: What breaks when AI agents are not included in offboarding?

A: When AI agents are excluded from offboarding, they can keep accessing data and systems after the human owner leaves.

Q: Why do autonomous agents complicate workforce lifecycle governance?

A: Autonomous agents complicate lifecycle governance because they can act independently of the person who created them.

Q: How do security teams know if an agent is still properly governed?

A: Security teams should look for an inventoried owner, a defined business purpose, a revocation path, and a current access review record.

Practitioner guidance

  • Inventory every deployed agent at onboarding: Require managers to register any agent created for analysis, reporting, or outreach as part of role setup, with a named owner, business purpose, and shutdown path.
  • Bind agent privilege to the responsible human: Set policy so an agent can never exceed the authority of the employee accountable for it, and review that mapping whenever duties change.
  • Add agent shutdown to the offboarding checklist: Make deprovisioning include every agent, workflow, token, and data connector the departing employee deployed or administered, with security validation before case closure.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • The manager-to-agent ownership model and how JumpCloud suggests mapping digital workers to accountable humans.
  • The specific onboarding, in-life, and offboarding steps JumpCloud proposes for an agentic workforce.
  • The HR, IT, and Security operating split the article uses to explain where lifecycle responsibility should sit.
  • The practical blueprint for treating AI agents as governed workforce entities rather than invisible automations.

👉 Read JumpCloud’s analysis of Zombie Agents and hybrid workforce governance →
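
The governance checks named in the post above (inventoried owner, business purpose, revocation path, current access review, and agent privilege bounded by the owner's authority), run over an agent inventory as an added example that is not part of the original post or JumpCloud's article. The record fields, scope strings, sample data and the 90-day review window are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data; field names and scope strings are assumptions.
ACTIVE_STAFF = {"alice": {"crm:read", "crm:write", "reports:read"},
                "bob": {"reports:read"}}
AGENTS = [
    {"id": "agt-weekly-report", "owner": "bob", "purpose": "weekly KPI report",
     "revocation": "disable service account svc-report",
     "last_review": date(2025, 5, 20), "scopes": {"reports:read"}},
    {"id": "agt-outreach", "owner": "carol", "purpose": "customer outreach",
     "revocation": None, "last_review": date(2024, 11, 1),
     "scopes": {"crm:read", "crm:write"}},
    {"id": "agt-analysis", "owner": "bob", "purpose": "",
     "revocation": "revoke API token", "last_review": date(2025, 6, 1),
     "scopes": {"reports:read", "crm:read"}},
]

def audit_agent(agent, active_staff, today, max_review_age_days=90):
    """Return the list of governance findings for one inventory record."""
    findings = []
    owner = agent.get("owner")
    if owner not in active_staff:
        # Owner never registered, or removed from the directory at offboarding.
        findings.append("owner missing or offboarded")
    else:
        # The agent must not hold scopes its accountable human lacks.
        excess = agent.get("scopes", set()) - active_staff[owner]
        if excess:
            findings.append("exceeds owner authority: " + ", ".join(sorted(excess)))
    if not agent.get("purpose"):
        findings.append("no business purpose")
    if not agent.get("revocation"):
        findings.append("no revocation path")
    reviewed = agent.get("last_review")
    if reviewed is None or (today - reviewed).days > max_review_age_days:
        findings.append("access review missing or stale")
    return findings

def audit_inventory(agents, active_staff, today):
    """Map agent id -> findings, keeping only agents that fail a check."""
    report = {a["id"]: audit_agent(a, active_staff, today) for a in agents}
    return {k: v for k, v in report.items() if v}

if __name__ == "__main__":
    result = audit_inventory(AGENTS, ACTIVE_STAFF, date(2025, 6, 30))
    for agent_id, findings in result.items():
        print(agent_id, "->", "; ".join(findings))
```

Running the same audit as a gate on offboarding case closure, with the departing employee already removed from the active staff set, lists every agent that would outlive its owner.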

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Zombie agents expose a lifecycle definition failure, not just a control gap. The article is right to frame the issue as a workforce governance problem, because organisations already know how to offboard humans but not the digital workers they create. The missing premise is simple: identity programmes still assume that when the employee exits, the work stops. Practitioners need to treat agent presence as a first-class lifecycle object, not an incidental automation artifact.

A few things that frame the scale:

  • 55% of organizations lack a centralized way to shut down an AI agent if it goes rogue or if its human owner leaves the company, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • In the same research, 91% of former employee tokens remain active after offboarding, which shows how often lifecycle control fails at the point where accountability should end.

A question worth separating out:

Q: Who is accountable when a zombie agent remains active after an employee leaves?

A: Accountability should sit with the business owner, but enforcement must be shared across HR, IT, and Security. HR defines the workforce event, IT removes access paths, and Security verifies the agent is no longer active. If those functions are split, the organisation will usually discover the problem only after the agent has already outlived the employee.

👉 Read our full editorial: Zombie agent governance is the next offboarding problem



   