TL;DR: As AI tools spread across departments, legacy IT becomes a control and visibility bottleneck. JumpCloud cites that 37% of IT professionals see unauthorized access by automated agents as a serious threat and that more than 50% of enterprises say legacy IT slows scaling. Old identity and device foundations no longer match the pace of agentic adoption.
NHIMG editorial — based on content published by JumpCloud: legacy infrastructure, AI adoption, and identity governance in the agentic future
By the numbers:
- 37% of IT professionals view unauthorized access by automated agents as a serious security threat.
- Over 50% of enterprises find legacy IT actively slows their ability to scale.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should security teams govern AI tools and automated agents in legacy environments?
A: Start by treating AI tools and automated agents as identity subjects with scoped access, owners, and review cycles.
Q: Why do legacy systems make AI governance harder for IAM teams?
A: Legacy systems fragment identity, device, and application control, which makes it difficult to see who or what has access at any moment.
Q: What breaks when automated agents have more access than human workers?
A: The main failure is not just overprivilege; it is loss of proportionality.
Practitioner guidance
- Map unmanaged AI and automation entry points: Inventory departmental tools, scripted workflows, and AI assistants that can reach production data or applications without central approval.
- Unify identity and device governance: Bring user, service account, and AI-access policy into one operational view so security teams can see privilege, device posture, and tool usage together.
- Re-scope non-human permissions to the task boundary: Reduce standing access for bots, scripts, and AI-enabled tools to the minimum required for the current function.
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- How JumpCloud frames the Work Transformation Set across identity, device, and productivity layers.
- The self-assessment questions used to judge whether current IT foundations are ready for an agentic future.
- The full budgeting guidance on reinvesting software spend into patching and device management.
- The article's discussion of optionality and vendor fallback planning across critical capabilities.