TL;DR: Gartner’s January 2026 analysis says enterprises are moving from experimental generative AI to autonomous agents, and predicts 50% of all service requests will be initiated by non-human identity customers powered by agentic AI by 2030, according to Oasis Security’s summary of the report. Traditional IAM, PAM, and IGA controls do not handle non-deterministic agent behaviour.
NHIMG editorial — based on content published by Oasis Security: Oasis named in industry analyst report highlighting emerging tech in AI TRISM and agentic AI
By the numbers:
- g Tech: Top-Funded Startups in AI TRISM: Agentic AI and Beyond, Mark Wah, David Senf, Tarun Rohilla, 13 January 2026.
Questions worth separating out
Q: How should security teams govern agentic AI identities in enterprise environments?
A: Security teams should govern agentic AI identities as runtime actors, not static accounts.
Q: Why do traditional IAM and PAM controls struggle with autonomous AI agents?
A: Traditional IAM and PAM controls assume access can be granted, reviewed, and removed around a stable identity.
Q: What breaks when shadow AI is not included in identity governance?
A: When shadow AI is excluded, the organisation loses discovery, ownership, and enforcement at the same time.
Practitioner guidance
- Inventory agentic activity across cloud, SaaS, and endpoints: Build a discovery process that identifies managed agents, local copilots, and shadow AI before attempting to govern entitlements.
- Move high-risk agent access to session-scoped privilege: Require access to be evaluated at request time, provisioned only for the current task, and removed when the session completes.
- Separate agent governance from human IAM workflows: Do not apply employee access review and certification patterns unchanged to autonomous systems.
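The session-scoped privilege pattern in the second item, sketched as an added example (this is not code from Oasis Security or the source report). The `SessionBroker` class, the `POLICY` table, and the agent and resource names are hypothetical and constructed for illustration.

```python
import secrets
import time
from contextlib import contextmanager

# Constructed policy (assumption): (agent, action, resource) -> max session seconds.
POLICY = {("billing-agent", "read", "invoices"): 60}

class SessionBroker:
    """Issues one credential per task and deletes it when the task ends."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock = policy, clock
        self._grants = {}   # token -> (action, resource, expires_at)
        self.audit = []     # (event, agent, action, resource)

    @contextmanager
    def session(self, agent, action, resource):
        # Evaluated at request time: no standing entitlement is consulted.
        ttl = self.policy.get((agent, action, resource))
        if ttl is None:
            self.audit.append(("deny", agent, action, resource))
            raise PermissionError(f"{agent} may not {action} {resource}")
        token = secrets.token_urlsafe(32)
        self._grants[token] = (action, resource, self.clock() + ttl)
        self.audit.append(("grant", agent, action, resource))
        try:
            yield token
        finally:
            # Removed when the session completes, even if the task raised.
            self._grants.pop(token, None)
            self.audit.append(("revoke", agent, action, resource))

    def authorize(self, token, action, resource):
        grant = self._grants.get(token)
        if grant is None:
            return False                      # unknown or already revoked
        g_action, g_resource, expires_at = grant
        if self.clock() >= expires_at:
            self._grants.pop(token, None)     # expired mid-session
            return False
        return (action, resource) == (g_action, g_resource)

def demo():
    broker = SessionBroker(POLICY)
    with broker.session("billing-agent", "read", "invoices") as tok:
        in_scope = broker.authorize(tok, "read", "invoices")
        out_of_scope = broker.authorize(tok, "write", "invoices")
    after_session = broker.authorize(tok, "read", "invoices")
    return in_scope, out_of_scope, after_session
```

The audit list records every grant, denial, and revocation, which gives reviewers the runtime record of what each agent session was allowed to do.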
What's in the full analysis
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- How Oasis describes its AI Security Posture Management discovery model for cloud, SaaS, and on-premises environments.
- How its agentic access management flow scopes a session identity to a single request and deletes it after completion.
- How the article frames shadow AI discovery through endpoint integrations such as EDR visibility.
- How the source positions its approach against legacy IAM, PAM, and IGA assumptions in more operational detail.
Agentic AI identity gap: what it means for IAM teams
Explore further
Agentic AI creates an identity class that legacy governance was not designed to certify. IAM, PAM, and IGA all assume that the subject of control is stable enough to assign, review, and revoke over time. Autonomous agents weaken that assumption because access can be generated, used, and discarded inside the same operational loop. The implication is not simply that controls must become faster, but that the governance model itself has to recognise runtime identity as a distinct class.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to the AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree governance is critical to enterprise security.
A question worth separating out:
Q: How do AI agent access reviews differ from human access reviews?
A: AI agent access reviews should focus on runtime behaviour, ownership, and the scope of delegated tool use, not employee lifecycle events. Human reviews assume stable job roles and enduring entitlements. Agent reviews must instead ask whether the agent still exists, whether its tasks changed, and whether the access path is still justified for that specific execution pattern.