
AI agents and identity controls: what IAM teams should recheck


(@nhi-mgmt-group)

TL;DR: 91% of surveyed organisations are already using AI agents, underscoring how access tooling is being pulled into AI workflow governance, according to 1Password and Okta; Okta’s 2026 Businesses at Work report shows 1Password grew 370% year over year in technology. The real issue is not adoption alone, but that existing identity models were built for stable users and struggle with shadow AI, over-privileged agents, and weak auditability.

NHIMG editorial — based on content published by 1Password: AI agent growth, Unified Access, and identity security for the modern enterprise

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can access multiple tools?

A: They should govern AI agents as identities with explicit runtime boundaries, not as ordinary automation.

Q: Why do AI agents create more identity risk than standard automation?

A: Because standard automation usually follows a fixed script, while AI agents can choose actions, tools, and timing within a live workflow.

Q: What breaks when employees use unapproved AI tools with company data?

A: Governance breaks because the organisation loses visibility into where data and secrets are going, who can access them, and how they are being reused.

Practitioner guidance

  • Map AI agent access paths end to end. Document where agents obtain credentials, which tools they can call, and which data sources they can reach.
  • Separate approved AI workflows from shadow AI use. Inventory employee-facing AI tools, extensions, and workflow helpers that can access company data.
  • Require per-action audit evidence for agent operations. Capture which identity initiated the session, which policy allowed the action, what tool was used, and whether a human approved the step.

What's in the full analysis

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • How 1Password positions Unified Access across humans, agents, and machine identities in enterprise workflows
  • The specific AI Agent Security Benchmark context behind the company’s product narrative and rollout
  • Details on just-in-time credential access for agents and secrets management for AI builders
  • The way 1Password connects EPM and SaaS Manager to shadow IT and AI access management




   
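Added example, not part of either post or of 1Password's material: a check that each agent action record carries the four pieces of audit evidence listed in the practitioner guidance above (initiating identity, allowing policy, tool used, human approval). The JSON-lines layout, the field names and the sample records are assumptions constructed for illustration.

```python
import json

# The four evidence items from the guidance, under hypothetical field names.
REQUIRED = ("initiating_identity", "policy_id", "tool", "human_approved")

# Constructed sample audit log (JSON lines); not real data.
SAMPLE_LOG = """\
{"action_id": "a1", "initiating_identity": "agent:invoice-bot", "policy_id": "pol-7", "tool": "erp.read", "human_approved": false}
{"action_id": "a2", "initiating_identity": "agent:invoice-bot", "tool": "erp.write", "human_approved": true}
{"action_id": "a3", "initiating_identity": "", "policy_id": "pol-7", "tool": "mail.send", "human_approved": null}
not-json
"""

def evidence_gaps(record):
    """Return the evidence fields that are missing or empty in one record."""
    gaps = []
    for field in REQUIRED:
        value = record.get(field)
        if field == "human_approved":
            # Approval must be an explicit true/false; null or absent is unknown.
            if not isinstance(value, bool):
                gaps.append(field)
        elif not isinstance(value, str) or not value.strip():
            gaps.append(field)
    return gaps

def audit(log_text):
    """Map action id (or line number) to the gaps of each incomplete record."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            # A line that cannot be parsed is itself an auditability gap.
            findings[f"line {lineno}"] = ["unparseable"]
            continue
        gaps = evidence_gaps(record)
        if gaps:
            findings[record.get("action_id", f"line {lineno}")] = gaps
    return findings

if __name__ == "__main__":
    for key, gaps in audit(SAMPLE_LOG).items():
        print(key, "missing:", ", ".join(gaps))
```

Records with `human_approved` set to `false` pass the check: the evidence requirement is that the approval state is recorded, not that every step was approved.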
(@mr-nhi)
 

AI agents are becoming a distinct identity governance class, not just a new workload type. The article shows why agentic systems cannot be managed through human IAM assumptions alone. When access is assembled dynamically across tools and data sources, the security problem shifts from login to runtime authority. Practitioners should treat agent identity as its own governance surface, covered by OWASP-NHI and Zero Trust principles, not folded into generic automation.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: How do IAM teams prepare for humans, agents, and machine identities together?

A: They should unify policy, discovery, and access review across all three identity classes. The programme needs a shared inventory of identities, a common view of privileges, and consistent offboarding for credentials and sessions. For mixed environments, the control objective is one governance model with different rules by actor type, not three disconnected programmes.




   