Notifications
Clear all
Topic starter
15/05/2026 7:34 pm
TL;DR: Identity security now sits at the centre of strategy for more than 95 percent of leaders, while non-human identities and AI agents can outnumber human accounts by more than 100 to 1, according to Omada Identity's State of Identity Governance 2026 discussion. The governance gap is no longer about awareness; it is about risk-based control, continuous evaluation, and ownership.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 95 percent of leaders now treat identity security, y security as core to their strategy.
- Non-human identities and AI agents often outnumber human accounts by more than 100 to 1.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
Questions worth separating out
Q: How should security teams govern non-human identities at enterprise scale?
A: Security teams should govern non-human identities through ownership, lifecycle control, and runtime policy enforcement.
Q: Why do AI agents require continuous access evaluation?
A: AI agents can change behaviour during execution, chain tool calls, and reach systems that were not part of the original approval.
Q: What is the difference between activity metrics and risk metrics in IAM?
A: Activity metrics show how much governance work happened, such as reviews completed or policies enforced.
Practitioner guidance
- Inventory all non-human identities with ownership metadata Build a single register for service accounts, API keys, tokens, certificates, and AI agents.
- Replace activity metrics with exposure metrics Track identities without owners, credentials older than policy, and privileged accounts that access sensitive systems outside normal patterns.
- Apply runtime policy checks to AI agent actions Require policy evaluation at execution time for tool calls, data access, and cross-system actions.
Static recertification remains useful, but it no longer defines control maturity when agents can act faster than review cycles?
👉 Watch Omada Identity's podcast on the State of Identity Governance 2026 findings →
Explore further
15/05/2026 7:35 pm
Non-human identity governance is now a control-plane problem, not a reporting problem. When machine identities and AI agents outnumber humans, the core risk is not whether teams can document access. The question is whether they can govern execution authority across systems that change faster than certification cycles. Practitioners should move from retrospective attestation to lifecycle control and runtime enforcement.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: When does Zero Trust become more than a policy label for NHI governance?
A: Zero Trust becomes meaningful when access is re-evaluated at runtime and tied to current identity state, task scope, and system context. For non-human identities, that means no standing assumption that yesterday's approval still applies today. If access is not continuously checked, the programme is still operating on static trust.
👉 Read our full editorial: Identity governance is shifting as non-human identities outnumber humans
