
Agent AI authority gaps: what does this mean for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: AI agents are already in production at two-thirds of enterprises, yet governance is lagging as delegated actors inherit authority through chains humans and machines were not designed to track, according to Orchid Security and cited survey data. The core problem is that identity programmes assume access is stable, reviewable, and bounded by a single actor, which does not hold for agentic behaviour.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that inherit authority from other identities?

A: Security teams should govern AI agents by tracking identity lineage, not just credentials.

Q: Why do AI agents complicate least privilege in enterprise IAM?

A: AI agents complicate least privilege because their intent and tool use can change during execution.

Q: What breaks when organisations treat agent identities like service accounts?

A: What breaks is accountability.

Practitioner guidance

  • Define agent identity lineage: Record the originating identity, owning team, application context, and delegated permissions for every agent before allowing it to operate in production.
  • Map chain-of-delegation paths: Trace how authority moves from human request to service credential to downstream agent and sub-agent.
  • Enforce runtime guardrails on agent actions: Apply just-in-time access and continuous policy evaluation to agent actions that can change scope mid-session.

What's in the full announcement

Orchid Security's full announcement covers the operational detail this post intentionally leaves for the source:

  • The delegation-aware identity enrichment flow that maps agents to originating identities, owners, and business context
  • The chain-of-delegation audit model that shows how authority is inherited across humans, services, bots, and agents
  • The graph-native chatbot and observability workflow that Orchid says supports runtime identity investigation
  • The Identiverse session topics and on-site implementation themes for teams evaluating agent governance

👉 Read Orchid Security's announcement on delegation-aware controls for agentic AI →




   
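To make the three practitioner guidance points above concrete, here is an added example (not code from this thread, from NHIMG, or from Orchid Security's product) of a minimal delegation-aware authority model in Python. The identities (alice@example.com, svc-invoice-api, agent-reconciler, sub-agent-mailer), the owning team, the application context and the permission strings are all constructed for illustration. Each hop in the chain carries the originating identity, owner, context and delegated permissions (lineage); a child may only attenuate, never widen, what its parent holds (chain-of-delegation); and every action is re-evaluated against the full chain at runtime, so revoking the human at the top of the chain immediately removes the agent's authority (runtime guardrail).

```python
"""Delegation-aware authority model (added example, hypothetical identities)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class DelegationToken:
    """One hop in a delegation chain: who acts, who is accountable, in what context,
    with which delegated permissions, and on whose behalf (parent)."""
    actor: str
    owner: str
    context: str
    permissions: FrozenSet[str]
    parent: Optional["DelegationToken"] = None

    def lineage(self) -> List[str]:
        """Originating identity first, this actor last."""
        chain, t = [], self
        while t is not None:
            chain.append(t.actor)
            t = t.parent
        return list(reversed(chain))


class DelegationError(Exception):
    pass


def delegate(parent: DelegationToken, actor: str, owner: str, context: str,
             permissions: Set[str]) -> DelegationToken:
    """Issue a child token; refuse any permission the parent does not itself hold."""
    requested = frozenset(permissions)
    excess = requested - parent.permissions
    if excess:
        raise DelegationError(f"{actor} asked for more than {parent.actor} holds: {sorted(excess)}")
    return DelegationToken(actor, owner, context, requested, parent)


def effective_permissions(token: DelegationToken) -> FrozenSet[str]:
    """Intersection over the whole chain: inherited authority can only shrink per hop."""
    perms, t = token.permissions, token.parent
    while t is not None:
        perms = perms & t.permissions
        t = t.parent
    return perms


def authorize(token: DelegationToken, action: str, revoked: Set[str],
              audit: List[Dict]) -> bool:
    """Runtime guardrail: re-check the full lineage on every action and record it.
    If any identity upstream has been revoked, everything delegated from it is denied."""
    upstream_revoked = [a for a in token.lineage() if a in revoked]
    allowed = not upstream_revoked and action in effective_permissions(token)
    audit.append({"chain": token.lineage(), "owner": token.owner, "context": token.context,
                  "action": action, "allowed": allowed, "revoked_upstream": upstream_revoked})
    return allowed


def demo() -> Dict:
    """Walk a constructed human -> service -> agent chain and exercise each guardrail."""
    audit: List[Dict] = []
    revoked: Set[str] = set()
    human = DelegationToken("alice@example.com", "finance-team", "invoice-review",
                            frozenset({"invoices:read", "invoices:approve", "email:send"}))
    svc = delegate(human, "svc-invoice-api", "finance-team", "invoice-review",
                   {"invoices:read", "invoices:approve"})
    agent = delegate(svc, "agent-reconciler", "finance-team", "invoice-review",
                     {"invoices:read"})
    results = {
        "lineage": agent.lineage(),
        "agent_read": authorize(agent, "invoices:read", revoked, audit),
        "agent_approve": authorize(agent, "invoices:approve", revoked, audit),
    }
    # A sub-agent trying to pick up a permission its parent never received is refused.
    try:
        delegate(agent, "sub-agent-mailer", "finance-team", "invoice-review", {"email:send"})
        results["widening_blocked"] = False
    except DelegationError:
        results["widening_blocked"] = True
    # Mid-session change: the originating human's session is revoked; the agent loses authority.
    revoked.add("alice@example.com")
    results["agent_read_after_revoke"] = authorize(agent, "invoices:read", revoked, audit)
    results["audit_entries"] = len(audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the intersection in `effective_permissions` is that the check does not trust the credential presented at the last hop; it reads the whole chain, which is the "authority management" shift described in the reply below. The audit entries carry the full lineage and owner, so a reviewer can answer "on whose authority did this agent act?" rather than only "which token was used?".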
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

Delegation-aware identity is now a category requirement, not a feature request. Orchid Security's framing is directionally correct because agentic AI is not governed by the same assumptions as service accounts or human users. The important shift is that the enterprise must understand inherited authority across the full delegation path, not just the immediate credential presented at runtime. That moves the category from access management to authority management, which is where practitioners should anchor their design choices.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Another finding from our research shows that 71% of NHIs are not rotated within recommended time frames, which keeps standing access alive far longer than governance teams expect.

A question worth separating out:

Q: What should enterprises do before scaling agentic AI in production?

A: Enterprises should unify IAM, PAM, and NHI governance around actor type and delegation path. That includes inventorying unmanaged identities, enforcing runtime guardrails, and proving who owns each agent's authority. Without those controls, agentic AI expands existing identity blind spots instead of reducing them.

👉 Read our full editorial: Agent AI authority gaps expose the limits of legacy IAM models



   