TL;DR: According to JumpCloud, 66% of organisations now give AI agents equal or greater system access than human users, while only 37% have fully folded those agents into formal IAM policies, which points to a widening governance gap for machine-speed identities. The real issue is not scale alone, but the assumption that access can still be reviewed and governed on human cadences.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 66% of organizations now grant AI agents equal or greater system access than human users.
- Only 37% have fully integrated those agents into their formal IAM policies.
Questions worth separating out
Q: How should security teams govern AI agents that use enterprise applications and APIs?
A: Security teams should govern AI agents as identities, not as background features.
Q: When does agentic access create more risk than it reduces?
A: Agentic access becomes risky when the agent can reach systems faster than governance can confirm its purpose, scope, and owner.
Q: What do IAM teams get wrong about lifecycle management for AI identities?
A: Teams often treat AI identities as temporary integrations rather than governed accounts.
Practitioner guidance
- Map every agent to a named owner and lifecycle state: Create a living inventory of AI agents, the applications they touch, and the business owner responsible for each agent's access and retirement.
- Enforce short-lived access for agent sessions: Replace durable credentials where possible with short-lived tokens and request-scoped authorisation checks.
- Extend access reviews to autonomous workflows: Add agent identities to certification cycles, but review more than the entitlement list.
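The three guidance items can be checked mechanically against an agent inventory. The sketch below is an added example, not code from JumpCloud or from this editorial; the record fields, the lifecycle state names, the one-hour token TTL and the 90-day review interval are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_TOKEN_TTL = timedelta(hours=1)     # assumed policy value, not from the page
REVIEW_INTERVAL = timedelta(days=90)   # assumed certification cadence

@dataclass
class Agent:                            # hypothetical inventory record
    agent_id: str
    owner: Optional[str]                # named business owner
    state: str                          # assumed states: "active" or "retired"
    issued: datetime                    # when the current credential was minted
    expires: Optional[datetime]         # None means a durable credential
    last_certified: Optional[datetime]  # last access review covering the agent

def audit(a: Agent, now: datetime) -> list:
    """Return governance findings for one agent, in a fixed order."""
    findings = []
    if not a.owner:
        findings.append("no-named-owner")
    still_valid = a.expires is None or a.expires > now
    if a.state == "retired" and still_valid:
        findings.append("credential-outlives-retirement")
    if a.expires is None or a.expires - a.issued > MAX_TOKEN_TTL:
        findings.append("long-lived-credential")
    if a.last_certified is None or now - a.last_certified > REVIEW_INTERVAL:
        findings.append("review-overdue")
    return findings

def audit_inventory(agents, now):
    """Return {agent_id: findings} for every agent with at least one finding."""
    return {a.agent_id: f for a in agents if (f := audit(a, now))}

# Constructed sample inventory; names and dates are made up for the example.
NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Agent("invoice-bot", "finance-ops", "active",
          NOW - timedelta(minutes=10), NOW + timedelta(minutes=20), NOW - timedelta(days=30)),
    Agent("hr-summariser", None, "active", NOW - timedelta(days=200), None, None),
    Agent("legacy-sync", "platform", "retired",
          NOW - timedelta(hours=2), NOW + timedelta(hours=22), NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for agent_id, findings in audit_inventory(INVENTORY, NOW).items():
        print(agent_id, findings)
```

An agent that is retired but still holds a valid credential is reported separately from one whose credential is merely long-lived, since the first calls for revocation and the second for re-issuance with a shorter lifetime.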
What's in the full announcement
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- The deployment and integration specifics for Agentic IAM on Google Cloud and Gemini Enterprise sessions
- The capability list for Managed AI Connectors and AI Device Trust in production environments
- The vendor's rollout timing across 2026 and the product components included in the launch
- The source article's own commentary on discovery, registration, and AI gateway behavior
Explore further
Agentic IAM is becoming the control plane for mixed identity populations. JumpCloud’s announcement is less about a product feature than about the governance reality that human users, service identities, and autonomous agents are now sharing the same enterprise access fabric. That convergence matters because each identity type brings different lifecycle and privilege assumptions, yet practitioners still need one policy model that can see them all. The implication is that identity architecture can no longer be organised by legacy silos.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
A question worth separating out:
Q: Who should be accountable when an AI agent accesses the wrong resource?
A: Accountability should sit with the business owner of the agent, supported by IAM and platform teams that enforced the controls. If no owner can explain the agent's purpose, scope, and retirement plan, the access should not be considered governed. Frameworks such as zero trust and access certification only work when ownership is explicit.