Notifications
Clear all
Topic starter
12/06/2026 9:37 pm
TL;DR: Credential theft and AI agent sprawl are colliding across identity programmes, with 642.4 million credentials stolen from infostealer infections in 2025 and 56% of non-human identities sitting outside structured governance, underscoring how legacy IAM controls are no longer enough when identities, applications and agents must be governed continuously, according to Josys.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 642.4 million credentials were stolen from infostealer infections in 2025 alone.
- 56% of non-human identities sit entirely outside structured governance.
Questions worth separating out
Q: How should security teams respond when credentials are stolen from infostealer infections?
A: They should treat the exposed secret as an active access path, not a hygiene issue.
Q: Why do AI agents complicate identity governance programmes?
A: AI agents complicate governance because they can hold access, act across tools and remain active outside the review cycle designed for employees.
Q: How do organisations know whether identity governance is actually keeping pace?
A: Look for measurable reduction in standing access, faster revocation after exposure and fewer identities left outside structured governance.
Practitioner guidance
- Map exposed credentials to live access paths Connect stealer-log and dark-web monitoring to application entitlement maps so a leaked credential can be traced to every SaaS, cloud and admin service it can still reach.
- Establish accountable ownership for AI agents Require a named business owner, technical owner and revocation path for every AI agent so discovery produces governable records instead of an inventory of unknowns.
- Replace periodic reviews with continuous policy checks Move identity governance from quarterly certification to continuous evaluation of entitlements, configuration drift and policy exceptions, with automated remediation where possible.
What's in the full announcement
Josys' full press release covers the operational detail this post intentionally leaves for the source:
- How the platform maps a leaked credential to a full application access profile before revoking access
- How the multi-tenant control plane is structured for MSPs managing dozens of customer environments
- How the three new capabilities fit into Josys' four-pillar identity security framework
- Which compliance mappings and policy templates are included across the platform
👉 Read Josys' press release on new identity governance capabilities for AI agents →
AI agent governance and credential theft: what teams must change?
Explore further
12/06/2026 11:49 pm
Identity governance has moved from account review to exposure containment. The article reflects a broader shift in which stolen credentials, unmanaged machine identities and AI agents all sit inside the same blast radius. That means the security problem is no longer who has access in theory, but which identities can still act after compromise. Practitioners should now judge governance by how quickly it can remove usable access.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why policy and practice diverge so sharply.
A question worth separating out:
Q: Who should own governance when humans, machines and agents share the same SaaS estate?
A: Ownership should sit with the identity programme, with clear operational handoffs to security, IT and application owners. Human users, service accounts and AI agents all need lifecycle rules, but the governance model must define who can approve access, who can revoke it and who is accountable when controls fail.
👉 Read our full editorial: AI-native identity governance now has to cover agents and leaks
