TL;DR: C1 says 95% of organisations now report AI agents performing at least one IT or security task autonomously, while 47% say non-human identities already outnumber humans, according to its 2026 Future of Identity report. The real shift is that identity governance now has to operate across API, MCP, CLI, and SDK surfaces where agents request access and action at runtime.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 95% of organizations report AI agents performing at least one IT or security task autonomously.
- 47% report non-human identities already outnumber humans.
Questions worth separating out
Q: How should security teams govern AI agents that request access through APIs and MCP tools?
A: Security teams should treat AI agents as machine-callable identities that need runtime authorization, not just provisioned entitlements.
Q: Why do headless identity models matter for NHI governance?
A: Headless identity matters because non-human actors do not depend on console-based workflows.
Q: What breaks when identity governance is split across vaults, IGA, and PAM tools?
A: Split governance breaks the shared view of effective permissions.
Practitioner guidance
- Inventory machine-callable identity surfaces: Map every place agents and workloads can request credentials, call policy, or assume identity through APIs, MCP tools, CLIs, and SDKs.
- Consolidate effective access visibility: Build one operational view of humans, service accounts, workloads, and agent identities so policy decisions reflect current delegation chains and not isolated tool states.
- Move authorization to the point of action: Enforce real-time policy checks whenever an identity requests credentials or resources, and log the subject, actor, purpose, and outcome in the same transaction.
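One way to implement the last item, as an added illustration that is not ConductorOne's or NHIMG's code: a decision function that evaluates policy when the credential is requested and writes the subject, actor, purpose, delegation chain, and outcome in the same call, failing closed if the record cannot be written. The policy table, identity names, and the `authorize` function are assumptions constructed for this example.

```python
import json
import time
from dataclasses import dataclass

# Constructed policy table (assumption): which actor may obtain which resource,
# for which purposes, and through how many delegation hops.
POLICY = {
    ("agent:patch-bot", "cred:db-readonly"): {"purposes": {"patch-verification"},
                                              "max_hops": 2},
}

@dataclass
class AccessRequest:
    subject: str   # identity on whose behalf the work runs
    actor: str     # identity actually making the call (agent, service account)
    resource: str
    purpose: str
    chain: tuple   # delegation chain, ordered subject -> ... -> actor

def authorize(req, audit_sink, clock=time.time):
    """Evaluate policy at request time and write the audit record in the same call.
    Fails closed: if the record cannot be written, the decision becomes deny."""
    rule = POLICY.get((req.actor, req.resource))
    if rule is None:
        outcome, reason = "deny", "no_policy"
    elif req.purpose not in rule["purposes"]:
        outcome, reason = "deny", "purpose_not_permitted"
    elif not req.chain or req.chain[0] != req.subject or req.chain[-1] != req.actor:
        outcome, reason = "deny", "chain_does_not_link_subject_to_actor"
    elif len(req.chain) - 1 > rule["max_hops"]:
        outcome, reason = "deny", "delegation_too_deep"
    else:
        outcome, reason = "allow", "policy_match"
    record = {"ts": clock(), "subject": req.subject, "actor": req.actor,
              "resource": req.resource, "purpose": req.purpose,
              "chain": list(req.chain), "outcome": outcome, "reason": reason}
    try:
        audit_sink(json.dumps(record, sort_keys=True))
    except Exception:
        # No audit trail means no credential: override any allow.
        record.update(outcome="deny", reason="audit_unavailable")
    return record

if __name__ == "__main__":
    log = []  # constructed in-memory sink standing in for an append-only audit store
    req = AccessRequest("user:alice", "agent:patch-bot", "cred:db-readonly",
                        "patch-verification", ("user:alice", "agent:patch-bot"))
    print(authorize(req, log.append)["outcome"], log[0])
```

The caller issues the credential only when the returned `outcome` is `allow`; denied requests are logged with the same fields, so the delegation chain can be read back from the log instead of reconstructed later.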
What's in the full announcement
ConductorOne's full press release covers the operational detail this post intentionally leaves for the source:
- How the identity graph is modelled across humans, service accounts, workloads, and AI agents.
- How the MCP server exposes credential access, authorization checks, and governed requests as self-describing tools.
- How the open connector fabric keeps credentials inside the customer environment while supporting hosted or self-hosted connectors.
- How the vendor frames EU AI Act provenance and full audit context for agent-to-human activity.
Headless identity infrastructure for agents: what changes for IAM teams?
Explore further
Headless identity is a governance pattern, not a product category. The market is moving because human-console identity workflows do not map cleanly to agents, workloads, or scripted automation. The real architectural question is whether identity controls can be invoked where work happens, not whether a vendor has added another portal. For IAM and NHI programmes, that means treating programmability as a governance requirement, not a convenience feature.
A few things that frame the scale:
- 95% of organizations report AI agents performing at least one IT or security task autonomously, according to the "AI Agents: The New Attack Surface" report.
- Only 44% have implemented any policies to govern AI agents, leaving a wide gap between usage and control.
A question worth separating out:
Q: Who is accountable when an AI agent creates downstream identities or assumes scoped tokens?
A: Accountability should remain with the organisation that governs the control plane and with the operational owners of the workflow that allowed the delegation. Regulators and auditors will expect the subject, purpose, and chain of delegation to be provable from logs, not inferred after the fact.