AI identity sprawl: what IAM teams need to govern now

TL;DR: AI adoption is already at 99.6% of organisations and is expanding into security detection, helpdesks, and autonomous workflows, while only 23% of IT teams are actively securing non-human identities, according to JumpCloud. Traditional IAM models leave AI tools invisible and over-privileged, so the governance gap is structural rather than incremental.

NHIMG editorial — based on content published by JumpCloud: Q3 2025 IT Trends Report coverage of AI adoption and non-human identity risk

By the numbers:

• 99.6% of organizations are already using or actively planning to adopt artificial intelligence.
• 67% are embedding AI in security threat detection.
• 42% of IT leaders are concerned about a lack of identity governance for non-human actors.

Questions worth separating out

Q: How should security teams govern AI identities that access sensitive systems?

A: Treat AI identities as governed non-human identities, not as ordinary application settings.

Q: Why do AI tools create more IAM risk than standard automation?

A: AI tools often combine broad system reach with weak visibility, which means the actual machine identity can sit outside normal directory and review processes.

Q: What breaks when AI identities are not inventoried centrally?

A: Ownership breaks first, then entitlement review, then offboarding.

Practitioner guidance

• Inventory every AI-related credential Map API keys, tokens, service accounts, and agent credentials to business owners, systems they can reach, and current lifecycle state.
• Reclassify AI access as privileged machine access Separate AI identities from standard application accounts and subject them to stricter approval, logging, and recertification requirements when they can reach sensitive systems or administrative interfaces.
• Extend offboarding to AI tools and agents Remove access when an AI workflow is retired, replaced, or no longer approved, and verify that associated secrets are revoked across all dependent systems, not just in the primary console.

What's in the full article

JumpCloud's full report covers the operational detail this post intentionally leaves for the source:

• Role-by-role survey breakdowns showing how IT leaders, platform teams, and security teams differ on AI governance priorities.
• Implementation context for AI in helpdesks, security detection, and other workflows where identity scope can expand quickly.
• Additional findings on shadow AI pressure, organisational concern levels, and the governance gap between AI adoption and control maturity.
• Benchmark data that can help teams compare their own AI identity governance posture against current survey responses.

👉 Read JumpCloud's Q3 2025 IT Trends Report on AI and non-human identity risk →

AI identity sprawl: what IAM teams need to govern now?

Explore further

View Full Forum →  |  NHI Foundation Course →