IAM maturity models and AI agents: where current controls break

TL;DR: IAM maturity models still assume identities are comparatively stable and reviewable, but the article shows access governance, lifecycle management, and control consistency remain uneven across many programmes. That matters because AI systems and NHIs expose those gaps more sharply than human-centric IAM ever did.

NHIMG editorial — based on content published by Zluri: Access Management Identity & Access Management Maturity Model - A Guide For 2026

By the numbers:

• 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.

Questions worth separating out

Q: How should teams assess IAM maturity when NHIs and AI systems are in scope?

A: They should assess maturity by actor type, because human IAM, service accounts, and AI-driven identities fail in different ways.

Q: Why do IAM maturity models break down in environments with lots of service accounts?

A: They break down when maturity is measured by policy presence instead of entitlement closure.

Q: What do security teams get wrong about access management maturity?

A: They often confuse structured process with effective control.

Practitioner guidance

• Map maturity levels to actor type Separate human IAM, service account governance, and AI-driven identity control into different maturity baselines so you do not measure them with the same operational assumptions.
• Test lifecycle closure against real events Run joiner, mover, and leaver checks against live provisioning and deprovisioning records, including API keys, service accounts, and delegated admin access.
• Prove least privilege with revocation evidence Require evidence that access can be reduced, scoped, or revoked quickly for each identity class.

What's in the full article

Zluri's full guide covers the operational detail this post intentionally leaves for the source:

• Step-by-step maturity progression examples for each IAM level and component.
• Specific ILM, access management, and governance capability breakdowns that can help teams map their current state.
• Operational descriptions of provisioning, modification, and removal workflows across the maturity model.
• Concrete product-oriented examples of how Zluri positions access management automation and reporting.

👉 Read Zluri's guide to IAM maturity models for 2026 →

IAM maturity models and AI agents: where current controls break?

Explore further

View Full Forum →  |  NHI Foundation Course →