TL;DR: Identity governance is under pressure from executive blind spots, non-human identities, and agentic AI, with the State of Identity Governance 2026 calling out the resulting execution gap, according to Omada Identity. The central issue is not awareness but governance models that still assume access, accountability, and review cycles move at human pace.
NHIMG editorial — based on content published by Omada Identity: analyst reports on identity governance, NHI, and agentic AI risk
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern non-human identities across cloud and SaaS systems?
A: Start with inventory, ownership, and lifecycle control.
Q: Why do identity governance programmes struggle when AI systems become more autonomous?
A: Because many governance processes assume access can be reviewed after the fact.
Q: What breaks when service accounts are not fully visible or owned?
A: Offboarding and access certification break first.
Practitioner guidance
- Reconcile identity ownership across all actor types: Create a single ownership model for humans, service accounts, API keys, and AI-driven identities so that every access path has a named accountable party and an offboarding trigger.
- Inventory machine identities before expanding certification cycles: Find service accounts, tokens, certificates, and workload identities across cloud, SaaS, and CI/CD systems, then verify where each credential is stored and who can revoke it.
- Test whether access reviews still work for autonomous behaviour: Walk through a scenario where an AI system selects tools and executes without a human approval loop, then check whether your current review, logging, and exception processes can capture that activity.
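One way to check the first two guidance items, added here as an illustration and not taken from Omada Identity's research: a single ownership model is applied to every actor type, and each identity is flagged if it has no named owner, an owner who has been offboarded, no one who can revoke it, unknown credential storage, or no offboarding trigger. The inventory records, the active-staff list and all field names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    name: str
    kind: str                           # human, service_account, api_key, ai_agent
    owner: Optional[str]                # named accountable party
    revoker: Optional[str]              # who can revoke the credential
    stored_in: Optional[str]            # where the credential is stored
    offboarding_trigger: Optional[str]  # event that retires this identity

# Constructed sample data (not from the report). "carol" has left the company.
ACTIVE_STAFF = {"alice", "bob"}
INVENTORY = [
    Identity("alice", "human", "alice", "it-helpdesk", "idp", "hr-termination"),
    Identity("svc-backup", "service_account", "carol", "platform-team", "vault",
             "owner-departure"),
    Identity("ci-deploy-key", "api_key", None, None, None, None),
    Identity("triage-agent", "ai_agent", "bob", "bob", "vault", None),
]

def findings(identity, active_staff):
    """Return the governance gaps for one identity, whatever its actor type."""
    gaps = []
    if not identity.owner:
        gaps.append("no_owner")
    elif identity.owner not in active_staff:
        # The owner left but the identity lived on: offboarding did not reach it.
        gaps.append("owner_offboarded")
    if not identity.revoker:
        gaps.append("no_revoker")
    if not identity.stored_in:
        gaps.append("storage_unknown")
    if not identity.offboarding_trigger:
        gaps.append("no_offboarding_trigger")
    return gaps

def audit(inventory, active_staff):
    """Map identity name -> gaps, listing only identities that have any."""
    report = {}
    for identity in inventory:
        gaps = findings(identity, active_staff)
        if gaps:
            report[identity.name] = gaps
    return report

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY, ACTIVE_STAFF).items():
        print(f"{name}: {', '.join(gaps)}")
```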
What's in the full report
Omada Identity's full analyst hub covers the operational detail this post intentionally leaves for the source:
- The underlying research reports and analyst views behind each listed identity governance topic.
- Vendor-specific commentary on how Omada frames IGA, workforce identity, and machine identity.
- Report-by-report context for executive readers who want the original analyst language.
- Links to the full research artefacts rather than the strategic synthesis captured here.