TL;DR: Identity governance is under pressure from executive blind spots, non-human identities, and agentic AI, with the State of Identity Governance 2026 calling out the resulting execution gap, according to Omada Identity. The central issue is not awareness but governance models that still assume access, accountability, and review cycles move at human pace.
NHIMG editorial — based on content published by Omada Identity: analyst reports on identity governance, NHI, and agentic AI risk
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern non-human identities across cloud and SaaS systems?
A: Start with inventory, ownership, and lifecycle control.
Q: Why do identity governance programmes struggle when AI systems become more autonomous?
A: Because many governance processes assume access can be reviewed after the fact.
Q: What breaks when service accounts are not fully visible or owned?
A: Offboarding and access certification break first.
Practitioner guidance
- Reconcile identity ownership across all actor types Create a single ownership model for humans, service accounts, API keys, and AI-driven identities so that every access path has a named accountable party and an offboarding trigger.
- Inventory machine identities before expanding certification cycles Find service accounts, tokens, certificates, and workload identities across cloud, SaaS, and CI/CD systems, then verify where each credential is stored and who can revoke it.
- Test whether access reviews still work for autonomous behaviour Walk through a scenario where an AI system selects tools and executes without a human approval loop, then check whether your current review, logging, and exception processes can capture that activity.
What's in the full report
Omada Identity's full analyst hub covers the operational detail this post intentionally leaves for the source:
- The underlying research reports and analyst views behind each listed identity governance topic.
- Vendor-specific commentary on how Omada frames IGA, workforce identity, and machine identity.
- Report-by-report context for executive readers who want the original analyst language.
- Links to the full research artefacts rather than the strategic synthesis captured here.
👉 Read Omada Identity's analyst research hub on identity governance and AI risk →
Identity governance in 2026: what is breaking first?
Explore further
Identity governance execution failure is now a structural issue, not a tooling issue. Omada Identity’s research roundup points to a market where IGA programmes are being stretched by disconnected ownership, blind spots in executive oversight, and identities that no longer fit human review rhythms. The result is not simply more work for governance teams, but a mismatch between the control model and the identities it claims to govern. Practitioners should treat execution as the primary problem, not dashboard coverage.
A few things that frame the scale:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, showing a 4.5x gap when access is not scoped properly.
A question worth separating out:
Q: Who is accountable when AI or machine identities are over-privileged?
A: Accountability sits with the teams that provisioned, approved, and operated the identity, but governance ownership must be explicit. If a machine identity or AI system can act beyond its intended scope, the organisation needs a named control owner, a revocation path, and evidence that access was reviewed against actual use.
👉 Read our full editorial: Identity governance is failing under AI and NHI sprawl