TL;DR: Fragmented vendor stacks, hidden user activity and inconsistent security controls create blind spots that slow access management and increase breach exposure, according to JumpCloud’s analysis. Unified identity and access governance is becoming a baseline requirement for teams managing human, machine and emerging autonomous access patterns.
NHIMG editorial — based on content published by JumpCloud: Navigating the world of IT today feels less like mapping a clear path and more like finding your way through a maze
By the numbers:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams reduce identity sprawl across multiple platforms?
A: Start by identifying where identity, access and audit data are fragmented across the stack, then decide which system is authoritative for provisioning, review and deprovisioning.
Q: Why does hidden user activity create security risk for IAM programmes?
A: Because access decisions depend on evidence.
Q: What breaks when identity governance is spread across too many vendor tools?
A: Lifecycle operations become inconsistent, audit trails become incomplete and deprovisioning becomes slower.
Practitioner guidance
- Map the identity control plane first: Inventory where access decisions, entitlement records, audit logs and deprovisioning actions actually live, then identify the gaps created by separate vendor consoles.
- Correlate hidden activity with access reviews: Use SaaS, device and identity telemetry together so access reviews reflect actual usage, not just what each platform reports in isolation.
- Shorten deprovisioning paths across systems: Define a single offboarding sequence that removes human access, service account access and workflow access from every connected platform before closure.
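One way to turn the three guidance points above into a repeatable check, as an added example that is not code from JumpCloud or from this editorial. It assumes one directory is treated as authoritative and that each platform can export its accounts with a last-activity date; the platform names, account names, dates and the 90-day threshold are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the article). Assumption: one IdP/HR
# directory is authoritative for who should hold access at all.
AUTHORITATIVE = {
    "alice": "active",
    "bob": "terminated",
    "svc-backup": "active",  # service account tracked like a human identity
}

# Constructed per-platform exports: platform -> {account: last activity or None}
PLATFORM_ACCOUNTS = {
    "saas-crm": {"alice": date(2025, 5, 30), "bob": date(2025, 6, 1)},
    "mdm": {"alice": date(2025, 1, 2), "carol": None},
    "ci": {"svc-backup": date(2025, 6, 2), "svc-old": date(2024, 3, 1)},
}


def review(authoritative, platforms, today, stale_days=90):
    """Reconcile platform accounts against the authoritative directory.

    Returns (platform, account, finding) tuples sorted by platform, account:
      unknown-identity    account exists only on the platform (no owner of record)
      deprovisioning-gap  identity is no longer active but the account remains
      unused-entitlement  identity is active but telemetry shows no recent use
    """
    findings = []
    for platform, accounts in sorted(platforms.items()):
        for account, last_seen in sorted(accounts.items()):
            status = authoritative.get(account)
            if status is None:
                kind = "unknown-identity"
            elif status != "active":
                kind = "deprovisioning-gap"
            elif last_seen is None or (today - last_seen).days > stale_days:
                kind = "unused-entitlement"
            else:
                continue  # active identity with recent activity: nothing to flag
            findings.append((platform, account, kind))
    return findings


if __name__ == "__main__":
    for finding in review(AUTHORITATIVE, PLATFORM_ACCOUNTS, date(2025, 6, 10)):
        print(*finding, sep="\t")
```

Note that the terminated identity is flagged even though its platform account shows recent activity: the authoritative status decides, and the telemetry only ranks the accounts that are still entitled.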
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- How to consolidate device, identity and access workflows into one management model
- Operational reasons vendor sprawl slows troubleshooting, training and policy enforcement
- How unified reporting helps teams spot unseen user activity and access anomalies
- Why automation changes the balance between manual administration and strategic IT work
Identity sprawl and hidden activity: what IAM teams are missing?
Explore further
Identity sprawl turns governance into reconciliation work: When access, audit and device data live in separate platforms, the organisation stops governing identity and starts reconciling fragments after the fact. That changes IAM from a control function into a cleanup function. The implication is that lifecycle and access review processes lose authority the moment the control plane is split across too many vendors.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: What should organisations do when users create or onboard apps outside central IT?
A: Treat self-onboarded SaaS as an identity governance issue, not just a shadow IT problem. Discover those apps, assign ownership, review access paths and bring them into the same entitlement and offboarding process used for sanctioned systems.