TL;DR: At Gartner SRM and Identiverse 2026, the identity conversation shifted from making IAM work to proving which identity can be trusted, at what moment, for what action, and with what accountability, according to 1Kosmos. That shift makes attribution, lifecycle control, and runtime proof the new centre of gravity for human, machine, and AI agent identity governance.
NHIMG editorial — based on content published by 1Kosmos: Takeaways from Gartner SRM and Identiverse 2026
Questions worth separating out
Q: How should security teams govern AI agents that act on behalf of people and systems?
A: Treat AI agents as governed identities, not just automation.
Q: Why do machine identities complicate identity governance programmes?
A: Machine identities complicate governance because they scale faster than human review processes and often inherit trust from shared secrets or embedded credentials.
Q: What breaks when identity programmes only measure authentication success?
A: Authentication success alone does not show whether the right identity acted, whether the action stayed in scope, or whether accountability survives a delegated workflow.
Practitioner guidance
- Define accountable ownership for every non-human identity: Assign a human sponsor, business purpose, and revocation path to each service account, token, certificate, or AI agent.
- Shorten the lifetime of machine credentials: Replace long-lived secrets with short-lived credentials and explicit renewal logic.
- Build runtime evidence into access decisions: Capture what the identity actually did, not only what policy said it could do.
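The three checks above can be run as one audit over a non-human identity inventory. The sketch below is an added example, not code from 1Kosmos or NHIMG; the record fields, the 24-hour lifetime ceiling, and the inventory entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_TTL = timedelta(hours=24)  # assumed policy ceiling, not from the article

@dataclass
class NHI:  # hypothetical inventory record
    name: str
    sponsor: Optional[str]          # accountable human
    purpose: Optional[str]          # business purpose
    revocation_path: Optional[str]  # how the credential gets revoked
    issued: datetime
    expires: Optional[datetime]     # None means the secret never expires
    granted: set = field(default_factory=set)   # actions policy allows
    observed: set = field(default_factory=set)  # actions seen in runtime logs

def audit(nhi: NHI) -> list:
    """Return governance findings for one non-human identity."""
    findings = [f"missing_{a}" for a in ("sponsor", "purpose", "revocation_path")
                if not getattr(nhi, a)]
    if nhi.expires is None:
        findings.append("non_expiring_credential")
    elif nhi.expires - nhi.issued > MAX_TTL:
        findings.append("ttl_exceeds_policy")
    extra = nhi.observed - nhi.granted  # runtime evidence vs. policy
    if extra:
        findings.append("out_of_scope:" + ",".join(sorted(extra)))
    return findings

def audit_inventory(inventory) -> dict:
    """Map identity name -> findings, omitting identities that pass."""
    return {n.name: f for n in inventory if (f := audit(n))}

# Constructed sample inventory (not real data).
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
INVENTORY = [
    NHI("ci-deployer", "alice", "deploy web tier", "revoke issuing role",
        T0, T0 + timedelta(hours=1), {"deploy"}, {"deploy"}),
    NHI("legacy-batch", None, "nightly export", None,
        T0, None, {"read:db"}, {"read:db"}),
    NHI("support-agent", "bob", "ticket triage", "disable OAuth client",
        T0, T0 + timedelta(days=30), {"read:tickets"},
        {"read:tickets", "write:billing"}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings)
```

An identity that authenticates successfully can still fail every check here, which is the gap the questions above describe.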
What's in the full article
1Kosmos' full post covers the operational detail this analysis intentionally leaves for the source:
- Conference-floor observations from Gartner SRM and Identiverse that explain how practitioners are reframing identity priorities.
- Direct commentary from 1Kosmos leaders on agent accountability, attribution, and proof in identity governance.
- The vendor's view on why SPIFFE, OAuth-based delegation, and short-lived credentials matter for machine identity.
- Event context and networking notes that show how the industry conversation is changing in practice.
Identity trust and agent accountability: what changed in 2026?
Explore further
Identity governance is moving from entitlement management to accountability management. The article reflects a market shift in which knowing that an identity can authenticate is no longer enough. Practitioners now need to know which identity acted, under what authority, and with what proof. That changes IAM from a gatekeeping function into a runtime assurance discipline, and it raises the bar for both human and non-human identity programmes.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when an AI agent or service account causes harm?
A: Accountability should rest with the human sponsor, system owner, and governance process that allowed the identity to act. If the organisation cannot identify an owner, a purpose, and a revocation path, the identity programme is not ready for delegated or autonomous action.
👉 Read our full editorial: Identity is shifting to trust, proof, and accountability