Identity and data security dependency is widening the governance gap

TL;DR: Identity automation, agentic AI, and continuous validation will increasingly determine data exposure and cyber-insurance scrutiny between 2026 and 2029, according to Netwrix. The governing assumption is shifting from static access review to continuous identity and data control alignment, because automation now directly changes who can reach sensitive data.

NHIMG editorial — based on content published by Netwrix: Netwrix Security Research Lab Forecasts 2026 to 2029 on the rise of identity and data security dependency

Questions worth separating out

Q: How should security teams govern AI agents that access sensitive data?

A: Security teams should govern AI agents as live identity subjects with changing authority, not as fixed integrations.

Q: Why do identity automation failures become data security incidents?

A: Identity automation failures become data security incidents because automated provisioning, token handling, and privilege decisions directly determine who can reach sensitive data.

Q: When should organisations move from periodic review to continuous control evidence?

A: Organisations should move to continuous control evidence when access is mediated by automation, cloud integrations, or AI-driven workflows.

Practitioner guidance

• Map identity-to-data dependency chains Document which identities, service accounts, tokens, and AI agents can reach which sensitive data sets, then trace the exact workflows that create that reach.
• Instrument continuous validation points Place verification checks at token issuance, workflow handoff, privilege change, and data-access events so authority is rechecked as conditions change.
• Separate ownership for AI access and data custody Assign explicit accountability for the identities AI systems use, the data they touch, and the exit process if a provider changes, is acquired, or fails.

What's in the full report

Netwrix's full analysis covers the operational detail this post intentionally leaves for the source:

• The research lab’s underlying threat assumptions and how its team expects identity attacks to evolve across 2026 to 2029
• Examples of the misconfiguration and automation patterns that informed the forecast
• The insurance and control-telemetry implications that practitioners can use for internal risk reporting
• The vendor’s view of how identity, data protection, and AI ownership converge in real programmes

👉 Read Netwrix’s forecast on identity and data security dependency through 2029 →

Identity and data security dependency is widening the governance gap?

Explore further

View Full Forum →  |  NHI Foundation Course →