Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity visibility and AI agents: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Identity visibility collapsed from 93% in 2024 to 46% in 2025 in Permiso Security’s 2026 State of Identity Security Report, while 92% of organisations already have AI agents accessing production or sensitive data and 95% say those systems can create or modify identities without traditional oversight. The programme failure is no longer inventory quality but real-time visibility into who or what is acting.

NHIMG editorial — based on content published by Permiso Security: State of Identity Security Report 2026, from false confidence to true visibility

By the numbers:

Questions worth separating out

Q: How should security teams handle identity visibility across cloud and SaaS platforms?

A: They should build a single operational view that correlates identity permissions, activity, and effective access across cloud, SaaS, IdP, and NHI sources.

Q: Why do AI agents complicate identity governance?

A: AI agents can create, modify, or use identities without the pacing assumptions built into traditional IAM workflows.

Q: What breaks when teams rely on identity inventories instead of visibility?

A: Inventories go stale between scans, so they miss live permission changes, delegated access, and identity behaviour across platforms.

Practitioner guidance

What's in the full report

Permiso Security's full report covers the operational detail this post intentionally leaves for the source:

  • Year-over-year response breakdowns across 28 survey questions for teams benchmarking programme maturity
  • Detailed figures on identity visibility, detection speed, and blast-radius analysis by respondent segment
  • AI identity creation and modification patterns that show where governance breaks down in practice
  • Investment planning data that helps security leaders justify roadmap priorities and resourcing

👉 Read Permiso Security's 2026 State of Identity Security Report →

Identity visibility and AI agents: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

The visibility crisis is the real control failure in modern identity security. Inventory-centric programmes are being mistaken for operational oversight, even though inventory cannot show live permission use, blast radius, or identity behaviour across platforms. That assumption breaks as soon as identities move across SaaS, cloud, and machine-access pathways. Practitioners need to stop treating completeness of lists as proof of control.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Another finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when identity-related incidents cannot be scoped quickly?

A: Accountability sits with the team that owns identity governance and operational visibility, because slow blast-radius analysis usually means no one has a complete cross-platform view. NIST CSF and zero trust both assume you can observe and constrain access, so governance must prove that capability in practice.

👉 Read our full editorial: Identity visibility fell sharply as AI agents expand access



   
ReplyQuote
Share: