Identity visibility and AI agents: what IAM teams need to know

TL;DR: Identity visibility collapsed from 93% in 2024 to 46% in 2025 in Permiso Security’s 2026 State of Identity Security Report, while 92% of organisations already have AI agents accessing production or sensitive data and 95% say those systems can create or modify identities without traditional oversight. The programme failure is no longer inventory quality but real-time visibility into who or what is acting.

NHIMG editorial — based on content published by Permiso Security: State of Identity Security Report 2026, from false confidence to true visibility

By the numbers:

• Comprehensive identity visibility plummeted from 93% in 2024 to just 46% in 2025.
• Only 54% could track identity permissions and activities across all platforms in a unified view.
• 92% already have AI agents accessing production or sensitive data.

Questions worth separating out

Q: How should security teams handle identity visibility across cloud and SaaS platforms?

A: They should build a single operational view that correlates identity permissions, activity, and effective access across cloud, SaaS, IdP, and NHI sources.

Q: Why do AI agents complicate identity governance?

A: AI agents can create, modify, or use identities without the pacing assumptions built into traditional IAM workflows.

Q: What breaks when teams rely on identity inventories instead of visibility?

A: Inventories go stale between scans, so they miss live permission changes, delegated access, and identity behaviour across platforms.

Practitioner guidance

• Replace inventory reports with live identity telemetry Correlate identity permissions, activity, and access paths across IdP, cloud, SaaS, and NHI sources so the team can see effective access rather than static account lists.
• Extend NHI lifecycle controls to AI-created identities Treat AI-generated service accounts, tokens, and delegated credentials as governed identities with ownership, expiry, and revocation requirements from the moment they appear.
• Define blast-radius metrics for identity incidents Track how long it takes to identify impacted systems, exposed data, and privilege chains after an identity event, then use that metric to prioritise control improvements.

What's in the full report

Permiso Security's full report covers the operational detail this post intentionally leaves for the source:

• Year-over-year response breakdowns across 28 survey questions for teams benchmarking programme maturity
• Detailed figures on identity visibility, detection speed, and blast-radius analysis by respondent segment
• AI identity creation and modification patterns that show where governance breaks down in practice
• Investment planning data that helps security leaders justify roadmap priorities and resourcing

👉 Read Permiso Security's 2026 State of Identity Security Report →

Identity visibility and AI agents: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →