§ Signal · Apr 21, 2026 · Issue 26 · Story 7

AI Agent Proliferation Is Creating an Unmanaged Identity Crisis Inside Enterprise Security

MIT Technology Review flags a structural vulnerability forming at the core of enterprise AI adoption: as agentic AI systems multiply across organizations, non-human identities (NHIs) are already outpacing human ones in some modern enterprises, and that ratio is set to accelerate sharply. Unlike human users, AI agents operate with persistent credentials, broad system access, and limited native auditability, making them exploitable vectors for prompt injection, privilege escalation, and unauthorized data exfiltration. The core warning is that organizations deploying agents for productivity gains are simultaneously expanding their attack surface without the governance scaffolding to manage it.

The competitive stakes here fall hardest on enterprise software vendors and the security layer sitting beneath them. Companies like Microsoft (Copilot agents embedded across Azure and M365), Salesforce (Agentforce), and ServiceNow are racing to deploy agentic workflows inside customer environments, but their speed-to-market incentives are misaligned with the security diligence those deployments require. Identity and access management vendors, particularly CrowdStrike, SailPoint, and emerging NHI-focused players like Astrix Security and Clutch Security, are positioned to capture urgent spend as CISOs scramble to extend zero-trust frameworks to non-human principals. Enterprises without mature NHI governance programs are the clearest losers in this dynamic, carrying liability exposure they likely have not yet quantified.

The deeper structural signal is that the security industry is being forced to rebuild foundational assumptions around identity. Traditional IAM was designed for humans authenticating into systems. Agentic AI operates continuously, autonomously, and often with chained tool access across multiple systems simultaneously, breaking the session-based mental model entirely. This is not an incremental threat category; it is a category requiring new primitives, and the vendors who define those primitives in the next 18 months will own a durable market position as agentic deployment scales from pilot to infrastructure.

Source: https://www.technologyreview.com/2026/04/21/1136158/building-agent-first-governance-and-security/