Who is your AI agent acting as? The identity question nobody can skip

Enterprises are rapidly deploying AI agents in production systems, often without established guardrails or governance policies, leading to significant security and identity management challenges. According to EMA's survey, 79% of organizations lack formal policies for AI agent governance, yet these agents are already operational, creating a pressing issue rather than a future concern. While agents are increasingly integrated into systems to enhance efficiency, their identity models often do not align with traditional frameworks, as highlighted by the 60.5% of organizations using a hybrid human/service-account management model. This mismatch can lead to expanded permissions and compromised security, especially as organizations report using multiple IAM platforms, complicating unified policy implementation. The proliferation of agent-adjacent tools, such as Model Context Protocol (MCP) servers, further exacerbates oversight challenges, with many running on local employee endpoints where security tools lack visibility. The narrative underscores the urgency for organizations to establish explicit and enforceable identity rules for AI agents to prevent unchecked power expansion and ensure robust security and auditability.