Overview
- Late May reporting shows AI agents and service accounts have exploded inside firms, with Okta saying service accounts rose about 650% year‑on‑year and most organisations now using agentic workflows.
- Existing IAM was built around human lifecycles and therefore cannot constrain what an autonomous agent intends to do; this creates a ‘semantic pivot’, in which syntactically valid API calls produce policy‑violating actions without triggering any access‑control failure.
- Surveys and industry studies report widespread unreadiness: large shares of organisations cite access and permissions as top non‑human identity challenges and say they lack comprehensive agent governance or resiliency plans.
- Security specialists now recommend treating agents as first‑class identities and adopting intent‑bound authorization, short‑lived scoped tokens, relationship‑based (graph) permissions, sandboxing, automated lifecycle revocation, and continuous exposure management.
- Regulators already assign named human oversight under regimes such as the UK SMCR, the EU AI Act, and DORA, which raises legal risk for sponsors and makes sponsor training plus automated controls urgent to avoid personal and organisational liability.
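The controls recommended in the fourth bullet (intent‑bound authorization, short‑lived scoped tokens and relationship‑based permissions) combined in one added Python example; this is illustrative code, not from the article or any product it mentions, and the intent policy, invoice records, sponsor and token values are all constructed.

```python
# Added illustration (not the article's or any vendor's code); all names and
# records are constructed. Coarse scope checks pass a 'semantic pivot' call;
# intent binding plus a relationship graph catch it.
from dataclasses import dataclass

# Intent policy: (action, resource type) pairs each declared task may perform.
INTENT_POLICY = {
    "refund-disputed-invoices": {("read", "invoice"), ("write", "refund")},
}

# Relationship graph (constructed): a refund must point at a disputed invoice
# that belongs to the agent's named sponsor.
INVOICES = {
    "inv-1": {"status": "disputed", "owner": "alice"},
    "inv-2": {"status": "paid", "owner": "alice"},
}

@dataclass(frozen=True)
class AgentToken:
    agent_id: str
    sponsor: str        # named human accountable for the agent
    intent: str         # declared task the token was minted for
    scopes: frozenset   # coarse scopes such as "write:refund"
    expires_at: float   # epoch seconds; keep the lifetime short

def authorize(token, action, rtype, now, linked_invoice=None):
    """Return (allowed, reason); each layer narrows what a valid call may do."""
    if now >= token.expires_at:
        return False, "token expired"
    if f"{action}:{rtype}" not in token.scopes:
        return False, "scope denied"             # classic access-control failure
    if (action, rtype) not in INTENT_POLICY.get(token.intent, set()):
        return False, "outside declared intent"  # semantic pivot caught here
    if rtype == "refund":
        inv = INVOICES.get(linked_invoice)
        if not inv or inv["status"] != "disputed" or inv["owner"] != token.sponsor:
            return False, "no relationship to a disputed invoice"
    return True, "ok"

# Constructed token: over-broad legacy scopes but a narrow declared intent.
SAMPLE_TOKEN = AgentToken("agent-7", "alice", "refund-disputed-invoices",
                          frozenset({"read:invoice", "write:refund", "write:payment"}),
                          expires_at=1_000_000_300.0)

if __name__ == "__main__":
    now = 1_000_000_000.0
    print(authorize(SAMPLE_TOKEN, "write", "payment", now))          # pivot denied
    print(authorize(SAMPLE_TOKEN, "write", "refund", now, "inv-2"))  # graph denied
    print(authorize(SAMPLE_TOKEN, "write", "refund", now, "inv-1"))  # allowed
```

The `write:payment` call is the semantic pivot: the token's scopes permit it, so a scope-only check would log nothing, and only the intent layer refuses it.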