The Attack Surface Your Security Team Isn't Governing Yet

AI agents don’t just need identities. They need accountability.
That distinction matters more than most enterprise security teams have fully reckoned with. The conversation I have most often with security and technology leaders right now is not about whether to deploy agentic AI. It is about what happens once those agents are operating across production systems, and no one can fully answer what they did, what they accessed, or why.
The identity problem is real and growing. The Sophos State of Identity Security 2026 report, based on responses from 5,000 IT and cybersecurity leaders, found that 71% of organizations experienced at least one identity-related breach in the past 12 months. Weak management of non-human identities was cited as a root cause in 41% of those breaches. And just one in three organizations regularly rotates or audits service accounts and non-human identities at all. Those numbers reflect the credential problem. They do not yet fully capture what agentic AI adds on top of it.