A mid-sized software company stood up forty-three AI agents across customer service, HR, and finance systems over the past year. Each agent carries its own credentials, but no one in the security team knows which agent can read which customer record, when those tokens expire, or how to revoke them when a deployment gets retired.
That gap is the governance problem enterprises are only starting to map: agents acting as first-class identities without the identity and access controls that humans take for granted.
The framing is not new. Entrust CIO Rishi Kaushal argued in an ISMG video interview that AI agents must be treated as first-class identities with the same accountability, auditing, and oversight as any human user, not as extensions of human identity. The required controls are familiar: distinct identity category, defined permissions per agent, lifecycle management, auditability, and a kill switch.
What has changed is that independent industry bodies have now adopted the same framing. Gartner published a six-step framework for managing AI agent sprawl on April 28, 2026, and the Cloud Security Alliance released a whitepaper on non-human identity and agentic AI governance. Both treat agents as a distinct identity category rather than a feature bolted onto existing single sign-on. The vendor narrative has crossed into analyst consensus.
Quantitative anchors have followed. Gravitee's State of AI Agent Security 2026 report finds AI agent adoption is outpacing the controls meant to govern it. Reporting from UtilityDive on a Netwrix survey flags identity-security visibility gaps that explicitly tie back to AI agents, indicating the problem is not isolated to a single vendor's customer base.
The mechanism behind the gap is straightforward. Zero-trust principles, including continuous verification, least-privilege access, and auditability, were built for human and service identities that authenticate once per session, hold a fixed permission set, and follow a defined lifecycle. AI agents break each assumption. An agent can spawn sub-agents, request new credentials mid-task, and persist indefinitely if no one writes an off switch. Applied to a fleet of hundreds or thousands of agents, those properties turn into an unauditable blast radius.
The fix follows the same shape as any privileged access program, applied to a different kind of principal. Treat each agent as its own identity object with named credentials, scoped permissions, a documented owner, an audit trail, and a decommissioning path that can be triggered from a console rather than a code change. Gartner's six-step framework and the CSA governance whitepaper both codify versions of this pattern.
Independent skepticism is warranted. Agent deployment is still narrow in many enterprises, and the urgency around agent sprawl is partly vendor-amplified: identity vendors have a commercial interest in treating every AI agent as a billable seat. The governance frameworks themselves are still being defined industry-wide. The honest read is that the category is real, the controls are familiar, and most organizations have not yet done the work to apply them.
Watch item: Meta's open-source release of Astryx, a React design system for AI agents, signals that agent UI and control surfaces are moving into mainstream developer tooling. As agent builders ship more polished dashboards, the governance question shifts from "do we have visibility" to "who in the org owns the agent off-switch".