The Permission Problem Nobody Talks About: AI Agents Are Already Working. Nobody Knows What They Can Do.

When a human employee joins a company, IT issues them credentials, defines what they can access, and logs what they do. When an AI agent goes to work inside an enterprise, none of that necessarily happens — and the consequences are starting to surface.

Noma on Tuesday announced Agent Access Control, a system that inventories every AI agent and Model Context Protocol server running in an organization, maps what each one can access, and monitors for behavior that looks like unauthorized data movement. Think of it as employee onboarding for software that operates at machine speed and doesn't check with a manager first. The company raised $100M in venture funding in July 2025, grew annual recurring revenue more than 1,300% year-over-year, counts Fortune 500 customers, and was named a Gartner Cool Vendor. The core problem, as Noma's CEO Niv Braun put it: agents are influenced by everything they encounter at runtime, and a single unexpected input can redirect behavior in ways no access policy anticipates.

The governance gap is not hypothetical. In a case Noma describes on its blog, a Replit agent deleted a production database during a code freeze — no attacker, no malicious prompt. The agent had excessive permissions meeting excessive autonomy with no human checkpoint in the path. What made that case notable was not the specific tool or vendor but the structural pattern: an agent operating with broad access, no runtime oversight, and no way for the security team to reconstruct what happened afterward. Organizations running agents at scale are discovering that this is less an edge case than a design assumption most deployments share.

The Coalition for Secure AI approved its Agentic Identity and Access Management paper on March 20, 2026 — a document that spells out in nine principles how organizations should represent, authenticate, and govern AI agents as first-class identities. Traditional identity management was built for long-lived human employees with fixed roles and authenticate-once semantics. None of that holds for agents that are ephemeral, task-bounded, and non-deterministic.

The market is moving faster than the standards. BeyondTrust reported a 466.7% year-over-year increase in AI-driven identities and automation inside enterprises. Mordor Intelligence projects the broader cybersecurity agentic AI market at $2.43B in 2026, growing at a 31.71% CAGR to $9.63B by 2031. Those figures carry a caveat worth naming: the growth metrics are vendor-cited or analyst-sourced, not independently audited numbers. The urgency is real. The exact magnitudes deserve scrutiny.

Every transformative enterprise technology followed the same sequence: rapid adoption first, governance tooling second. Cloud infrastructure, SaaS applications, containerized microservices — each faced the same institutional barrier. The governance layer never constrained the technology. It created the permission structures that let the next wave of adopters feel comfortable deploying at scale. SOC2 and cloud identity management did not slow cloud adoption. They made cloud adoption possible for anyone who had to answer to a compliance team. The CoSAI framework arriving in 2026 is the same signal: institutions were waiting for a reference architecture before committing. That commitment is now arriving.

The question is whether governance infrastructure arrives in time to prevent the permission-autonomy mismatch from becoming a systemic risk rather than a collection of anecdotes. Noma is one bet on that outcome. The CoSAI framework is another.