AI Agent Access Lacks Clear Ownership at Most Firms

A significant gap has emerged between the rapid deployment of AI agents in enterprise environments and the identity infrastructure required to manage their access securely. New research reveals that while these automated systems are now deeply embedded in core business operations, most organizations lack clear ownership and consistent controls over how they authenticate and what data they can reach.

The data shows widespread adoption. Task-automation agents are active in 67% of organizations surveyed, with data retrieval, code-generation, and security agents also common. These systems frequently interact with internal applications, SaaS platforms, and cloud infrastructure, making their access a critical security vector. An overwhelming 73% of IT and security professionals anticipate these agents becoming very important or critical to their operations within the next year.

Despite this reliance, the approach to agent identity management is fragmented and inconsistent. Over half of organizations represent an AI agent using an application identity, while a large portion use shared service accounts or even allow agents to operate under a human user’s credentials. This inconsistency creates a major visibility gap, as most firms cannot reliably distinguish between actions taken by an AI and those performed by a person. Different teams within the same company often describe and manage these agents in completely different ways.

This confusion stems from a fundamental lack of ownership. Responsibility for determining AI agent authentication and access is scattered across security, development, and IT teams, with no single function holding clear accountability. Identity and access management teams are rarely in the lead. When an agent takes an unintended action, organizations are divided on who is responsible, with a concerning 15% unsure entirely.

These governance shortcomings translate into measurable security risks. While 57% express confidence that their AI agents have appropriately scoped access, underlying practices tell a different story. Many are unsure how often agent credentials are rotated, and access control frameworks are applied consistently at only a minority of firms. For a typical agent, setting up authentication can take up to ten days of engineering effort.

The core issue is that access permissions are usually inherited, not owned. An agent’s capabilities are typically defined by pre-set automation logic or the permissions of the human initiating a task, not by its own dedicated, least-privilege identity. Most practitioners agree this leads to over-privileged access, with agents often receiving more permissions than necessary and creating new, hard-to-monitor pathways into systems. A strong majority, 81%, acknowledge the risk that prompt manipulation could cause an agent to expose sensitive credentials.

To compensate for weak identity controls, organizations are leaning heavily on governance and policy. They rely on manual approval steps and post-action monitoring to oversee sensitive agent activities. For revoking access, common methods include disabling an identity or shutting down the agent’s compute environment, while few can modify access policies in real time.

Looking ahead, professionals identify key priorities for scaling safely. Over half point to real-time visibility into agent actions as the most needed capability, followed by clear identity separation between agents and humans. The ability to grant precise, short-lived access for specific tasks is also a high priority. As agentic AI expands, most expect preventing over-privileged systems and managing credentials across complex environments to become even more significant challenges.