AI agents expose enterprise identity management gaps

WorkAI.TV Editorial Desk
4 Min Read

Share with your CISO

A new IDC survey of 539 North American organizations, sponsored by Commvault, puts hard numbers on a problem most security leaders have been sensing but not measuring: agentic AI deployments are outrunning identity infrastructure. Ninety percent of IT and resilience decision-makers say they need to improve identity management for AI agents, yet only 26.7% have dynamic role-based controls in place. Separately, 57.7% haven’t defined their minimum viable business, the floor of operations they must restore first after an attack. The gaps are structural, not just tactical.

What this means for your business

The organizations most exposed here aren’t the ones that haven’t deployed AI agents. They’re the ones that have. Every AI agent provisioned into a production environment carries an identity with persistent, often broad access, and unlike a human employee, it doesn’t log off, change roles slowly, or trigger HR offboarding when its scope expands. If your identity governance program was designed around user lifecycles, it has a category error at its foundation, and the faster you’ve scaled agentic AI, the wider that error has become.

The recovery readiness numbers deserve at least as much attention as the identity numbers, even though they’re getting less coverage. Only 22.6% of organizations have deployed context-based malware scanning to validate data before restoring it to production, which means most would restore a compromised environment and call it recovery. The minimum viable business concept matters here because without a defined recovery floor, every incident becomes a negotiation under pressure about what to bring back first. That negotiation, done in the middle of an attack, is where organizations make expensive mistakes. Commvault, whose products sit in backup and recovery infrastructure, has an obvious interest in framing resilience as a platform problem rather than a process problem, but the underlying data doesn’t require that framing to be damaging.

The vendor-coined “ResOps” framework IDC is pushing may or may not stick as a category label, but the organizational logic behind it is sound. Business continuity, cybersecurity, and data protection have historically been funded and staffed in separate silos, which produces gaps exactly where handoffs occur during an incident. The CISO who’s currently renewing a backup platform contract, or defending a resilience budget against cost pressure, has a concrete data point here: the organizations that define their recovery architecture before the next incident are the ones that don’t lose the negotiation in real time.

Concept deep-dive: Non-human identities

A non-human identity is any credential or access token assigned to software rather than a person, including AI agents, automated scripts, and service accounts. Traditional identity management assumes identities are created deliberately, change slowly, and can be revoked through human processes. AI agents break all three assumptions: they can be spun up programmatically, granted access at deployment, and left running indefinitely. The business risk is that standard access audits built around employee rosters simply won’t surface them.

Based on reporting from AI agents expose enterprise identity management gaps, originally published 2026-07-15 15:40:00.

TAGGED:
Share This Article