How businesses can stop their AI agents from running amok

Most organizations will by now be familiar with the concept of AI agents - autonomous systems that perceive, make decisions and take actions to achieve specific goals within an environment.

In fact, a staggering 82% of organizations are using AI agents today, often across multiple business functions. These agents aren’t just passive tools: they are autonomous technologies that act, decide, and adapt at remarkable speed and scale.

And they’re getting more sophisticated by the minute, frequently handling tasks that were once reserved for skilled human oversight.

Mark McClain, CEO and Founder of SailPoint.

The business value of AI agents is undisputed, but the consequences of an agent mishandling sensitive data could be devastating, from reaching into sensitive systems to sharing data without authorization. Worryingly, fewer than four in ten organizations are governing their AI agents, despite surging adoption.

This new reality demands we manage AI agents with the same level of oversight and governance as human users. Let’s look at the role that identity security can play in helping organizations to harness AI’s intelligence, without losing sight of security or compliance.

Putting brakes on the AI ‘race car’

AI agents can operate independently and learn, adapt, and interact in ways that are hard to predict. Without strong governance, they can introduce serious vulnerabilities into even the most secure environments.

That’s not to say businesses shouldn’t be leveraging AI agents, but they do need to put controls in place to keep their new ‘digital workforce’ in check. Think of it like brakes on a race car: they’re not there to slow you down unnecessarily, but to give you needed control when navigating a difficult course at high speed.

At the moment, many businesses are ‘driving the car’ at breakneck speed, without working brakes. The result? AI agents are spinning out of control – with 80% of organizations reporting that their AI agents have already performed unauthorized actions, including accessing and sharing sensitive information.

And, despite the vast majority of tech leaders (92%) recognizing that AI agent governance is crucial to enterprise security, only 44% have implemented relevant policies.

Beyond regulatory compliance issues, this creates vulnerabilities across the whole supply chain - employees, partners, and customers with system access - who may receive inaccurate information from an agent or, more dangerously, have access credentials or other data exposed in ways that play into the hands of malicious actors.

A closer look at risk management for AI agents

With 98% of companies planning to expand AI agent deployments in the next year, enterprises will only become more dependent on this extended digital workforce over the next decade.

This explosion of non-human identities, coupled with increasingly sophisticated cyber threats, will require tools that facilitate a more adaptive approach.

In the past, a ‘castle and moat’ approach to security was sufficient: SOC teams were responsible for understanding what was happening on an endpoint, and their job was essentially to protect the perimeter. Now, vulnerabilities can spread outwards from within the business itself if agents are left to move laterally and freely within networks.

To prevent an ‘identity explosion’, organizations need to approach AI agent access rights in the same way they would humans. That means governing them according to their own unique behaviors and risks.

Next-gen identity security tools can enable businesses to roll out contextual, precise and adaptive access control policies, where access is purposefully granted when appropriate – and aggressively revoked when not. Imagine an AI agent in the financial sector.

It could handle an entire loan origination process - aggregating financial data, analyzing credit history, preparing terms, facilitating underwriting, and communicating with stakeholders.

The efficiency is remarkable, but the risks are significant: without proper controls, that same agent could misinterpret data, approve high-risk loans, or inadvertently expose customer information, triggering compliance violations or reputational damage.

Businesses can avoid this sort of risk by ensuring that agents can only access the selected records or information relevant to a particular case. Through a custom role and profile, the agent would be granted temporary access to those records, and that access would be revoked as soon as the task is complete.

To minimize risk further, the agent should be left without administrative system privileges - for example, access to internal audit logs, executive dashboards or regulatory compliance reports.

A contextual, adaptive approach to identity ensures AI agents are continuously monitored, and that their access rights are updated as their roles, behaviors and risk profiles evolve.
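The loan-origination scenario above, worked through as an added example (not the author's or SailPoint's code): an agent identity with an accountable owner receives a grant scoped to one case and bounded in time, the grant is revoked when the task completes, administrative resources are denied regardless of any grant, and every decision is recorded for monitoring. All resource, case and role names are constructed for illustration.

```python
"""Case-scoped, time-bound access checks for an AI agent identity.

Models the article's loan-origination agent: a temporary grant tied to one
case, revoked on task completion, with admin resources never reachable.
Resource, case and identity names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Resources an agent should never hold (per the article): denied before any
# grant is consulted, so a mis-scoped grant cannot reach them.
ADMIN_RESOURCES = {"audit_log", "executive_dashboard", "compliance_report"}


@dataclass
class Grant:
    case_id: str            # the single case this grant is scoped to
    actions: set            # e.g. {"read", "write"}
    expires_at: float       # absolute time; the grant is dead after this
    revoked: bool = False   # flipped when the task completes


@dataclass
class AgentIdentity:
    name: str
    owner: str              # accountable human owner, as governance requires
    grants: dict = field(default_factory=dict)     # case_id -> Grant
    decisions: list = field(default_factory=list)  # audit trail of checks

    def grant_case_access(self, case_id, actions, now, ttl_seconds):
        """Issue a temporary, case-scoped grant (the 'custom role/profile')."""
        self.grants[case_id] = Grant(case_id, set(actions), now + ttl_seconds)

    def complete_task(self, case_id):
        """Revoke the grant the moment the task finishes."""
        if case_id in self.grants:
            self.grants[case_id].revoked = True

    def authorize(self, action, resource_type, resource_case, now):
        """Return True only for a live, case-matching, non-admin request."""
        if resource_type in ADMIN_RESOURCES:
            verdict = False  # never, regardless of grants
        else:
            g = self.grants.get(resource_case)
            verdict = (g is not None and not g.revoked
                       and now < g.expires_at and action in g.actions)
        # Record every decision so the agent's behaviour can be monitored.
        self.decisions.append((self.name, action, resource_type,
                               resource_case, verdict))
        return verdict
```

The `decisions` list is the hook for the continuous monitoring the article calls for: a denied request against `ADMIN_RESOURCES` or a foreign case is exactly the kind of unauthorized action worth alerting on.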

Securing the digital workforce

As adoption of AI agents intensifies, business leaders could be faced with a real headache if they expand their ‘digital workforce’ before systems are in place to securely keep track of non-human identities.

It’s clear that the question is no longer just about “who” can access what. It’s about “what” is acting inside your environment, “how” it’s doing so, and “why.” Proper governance means tracking every AI agent’s access to sensitive data, assigning clear ownership, and enforcing approval workflows before granting or expanding access.

Static, one-size-fits-all approaches to access policies are no longer enough. An adaptive, contextual approach to identity security will form the bedrock for responsible, secure and scalable adoption of AI agents.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Mark McClain is CEO and Founder of SailPoint.
