Your enterprise probably deployed AI agents this year. Customer-support bots, coding agents, data-pipeline workers, procurement assistants. Each one logged into systems, called APIs, read databases, and took actions on your behalf. Now answer one question: who are they, and what exactly are they allowed to do?
For most organizations, the honest answer is "we don't know." And that gap has quietly become one of the largest security exposures of 2026.
The 82-to-1 problem
Research from Rubrik Zero Labs found that AI agents and other non-human identities (NHIs) now outnumber human users by 82 to 1 in the average enterprise. Every human employee with a login is shadowed by dozens of machine identities — service accounts, API keys, workload credentials, and now autonomous agents that can reason, plan, and act.
The trouble is that these identities were never designed to be governed like people. The numbers are sobering:
- 97% of non-human identities carry excessive privileges, and roughly 90% of deployed agents are over-permissioned.
- 44% of organizations still authenticate agents with static API keys, and 43% rely on plain username/password combinations.
- Only 21% maintain a real-time registry of their agents — meaning four out of five companies cannot even produce a current list of what's running.
- 78% have no documented policy for creating or removing an agent identity.
When a January 2026 Cloud Security Alliance and Oasis Security survey asked security leaders how confident they were in managing agent identities, only 18% reported high confidence — and 84% doubted they could pass a compliance audit on agent behavior and access controls. Meanwhile, 88% had already experienced a confirmed or suspected AI agent security incident.
This is the agentic identity crisis: explosive adoption layered on top of an identity model built for humans and dumb service accounts.
Why service-account thinking fails for agents
For two decades, machine identity meant a service account: a static credential, broad permissions, and a password nobody rotated. That model survived because service accounts were predictable. They ran one job, on one schedule, against one system.
AI agents break every one of those assumptions:
- They are dynamic. An agent decides at runtime which tools to call and which systems to touch. Its access pattern is not a fixed script.
- They delegate. A single user request can spawn sub-agents, each inheriting the parent's data-access scope. One over-permissioned root agent contaminates the whole tree.
- They are conversational. Agents accept natural-language instructions, which means prompt injection can turn a trusted identity into an attacker's proxy.
- They proliferate without coordination. Individual teams spin up agents across clouds, SaaS, and on-prem with no central approval — the textbook definition of shadow IT, now with autonomy.
Treating these as service accounts means handing a privileged insider a permanent badge and hoping it behaves. Only 34% of organizations apply the same security controls to AI agents that they apply to human employees. The other two-thirds are running blind.
What "agent identity" actually means in 2026
The emerging consensus is simple to state and hard to implement: every AI agent should be a first-class identity with its own lifecycle, its own credentials, and its own narrowly scoped permissions — distinct from both the human who triggered it and the service accounts of the past.
A proper agent identity has attributes that a static API key never had:
- A unique, verifiable identity (cryptographic, not a shared secret)
- An owning team and human sponsor accountable for it
- A declared scope: which systems, which actions, which data
- A delegation chain proving on whose behalf it acts
- An expiration and automatic de-provisioning trigger
This is where the industry has moved fast in 2026. Standards are converging instead of fragmenting:
- The IETF AIMS (Agent Identity Management System) draft, published March 2, 2026, composes three existing standards — WIMSE for workload identity, SPIFFE/SPIRE for cryptographic identity, and OAuth 2.0 for delegation — into one framework.
- The NIST NCCoE "Accelerating Adoption of Software and AI Agent Identity" initiative (February 5, 2026) names candidate building blocks: Model Context Protocol, OAuth 2.0/2.1, OIDC, SPIFFE/SPIRE, and SCIM.
- The OpenID Foundation's OIDC-A 1.0 proposal extends OpenID Connect with agent-specific claims for delegation-chain verification and fine-grained authorization.
Analysts expect these to stabilize within 12 to 18 months. The practical takeaway for any team building today: architect for interoperability with these standards, not for proprietary lock-in.
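The attribute list earlier in this section becomes checkable once it is written down as a registry record. The following is an added example, not code from any of the standards named above: the field names, credential labels ("spiffe_svid", "oauth_obo", "api_key") and sample agents are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

STATIC_CREDENTIALS = {"api_key", "password"}  # long-lived shared secrets

@dataclass(frozen=True)
class AgentRecord:
    agent_id: str
    owner_team: str
    sponsor: str                     # accountable human
    scope: frozenset                 # declared "system:action" pairs
    credential: str                  # "spiffe_svid", "oauth_obo", "api_key", ...
    expires_at: Optional[datetime]   # de-provisioning trigger
    parent_id: Optional[str] = None  # who delegated to this agent

def audit(registry, now):
    """Return {agent_id: [findings]} for each record with a governance gap."""
    report = {}
    for rec in registry.values():
        findings = []
        if not (rec.owner_team and rec.sponsor):
            findings.append("no owner or sponsor")
        if rec.credential in STATIC_CREDENTIALS:
            findings.append("static credential")
        if rec.expires_at is None or rec.expires_at <= now:
            findings.append("missing or past expiration")
        if not rec.scope or any("*" in s for s in rec.scope):
            findings.append("undeclared or wildcard scope")
        if rec.parent_id is not None:
            parent = registry.get(rec.parent_id)
            if parent is None:
                findings.append("broken delegation chain")
            elif not rec.scope <= parent.scope:
                findings.append("scope exceeds delegating parent")
        if findings:
            report[rec.agent_id] = findings
    return report

def sample_registry():
    """Constructed records; names and scopes are illustrative only."""
    july = datetime(2026, 7, 1, tzinfo=timezone.utc)
    rows = [
        AgentRecord("support-bot", "cx", "alice", frozenset({"crm:read"}), "oauth_obo", july),
        AgentRecord("support-sub", "cx", "alice", frozenset({"crm:read", "crm:export"}),
                    "oauth_obo", july, parent_id="support-bot"),
        AgentRecord("etl-worker", "data", "", frozenset({"warehouse:*"}), "api_key", None),
    ]
    return {r.agent_id: r for r in rows}
```

The sub-agent check is the one a flat service-account inventory cannot express: a delegated agent is flagged whenever its scope is not a subset of the scope of the agent that delegated to it.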
A practical playbook you can start this quarter
You do not need to wait for the standards to finalize. The following steps map directly to where the risk concentrates.
1. Discover before you govern
You cannot secure what you cannot see. Begin with a complete inventory of every agent across every deployment pattern — cloud, SaaS, and on-prem. Without enumeration, every downstream control is incomplete. Build a registry that records, for each agent: owning team, human sponsor, systems accessed, privilege scope, and expiration date.
2. Kill static credentials
Replace long-lived API keys with short-lived, individually scoped credentials. The two workhorses:
- For user-delegated agents, use OAuth 2.0 On-Behalf-Of flows so the agent acts with the user's scoped permission, not a god-mode key.
- For autonomous machine agents, issue SPIFFE/SPIRE SVIDs — cryptographic identities that rotate automatically and cannot be copied out of a config file.
3. Adopt Zero Standing Privilege
The most important architectural shift: agents get no persistent access to sensitive resources. Permissions are granted just-in-time for a specific task, then automatically revoked. A compromised agent at rest has access to nothing. This single pattern neutralizes the over-permissioning that affects 90% of deployments.
4. Put humans at the high-consequence checkpoints
Full autonomy is not the goal everywhere. Insert human-in-the-loop verification before an agent executes a financial transaction, changes a production configuration, accesses regulated data, or sends an external communication. Autonomy for the routine, a checkpoint for the irreversible.
5. Build the kill switch before you need it
Write the incident-response playbook now: how to identify an agent's activity mid-incident, how to revoke its credentials without taking down dependent services, how to reconstruct what it did forensically. An instant, surgical kill switch is the difference between a contained event and a breach.
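Steps 3 to 5 fit together in a single component that issues task-scoped grants. The sketch below is an added example, not part of any product or standard named in this article: the `PrivilegeBroker` class, the action names, the 300-second lifetime and the in-memory storage are all assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

HIGH_CONSEQUENCE = {"payments:transfer", "prod:configure", "mail:send_external"}
TTL_SECONDS = 300  # assumed lifetime of one task grant

@dataclass
class Grant:
    agent_id: str
    action: str
    expires_at: float

class PrivilegeBroker:
    def __init__(self, declared_scope):
        self.declared_scope = declared_scope  # agent_id -> set of allowed actions
        self.grants = {}                      # grant_id -> Grant (nothing at rest)
        self.killed = set()
        self.audit_log = []                   # (time, agent_id, event, action)

    def request(self, agent_id, action, now, approved_by=None):
        """Issue a single-action grant, or log the denial and raise PermissionError."""
        if agent_id in self.killed:
            reason = "agent disabled"
        elif action not in self.declared_scope.get(agent_id, set()):
            reason = "outside declared scope"
        elif action in HIGH_CONSEQUENCE and not approved_by:
            reason = "human approval required"
        else:
            grant_id = secrets.token_urlsafe(16)
            self.grants[grant_id] = Grant(agent_id, action, now + TTL_SECONDS)
            self.audit_log.append((now, agent_id, f"granted by={approved_by}", action))
            return grant_id
        self.audit_log.append((now, agent_id, f"denied: {reason}", action))
        raise PermissionError(reason)

    def authorize(self, grant_id, action, now):
        """Resource-side check: grant exists, matches the action, is unexpired."""
        g = self.grants.get(grant_id)
        return bool(g and g.action == action and now < g.expires_at)

    def kill(self, agent_id, now):
        """Kill switch: block new grants and revoke only this agent's live ones."""
        self.killed.add(agent_id)
        revoked = [gid for gid, g in self.grants.items() if g.agent_id == agent_id]
        for gid in revoked:
            del self.grants[gid]
        self.audit_log.append((now, agent_id, f"killed, revoked={len(revoked)}", "*"))
        return len(revoked)
```

Because `kill` removes grants by agent rather than by shared key, other agents' grants keep working, and the audit log holds the per-agent record needed to reconstruct what happened.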
What this means for MENA businesses
For organizations across Tunisia, Saudi Arabia, and the wider MENA region, agent identity is not a far-off enterprise problem — it is the entry ticket to deploying AI safely under tightening data-protection regimes. Saudi Arabia's PDPL and similar frameworks treat unauthorized data access as a compliance failure regardless of whether a human or an agent caused it. An over-permissioned agent that reads customer records it never needed is a reportable incident.
The good news: organizations adopting AI now can build identity governance in from day one instead of retrofitting it onto a sprawl of shadow agents. Treat every agent as a first-class, short-lived, narrowly scoped identity from the first deployment, and you skip the cleanup crisis that larger, earlier adopters are now living through.
The bottom line
AI agents are privileged insiders that you provision in seconds and forget in minutes. The 82-to-1 ratio is only going to grow, and the security model has to grow with it. The organizations that win in 2026 are not the ones that deploy the most agents — they are the ones that can answer, at any moment, who their agents are, what they can touch, and how to shut them off.
Start with discovery, kill the static keys, grant privilege only when it's needed, and keep a human at the irreversible decisions. That is what agent identity looks like when it's done right.