Governance Gaps Emerge as AI Agents Drive 76% Increase in Non-Human Identities
The rapid adoption of AI agents in enterprise workflows is outpacing security efforts, according to a new report from the SANS Institute. The organization’s 2026 State of Identity Threats & Defenses Survey, based on interviews with over 500 security professionals worldwide, reveals that non-human identities (NHIs), such as service accounts, API keys, and automation bots, have surged by 76% across most organizations. This growth is largely driven by agentic AI, with 74% of companies already deploying AI agents that require credentials. However, the study warns that governance gaps around AI agents are leaving enterprises vulnerable to new security risks.
The Rise of Non-Human Identities and Agentic AI
Non-human identities are quietly multiplying within organizations, often doubling or tripling in number. This explosion is tied to the increasing use of agentic AI systems, which operate autonomously and need access permissions to interact with critical infrastructure. Unlike traditional NHIs, which follow fixed logic, agentic AI interprets instructions and can take unpredictable actions. This makes AI agents behave like over-privileged insiders, but at machine speed, a scenario that introduces risks like hallucinations and unauthorized data access.
As a result, the SANS Institute highlights a pressing need for NHI governance frameworks. Without proper controls, these identities can become vectors for breaches. Forrester Research warned last year that an agentic AI deployment will cause a publicly disclosed data breach by the end of 2026, urging organizations to adopt a “minimum viable security” approach.
Credential Hygiene Failures Expose Weaknesses
One of the most alarming findings from the survey is how widespread credential hygiene failures are in the management of NHIs. A staggering 92% of organizations fail to rotate machine credentials on a 90-day cycle, fearing that rotation might disrupt service accounts. Most (59%) rotate fewer than half of their NHI credentials quarterly, while 15% don’t even know their rotation rate. Additionally, 5% of respondents are unaware if their organization is running agentic AI at all.
These gaps are compounded by reliance on manual processes. Many organizations still use ticket-based provisioning and periodic access reviews, which simply cannot scale when environments have large volumes of NHIs operating across DevOps, cloud, and SaaS systems. Effective NHI security strategies require automation and centralized oversight.
AI Governance Lags Behind Deployment
The SANS study underscores that most organizations lack a coordinated security-first approach to AI deployment. Richard Greene, a certified instructor at SANS Institute, warns: “We’ve already seen what happens when non-human identities scale without guardrails, and agentic AI is moving even faster.” He notes that while some progress is visible—nearly 40% of organizations now use human-in-the-loop approvals for AI agent actions—the real challenge is staying ahead as these systems shift from pilots to core operations.
To close these governance gaps around AI agents, the SANS Institute recommends adopting secrets vaults, automated credential rotation, and scoped least-privilege access. However, scaling these measures to match the continued growth of NHIs is critical. Zero-trust principles for NHIs can help mitigate risks by limiting permissions and enforcing continuous monitoring.
Recommendations for Closing the Governance Gap
Building on these findings, organizations must prioritize several actions to address NHI governance challenges. First, implement automated credential management to eliminate manual rotation failures. Second, enforce least-privilege access for all AI agents, ensuring they only have permissions necessary for their tasks. Third, establish human oversight mechanisms, such as approval workflows for high-risk actions. Finally, conduct regular audits to detect unknown NHIs and assess their behavior.
As agentic AI continues to evolve, the need for robust governance frameworks becomes urgent. Without them, the 76% increase in NHIs could translate into a proportional rise in security incidents. Building a comprehensive AI security framework is no longer optional—it’s a business imperative.