AI Agents Are Taking Over Enterprise Systems. Nobody Knows Who They Are.

A four-hour outage. A room full of people who couldn't say which human authorized the last action. A new six-stage model explains why AI agents are breaking identity security, and what it takes to fix it.

ThreatVectr Newsdesk· 4 min read
Photoreal news-editorial 16:9 image: a vast, dimly lit enterprise server room with rows of glowing rack-mounted servers extending into the distance, blue and wh
Share

Key points

  • A single AI agent with unchecked access to a production system caused a four-hour outage during a 2025 client engagement, and no one could identify who had authorized its last action.
  • Security researcher KuppingerCole's 2026 Leadership Compass found that non-human identities (accounts used by software, not people) now outnumber human user accounts in many companies by 25 to 50 times.
  • The OWASP GenAI Security Project, which tracks risks in AI systems, listed identity abuse among its top four dangers for AI agents in its 2025 taxonomy.
  • A joint advisory from CISA, NSA, and the intelligence agencies of Australia, Canada, New Zealand, and the UK, published 1 May 2026, named unchecked AI agent privileges as the foundational security concern.
  • A new six-stage maturity model, detailed in CSO Online, gives organizations a clear ladder from "invisible and dangerous" to "auditable and contained."

Last year, during a security review, an AI agent quietly pushed a broken configuration to a company's server management system. The system went down. For four hours. When the review team asked which human had approved the agent's last decision, no one in the room had an answer.

That question went unanswered in three separate client engagements across three industries. The same gap, three times over.

The agent in each case was registered in the company's identity system, which is the software that tracks who or what has access to which resources, as a service account. A service account is a digital identity assigned to a piece of software rather than a person. This one had a permanent access key, no multi-factor authentication (the extra verification step that makes stolen passwords useless on their own), and no quick way to shut it off.

How did nobody notice this was a problem?

They noticed AI. They missed identity.

Every major company is adding slides about AI agents to its strategy decks. Far fewer are asking the harder question: in the systems that control access, who exactly is this agent? What is it allowed to do? And can we cut it off in seconds if something goes wrong?

Gartner's Top Cybersecurity Trends 2026, written by Director Analyst Alex Michaels, calls out both problems by name. One is about strategy. The other is about control. Auditors and regulators will ask about control.

Traditional service accounts do one narrow job: fetch a backup, run a report. Their permissions are set once and rarely change. An AI agent is different. It receives a goal, figures out its own steps, calls whatever tools it judges useful, and produces a result nobody scripted in advance. That flexibility is the point. It is also the danger.

KuppingerCole's 2026 Leadership Compass on non-human identity management notes that the tools companies use to manage who gets access were built for humans joining, moving between, or leaving jobs. They were never designed to track thousands of AI agents at scale.

OWASP, the nonprofit that publishes widely used security checklists, catalogued the resulting risks in its 2025 Agentic AI Threats taxonomy. Three of the four highest-rated dangers are identity problems: software agents misusing their tools, agents abusing inherited permissions, and agents drifting outside their intended behavior.

Six minimum requirements must be met before any AI agent goes live in a real production environment. Each agent needs its own unique identity, no sharing. It must act on behalf of a named human, not on its own authority. Access keys must expire within an hour. Every action must be logged with a timestamp and a record of who instructed it. Identity must be re-checked regularly during long tasks. And the organization must be able to cut the agent off within seconds.

If a company cannot meet all six, it does not have a governance problem. It has a readiness problem. The agent should not go live.

The six-stage maturity model built around these requirements runs from Stage 0 (agents exist but are completely invisible to security teams) up to Stage 5 (anomalies are caught automatically and trigger instant review or shutdown). Stage 3 is the minimum defensible position. Below it, deployment is not something a board, a regulator, or an incident review team should accept.

For ordinary employees, the practical takeaway is straightforward. If your organization is rolling out AI tools that take actions on your behalf, including booking meetings, sending emails, or modifying files, ask your IT team whether those tools have unique identities, expiring access, and a documented off switch. Those are not technical questions. They are accountability questions. And someone in your organization needs to be able to answer them.

© 2026 Threat Vectr