Wednesday 27 May 2026 2:00 pm | Updated: Wednesday 27 May 2026 11:59 am

As organisations across the UK deploy AI agents and autonomous workflows, they’re introducing a new class of digital actor into the enterprise – one that doesn’t authenticate like a person and doesn’t follow the rules we’ve built for human users. The scale of this shift has already triggered structural warnings at the highest levels, with the Bank of England launching targeted investigations into the systemic risks of autonomous AI trading agents operating without human intervention. These agents execute tasks across systems, access data, and make decisions with the same privileges as your employees. Yet most organisations lack a framework to govern them with equivalent rigour.

Scale has already outpaced governance

The scale of this shift is already clear. According to Okta’s latest Businesses at Work report, service accounts (the non-human identities that power automation and agentic workflows) have grown by 650 per cent year-on-year. This isn’t gradual growth; it’s an explosion – and governance hasn’t kept pace. Across organisations globally, 78 per cent cite access and permissions management as their top non-human identity challenge, and 90 per cent lack a comprehensive strategy to govern these actors at all.

Enthusiasm versus readiness

Enterprise enthusiasm for agentic AI is high, with Okta’s research showing that 91 per cent of organisations currently use AI agents. But most organisations remain in early or limited stages of deployment, reflecting recognition that governance, compliance and identity risks must be addressed before agents can scale safely. The gap between ambition and readiness is apparent. Many organisations are adding service accounts and agent credentials without equal attention to lifecycle management or permission boundaries. This is creating a growing inventory of non-human identities in the UK, with privileges that are rarely questioned and often remain active long after their original purpose has expired.

Identity frameworks built for people, not agents

The fundamental problem is that identity governance frameworks were built for people. Organisations manage user access through role-based models, periodic reviews and multi-factor authentication. These mechanisms assume human accountability and periodic interaction. Non-human actors don’t behave this way. An AI agent or service account doesn’t request access or prompt a review cycle. It simply continues executing with whatever permissions were granted at the start, often across multiple systems and environments simultaneously.

Traditional privileged access management tools help, but they were never designed for this scale or speed. When service account sprawl accelerates beyond an organisation’s ability to track it (let alone audit it), blind spots emerge. Agents gain access to critical databases and confidential systems. They escalate permissions through automation workflows. They persist in production long after the business case that justified them has changed.

Organisational silos amplify the problem

The challenge is exacerbated by how organisations currently approach identity. Many enterprises separate human and non-human identity governance entirely, treating service account management as an infrastructure problem rather than a strategic control point. This creates silos where identity teams may have limited visibility into which agents are active, what they’re accessing or how their permissions are being used. Security teams lack automated enforcement and audit teams struggle to trace which autonomous action came from which agent identity. For UK organisations facing growing regulatory scrutiny, these visibility gaps carry real compliance risk.

What needs to change?

Governing agents in the era of autonomous AI requires a different approach. It means treating non-human actors as governance subjects equal to human identities, and establishing frameworks that provide the same protection and governance rigour for agents as for users. Ultimately, it comes down to these key questions: Which agents are active? What are they accessing? Are those permissions appropriate and regularly reviewed? What happens when an agent’s role or tenure ends?

Organisations that build this capability now will have an advantage. They’ll reduce lateral movement risk by ensuring agents operate with least privilege. They’ll simplify compliance by making non-human access transparent and auditable. They’ll be able to onboard and retire agents safely as agentic workflows evolve. Those that treat non-human identity governance as a technical afterthought will find themselves managing an expanding, ungoverned network of digital actors – each a potential vector for data exposure or compliance violation.

What comes next?

The security perimeter is changing. It’s not just about where your people sit anymore. It’s about all the actors – human and non-human – operating within it. With the UK’s ambitions to become a global AI superpower, organisations that treat non-human identity as a governance foundation (not an infrastructure afterthought) will be the ones actually ready to scale AI safely.