Robert Bobel, founder & CEO of Cayosoft, is dedicated to helping organizations succeed by modernizing IT with innovative hybrid technologiesgetty​For years, identity has been treated as a stable control point in enterprise security. Users were known, access followed defined processes and governance operated within systems that organizations understood well enough to manage. That model is now breaking down.As AI moves into production environments, identity extends beyond people. Legacy nonhuman identities (NHI), including service accounts, API keys, tokens and workload identities, have been around for a while, but now another NHI is on the rise and outpacing controls designed to govern them—the AI agent identity. For CIOs and CISOs, an agent identity is no longer infrastructure, but it is now a participant in how work gets done and how risk is created.From Tools To Actors: The New Agent Identity RealityNonhuman identities have long supported automation across applications and infrastructure. They executed narrow tasks, followed predefined rules and required explicit human setup for access decisions. Security models and executive oversight were built around that assumption.That assumption no longer holds. An AI agent identity can reason, choose and delegate access. Every new AI agent, integration or automated workflow introduces credentials, permissions and access pathways, driving growth in identities and secrets beyond what traditional identity programs were built to handle. Identity is no longer just a permissions problem; it’s becoming a decision-making layer for software.Even organizations still experimenting with AI are already seeing the pattern emerge. As agents become embedded in everyday workflows, nonhuman identities multiply quickly. Unlike human users, they do not follow predictable lifecycle patterns. They are created on demand, frequently duplicated, rarely retired and often overprovisioned. Over time, this creates a sprawling and poorly understood identity layer beneath critical systems.How Speed And Autonomy Are Changing The Risk ModelAI adoption is being driven from the top, fueled by competitive pressure and the promise of efficiency gains. Teams are encouraged to move quickly, often prioritizing functionality over control. In that environment, security becomes reactive.Developers and business units can now spin up agents, connect them to systems and grant broad permissions simply to ensure things work. Credentials are created, shared and often forgotten, with little clarity around ownership once an experiment ends. The result is a growing pool of orphaned accounts, unused secrets and overprivileged identities, each representing a potential entry point for attackers.The risk escalates further as AI systems move from passive to active roles. Many deployments today focus on analysis or retrieval, where exposure is tied to sensitive data. That exposure increases once systems are allowed to take action.As AI becomes more agentic, it is given the ability to reset passwords, modify records, trigger workflows and interact directly with infrastructure. Risk expands with those capabilities. Access alone no longer captures the full picture, since these systems can execute tasks directly inside core environments without a human anchor.Unlike traditional software, these systems are not strictly deterministic. They can misinterpret inputs, act on incomplete context or produce unintended outcomes. They can also be manipulated. For security leaders, evaluating identity now includes understanding how these systems behave in practice, not just what permissions they hold, and determining who is accountable for the decision.A Growing Governance GapGovernance has not kept pace with this shift. Identity governance for human users has matured over decades, with established processes for onboarding, offboarding and access reviews. That same rigor has not been consistently applied to the agent identity.In many environments, governance remains reactive, with issues addressed through audits or cleanup efforts after problems surface. This approach does not align with the speed at which identities are being created and modified. Visibility is often incomplete, and ownership is frequently unclear. When an AI-driven process performs an action, accountability can span multiple teams, leaving no single point of responsibility.It is tempting to consider an AI agent identity within the same underlying access mechanisms as user accounts, but their scale introduces new challenges. The volume of identities is growing faster than most organizations can track in real time, and even mature identity programs struggle to maintain an accurate inventory of what exists and what remains necessary. As visibility declines, exposure increases, often without clear signals.Rethinking Agent Identity For The AI EraAddressing this challenge requires a shift in how identity is treated across the enterprise. Human and nonhuman identities operate within the same environment and require consistent oversight.Every identity should have a defined purpose and a clearly assigned owner. Without ownership, governance breaks down. Lifecycle management must extend to nonhuman identities, including provisioning access with least privilege, continuously validating permissions and decommissioning identities that are no longer needed. Access reviews must expand beyond human users to account for the full identity landscape. Simply buying a new software tool for nonhuman identities won’t help if your existing practices don’t support these new and evolving requirements.Organizations must also move beyond policy definition as the primary mechanism for control and think about strengthening enforcement. Most already have policies governing access and data handling, but those policies often erode under operational pressure. Teams prioritize delivery, controls are bypassed and sensitive data is handled in ways that would not be acceptable under normal conditions.Controls that operate independently of individual decision-making are more effective in this environment. Technologies such as real-time monitoring and automated identity governance workflows help reduce exposure by limiting what can occur.Organizations also need to plan for failure in a different way. As automated systems take action, there must be a way to trace those actions, investigate outcomes and intervene when necessary. Without that capability, issues can escalate quickly and remain undetected.AI is redefining identity within the enterprise. Organizations that adapt to this shift will be better positioned to manage both the risks and opportunities that come with automation at scale. Others will continue to operate with incomplete visibility into systems that are already active.In the AI era, identity risk increasingly reflects what systems are capable of doing with the access they have.Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?