The accelerating rise of AI agents and the surge in non-human identities (NHIs) that they’re helping to feed are expanding the attack surface for enterprises and are forcing corporate security teams and security services providers to develop new ways to
manage and protect identities.
The rapidly changing identity security environment has been a focus of recent reports about AI and cyber risks, with researchers warning that traditional security tools can’t address the growing challenges. And while the scope of the problem was coming into focus in 2025, this year promises an escalation.
“The more autonomous and interconnected these AI agents become, the larger the attack surface they create,”
Lavi Lazarovitz, vice president of cyber research for security vendor
CyberArk,
wrote in a blog post late last year. “By 2026, we won’t just be experimenting with AI agents; we’ll be relying on them. This shift requires us to think differently about identity, access, and security. It’s not just about machines anymore; the very nature of human identity is also under pressure.”
Organizations need to think of AI agents as a “new class of digital coworkers,” Lazarovitz wrote. “Unlike traditional automation or bots that follow a rigid script, AI agents can make decisions, learn from their environment, and act autonomously to complete complex tasks. ... Their adoption is accelerating. By 2027, multi-agent environments are expected to be the norm, with the number of agentic systems doubling in just three years.”
Erik Trexler, senior vice president of public sector for
Palo Alto Networks, sees similar challenges in government security.
“The biggest shift in 2026 will be the collapse between ‘identity’ and ‘attack surface,’” Trexler
wrote last month, pointing to deepfake technologies and AI-generated voices and video. “Machine identities continue to proliferate; they will outnumber human identities this year. And autonomous agents can initiate high-impact actions without human oversight. This reflects a broader crisis of authenticity now reshaping how enterprises defend identity itself.”
Identifying the Challenges
A
report last week by the
Cloud Security Alliance and identity security specialist
Oasis Security that focused on NHIs and AI security found a cybersecurity industry trying to catch up to the coming flood of non-human identities. According to the report, 78% of organizations don’t have formal policies for creating or removing AI identities, 92% aren’t confident their legacy identity and access management (IAM) tools can effectively manage the risks AI and NHIs bring, and 79% said they had moderate or low confidence in their ability to prevent NHI-based attacks.
“AI turns identity into a high-velocity system,” Oasis co-founder and CEO
Danny Brickman said in a statement. “Every new agent, workflow, or integration can mint credentials and permissions in minutes. Too many organizations still govern that with spreadsheets and unsophisticated processes. That’s not an AI strategy – that’s an incident backlog.”
The Gap Between Agent Adoption, Security
A
report from digital trust firm
Keyfactor last week also highlighted the gap between companies’ push for agentic AI adoption and their ability to securely authenticate, govern, and trust autonomous systems that are in their environments.
Keyfactor found that 85% of cybersecurity pros expect digital identities for agents will be as common as human and machine identities within five years, while 86% said that without unique and dynamic digital identities, AI agents and other autonomous systems can’t be fully trusted.
In addition, while acknowledging AI-based vulnerabilities, only have of security pros have governance frameworks to address them and 28% believe they can prevent a rogue agent from causing damage. There’s also a disconnect in executive suites: agentic AI security is a board-level priority, but 55% of those surveyed said their leadership is not taking the threat of AI agents seriously enough.
Identity Governance, Data Controls are Key
Similarly, analysts with identity security firm
Netwrix’s Security Research Lab said in its
outlook for 2026 and beyond that organizations will need to adopt unified visibility across identity and data security and deploy strong identity governance and data controls that work together to protect themselves against the security threats that the proliferation of AI and agents will bring.
“AI-driven environments dramatically increase identity complexity,”
Ken Tripp, director of Netwrix’s managed services program, told MSSP Alert. “Access is no longer limited to human users, but extends to service accounts, automation, and non-human identities that often accumulate excessive or hidden privileges. These identities frequently have broad access to sensitive data and are difficult for customers to track on their own.”
That’s where MSSPs and MSPs can make a difference, Tripp said. They’re responsible for turning identity and data security into an ongoing operation, not a one-off initiative.
“As AI-driven access and automation increase complexity across environments, customers rely on service providers to continuously manage who and what can access sensitive data, how that access is changing, and where risk is building,” he said.
Three Core Realities for MSSPs
MSSPs need to focus on three key realities, Tripp said, including that visibility is foundational.
“Providers must clearly see who and what has access to sensitive data, how that access is being used, and where exposure exists across both human and non-human identities,” he said.
In addition, most risk is structural, and identity-related risk usually is created through misconfigurations, excessive permissions, and a lack of governance, all of which are accelerated by AI.
The last is that control has to be continuous.
“One-time reviews are not enough,” he said. “Least-privilege enforcement, monitoring, and compliance must operate as an ongoing cycle as environments evolve.”
Tripp added that “by bringing identity and data security together and delivering services aligned to this lifecycle, MSSPs can reduce client exposure, protect their own operations, and position themselves as long-term security partners in increasingly automated and AI driven environments.”
