Issue No. 003 · Thursday, April 2, 2026

The Identity Crisis at the Center of Everything

Enterprise AI agents are deploying fast with borrowed identities and almost no security governance.

Agentic Systems · Identity Security · NHI · AI Governance

This week, three separate research tracks converged on the same problem. Enterprise AI deployment is accelerating. Security approval is not. The gap between those two curves is where the real story lives — and it’s getting harder to ignore.


The through-line is trust

Everyone in this industry has been talking about agents for 18 months. What actually shipped this week tells a more specific story.

Oracle moved OCI Enterprise AI Agents to General Availability on March 31 — full-stack, OpenAI Responses API compatible, native MCP tool calling, agent-to-agent comms, project-level workload isolation. Production infrastructure, available now. Google shipped ADK Go 1.0 the same day: OpenTelemetry tracing baked in, self-healing tool-call retry, human-in-the-loop gates for sensitive operations. The framework consolidation is also hardening — LangGraph at 47M monthly downloads, Microsoft’s unified AutoGen/Semantic Kernel GA’d in Q1, CrewAI as the fastest prototype path.

The deployment layer is ready. The governance layer is not. That’s the actual news.

Gravitee’s State of AI Agent Security 2026 report surveyed 900+ practitioners and found that 80.9% of technical teams are past planning — actively testing or in production. Only 14.4% of those agents went live with full security or IT approval. The Cloud Security Alliance survey of 285 security professionals found 37% are making up agent identity management as they go. BeyondTrust’s Phantom Labs telemetry shows a 466.7% year-over-year increase in AI agents operating inside enterprise environments, many carrying administrator-level privileges, almost none subject to centralized governance.

That last number is the one to sit with. Nearly five times as many agents as a year ago. Governed like it’s still 2019.

The identity gap is structural, not procedural

Here’s what’s actually breaking down: agents aren’t getting identities. They’re borrowing them.

Only 22% of teams treat agents as independent identities. The rest share human credentials or static API keys. That architecture was already a bad practice for service accounts. For autonomous, multi-step agents with tool-calling capabilities, it’s something closer to a structural vulnerability.

The problem isn’t just that agents are over-permissioned at deploy time. It’s that their permission needs aren’t predictable at deploy time. An agent that summarizes documents on Tuesday might need filesystem access, external API calls, and database writes by Thursday, depending on what a user asks it to do. Static access models aren’t designed for dynamic decision-making. They were designed for services that do one thing.

At RSAC 2026, the major platform vendors each planted a flag. Cisco shipped agent discovery inside Cisco Identity Intelligence, agentic IAM in Duo, and MCP policy enforcement in Secure Access — plus an open-source secure agent framework called DefenseClaw. Microsoft announced a Security Dashboard for AI in Entra targeting CISO-level visibility across agent risk. SailPoint centered its entire RSAC presence on Agentic IGA — a module for governing agent privilege creep — and called NHI its fastest-growing segment. ($342M in Q4 revenue, ARR crossing $1.35B, +31% YoY. The market signal is in the financials.)

The attack surface is already real. Two exploitable CVEs — SSRF and arbitrary file write, no authentication required — were documented in a Model Context Protocol connector with over 4 million downloads. OWASP named and cataloged the MCP trust-boundary attack class in February. No major vendor ships mutual agent-to-agent authentication as a production control yet. The IETF draft describing how to build it is still a draft.

Gartner’s projection that 40% of agentic AI projects will be cancelled by 2027 doesn’t blame the models. It blames governance failure.

What this means for the advisory market

The Big Four spent over $10 billion building AI practices since 2023. PwC is OpenAI’s largest enterprise customer. KPMG has a $2B Microsoft alliance. And enterprise clients are still openly frustrated — one CIO’s quote making rounds this week: they won’t keep paying $500K for a report generated largely by a machine.

The structural gap is visible. Large firms have AI strategy capability and security audit capability, but almost no one has the practitioner who can bridge AI deployment decisions to non-human identity governance in a single conversation. Security-only advisors can’t frame the agent architecture. AI-only strategists can’t secure it.

McKinsey projects CISO budgets allocated to AI solutions will triple — from 4% to 15% — over three years. The AIUC-1 Consortium found 64% of companies over $1B in revenue have already lost more than $1M to AI failures, with an estimated 1,200 unofficial AI applications per enterprise and 86% reporting no visibility into their AI data flows.

That’s not a technology problem waiting for better infrastructure. Oracle and Google just shipped the infrastructure. That’s a mandate-ready advisory gap: agent inventory, privilege architecture, behavioral monitoring, incident response playbook. Fixed fee. Defined deliverable. In and out.

The practitioners who close that gap in Q2 will be oversubscribed by Q3.


What to watch

  • Whether MCP gateway security becomes a mandatory enterprise control category. Two CVEs in a 4M-download connector is the kind of incident that converts CISO pilot programs into procurement requirements. The first confirmed enterprise breach traced to an MCP trust-boundary exploit will be the catalyst. Watch CyberArk, Oasis, and Astrix for the first production mutual agent-to-agent authentication control before the IETF draft finalizes.

  • Identiverse 2026 as the competitive response moment. SailPoint’s Agentic IGA module and Cisco’s DefenseClaw announced at RSAC will force Okta and CyberArk to show their hands. The emerging battleground isn’t credential issuance — it’s runtime governance of active agent sessions. What ships at Identiverse will tell you where each platform actually stands.

  • NIST’s NCCoE AI Agent Standards Initiative moving from concept paper to published practice guide. When that guidance drops, it triggers compliance requirements in financial services and healthcare ahead of EU AI Act full applicability in August 2026. The organizations building agent IAM infrastructure now — scoped ephemeral tokens, JIT access, per-agent least-privilege, immutable tool-call audit trails — are the ones that won’t be scrambling in Q4.
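
A sketch of the four controls named in the last item (scoped ephemeral tokens, JIT access, per-agent least privilege, a tool-call audit trail), set against the borrowed-credential pattern described under the identity gap. This is an added example, not code from any vendor or framework mentioned in this issue; the function names, the agent name and the signing key are hypothetical, and an HMAC-signed JSON body stands in for whatever token format a real identity broker issues.

```python
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real broker holds this in a KMS/HSM
GENESIS = "0" * 64

def _mac(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def mint_token(agent_id, scopes, ttl_s, now):
    """JIT grant: short-lived token bound to one agent and an explicit scope list."""
    body = json.dumps({"sub": agent_id, "scopes": sorted(scopes), "exp": now + ttl_s},
                      sort_keys=True)
    return body + "." + _mac(body)

def check_token(token, scope, now):
    """Return (agent_id, allowed, reason) for one requested scope."""
    body, _, mac = token.rpartition(".")
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None, False, "bad-signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return claims["sub"], False, "expired"
    if scope not in claims["scopes"]:
        return claims["sub"], False, "scope-not-granted"
    return claims["sub"], True, "ok"

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def call_tool(log, token, scope, now):
    """Authorize one tool call and record the decision, allowed or denied."""
    agent, allowed, reason = check_token(token, scope, now)
    entry = {"agent": agent, "scope": scope, "allowed": allowed, "reason": reason,
             "at": now, "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return allowed

def audit_intact(log):
    """Recompute the hash chain; an edited entry or one removed mid-chain breaks it."""
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

The chain is tamper-evident rather than immutable: it does not detect truncation from the tail, so the latest hash has to be anchored somewhere the agent cannot write.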

