AI agents are no longer a future problem. They're showing up in production environments faster than identity teams can build governance for them. That's the dominant theme of the Q1 2026 IDU Wisdom Report, drawn from four sessions with identity security executives and practitioners across three regions.
Across four sessions and three regions, executives and practitioners working at the front lines of identity security said the same thing in different words: AI agents are no longer a future problem. They’re an operational reality. And the tools we built for human identities and static service accounts are not the tools that will govern them.
The Identity Underground is a community of identity security leaders who meet quarterly under Chatham House rules to compare notes on what’s working. Each quarter, the most important themes get distilled into a Wisdom Report. This is the public summary of Q1 2026.
Seven themes emerged. Here are the six that mattered most.
AI agents are actors, not tools. And we keep treating them like service accounts.
The dominant theme across every executive session was unequivocal. AI agents aren't a faster bot. They're not a richer machine identity. They're a reasoning, goal-based, adaptive actor that combines the worst security properties of humans and machines in a single package.
The data backed it up. 75% of machine accounts have no designated human owner. 83% of enterprises have already had a machine account takeover. Frameworks like Reveal, Assign, Interpret, Secure, Evaluate (RAISE) gave the room a structure to push back with.
But the framing that landed hardest came from a single line in the room: “Quarterly access reviews become meaningless when an agent’s access needs change on a daily or even hourly basis.”
That’s the gap, and it is architectural, not a tooling problem. Traditional IGA was built for static actors with predictable behavior. Agents learn, adapt, expand their scope, and delegate to other agents. All without anyone clicking approve.
Sound familiar?
The dangerous part isn't the agent. It's the agent talking to other agents.

Multiple executives flagged agent-to-agent delegation as the most dangerous emerging pattern. Someone called it “AD group nesting on steroids”: transitive trust chains in which accountability dissolves across multiple agents, each making micro-decisions that aggregate into an outcome nobody authorized.
Another session pushed it further. One participant asked the question that defined the rest of the discussion:
“It may be 100 tiny breadcrumbs, but once you string them in the right order, you get a process that gets an outcome that was never intended across those 100 breadcrumbs.”
If collusion between humans requires segregation of duties, what happens when agents can collude at machine speed across thousands of micro-permissions?
We don’t have an answer yet. We have a principle.
Every AI agent must have a human owner. No owner, no deploy. As one executive put it: “Would you hire 10 people to work in your organization, and they did not have any direct manager?” Ownership cannot stay in a metadata field. It has to be elevated as a security control.
Security rarely fails because the technology is wrong. It fails because we never told the story.

Storytelling wasn’t supposed to be the breakout theme of an executive session on identity security. But a senior practitioner from a major financial services organization made the case in a way that landed for the entire room.
We’re fluent in controls, audit findings, and architecture diagrams. The board speaks revenue, reputation, and risk. The translation problem is the bottleneck.
His framework: every security story needs five elements. Character. Conflict. Consequences. Control. Call to action. His without/with example made the point:
Without: “A VPN password without MFA caused ransomware.”
With: “One forgotten VPN account stopped fuel in half the US. Cars lined up at gas stations, panic buying began, and it all started with one stolen password.”
Same incident. Different impact.
One executive in the room captured the principle perfectly: “If you cannot tell the story to people at all levels, they don’t buy into the dream of what you are trying to do.”
The room also drew a line. Fear works once. Maybe twice. Use it every year and the board tunes you out. The consensus was clear: lead with consequence and vision, not with fear.
“Click without fear.” Passwordless is no longer aspirational.
One session got concrete. A senior identity leader walked the room through what identity looks like when it’s treated as an internal service rather than a compliance function.
His team doesn’t enforce. They market. They run an identity integration squad whose only job is onboarding new entities. They publish acquisition playbooks with cost chargebacks. They built passwordless on a principle he calls click without fear: if a phishing email lands and someone clicks, there’s nothing to give the attacker. No password to steal.
His framing landed: “If you’re not providing this as a service, if you come to the business and say I can’t do that for you because of a technological limitation, then we’re not enabling the business.”
Another session brought the counterpoint: a team responsible for hundreds of applications with a fraction of the headcount, juggling multiple disconnected request systems while managers approved access to systems they couldn’t track. Self-service was so complex that users needed help with self-service. Onboarding took weeks. Some staff didn’t even know IAM existed.
Same job. Wildly different outcomes. The difference isn’t budget. It’s positioning.
Another senior identity leader, asked how he secures buy-in, connected the two realities with one word: marketing. “That constant marketing is necessary for you to turn it into a service.”
Audit-led identity always fails
Another session opened with a provocation from a 20-year identity implementation veteran. Automating the old paradigm doesn’t solve the problem. It just makes the broken process faster.
His data backed it up. Only 46% of organizations rate their IAM platforms as highly effective. 74% still rely on manual workflows. More than 50% of elevated privileges are not under active control.
The industry has been spending more on identity. The results haven’t moved.
His proposed shift is the takeaway: ephemeral privilege by design. Every permission should be just-enough, just-in-time, time-bound. Identity has to come before access. Decisions belong at execution time, not provisioning time. Continuous policy enforcement should replace the periodic review.
And then came the sharpest paradox of the quarter. An executive reported that their organization is failing customer audits because they’re passwordless. Their security posture is too modern for auditors still measuring password rotation policies.
A senior identity leader’s response cut through the room: “The audit-led view of identity always fails. I’ve spent my career helping people out of that hole.”
Focus on what kills your business. Not what makes an auditor check a box.
Persistent identities. Ephemeral authentication.

The Practitioners session went somewhere the executive sessions didn’t. Authentication architecture.
A four-tier taxonomy gave the room shared vocabulary. Tier 1: assistive tools. Tier 2: AI-enabled automation. Tier 3: autonomous agents. Tier 4: AI-to-AI ecosystems. The core argument:
“You cannot govern Tier 3 to 4 agents with Tier 1 to 2 controls. Most organizations are still trying. It’s a square peg in a round hole.”
Then a practitioner pushed back. Hard. Fundamentals still hold. Permissions are permissions. AI doesn’t break access control. It shows the parts we never finished.
Both views were right. That’s why the conversation kept moving toward SPIFFE for workload identity and transaction tokens: proofs valid only for the lifespan of a single transaction, not the whole session. The principle the room landed on:
Persistent identities with ephemeral authentication. Don’t make the identity temporary. Make the proof of identity temporary.
One declaration landed: “We as practitioners should not be managing secrets. We should be managing AI.”
The shadow AI conversation got energy too. SaaS vendors injecting AI capabilities into existing tools without telling customers. One moderator’s example: a major collaboration vendor began silently shipping AI features to all customers, and the only way it got caught was through vulnerability management feeds. Not identity governance. Not procurement. Vulnerability feeds.
That’s the gap. We don’t see what’s running inside the tools we already bought.
Here's what connects all of it
When you read the themes side by side, a single thread emerges.
The identity surface area is expanding faster than governance can follow. Agents reason. Tokens evaporate. Tools quietly turn AI on overnight. The language of identity security is being rewritten in real time.
But underneath the noise, the room kept circling back to the same first principles. Visibility precedes control. Ownership matters more than tooling. Governance at machine speed requires architecture, not just policy. And the ability to tell the right story to the right audience is the most underrated skill in our toolkit.
If your quarterly review is still the primary control for an actor that changes its access needs hourly, you’re not behind on tooling. You’re behind on architecture.
That’s how identity security gets sharper. One quarter at a time.

