Survey Reveals 73% of Enterprises Lack Clear Ownership of AI Agent Access, Raising Identity‑Management Risks
What Happened — A Cloud Security Alliance survey of 228 IT and security leaders shows that AI agents are now embedded in core production systems at 85% of organizations, yet ownership of their identities and access controls is fragmented across security, development, engineering, and IT teams.
Why It Matters for TPRM —
- Unclear ownership creates blind spots for third‑party risk assessments, especially when AI agents consume external APIs or SaaS services.
- Inconsistent identity assignment (shared service accounts, human‑user identities, or undocumented accounts) increases the likelihood of credential misuse and lateral movement.
- Rapid adoption (73% expect AI agents to become critical within 12 months) outpaces governance, exposing supply‑chain and data‑privacy risks.
Who Is Affected — Enterprises across all sectors that deploy production‑grade AI agents, particularly technology‑focused firms, SaaS providers, and organizations with extensive CI/CD pipelines.
Recommended Actions —
- Conduct an inventory of all AI agents and map their authentication mechanisms.
- Assign a single governance owner (preferably IAM) for AI‑agent identity lifecycle management.
- Implement strict least‑privilege policies and separate service accounts for each agent type.
- Integrate AI‑agent activity logs into existing SIEM/UEBA platforms to distinguish machine vs. human actions.
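The inventory and ownership checks from the actions above, as an added example that is not from the survey or the source article: it flags agents whose identity is shared with another agent, belongs to a human user, or is unrecorded, and agents with no named owner. The inventory records, field names and agent names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory; every name and field here is hypothetical.
INVENTORY = [
    {"agent": "invoice-triage", "identity": "wl-invoice-triage",
     "identity_type": "workload", "owner": "iam-team"},
    {"agent": "ticket-summarizer", "identity": "svc-automation",
     "identity_type": "service_account", "owner": "it-ops"},
    {"agent": "deploy-helper", "identity": "svc-automation",
     "identity_type": "service_account", "owner": None},
    {"agent": "sales-notes-bot", "identity": "j.doe",
     "identity_type": "human_user", "owner": "sales-eng"},
    {"agent": "legacy-scraper", "identity": None,
     "identity_type": None, "owner": None},
]

def audit(inventory):
    """Return {agent: sorted list of findings} for one inventory snapshot."""
    # Map each identity to the set of agents authenticating with it,
    # so an account used by more than one agent can be detected.
    users = defaultdict(set)
    for rec in inventory:
        if rec.get("identity"):
            users[rec["identity"]].add(rec["agent"])

    report = {}
    for rec in inventory:
        findings = set()
        ident = rec.get("identity")
        if not ident:
            findings.add("undocumented-identity")
        else:
            if len(users[ident]) > 1:
                findings.add("shared-identity")
            if rec.get("identity_type") == "human_user":
                findings.add("human-user-identity")
        if not rec.get("owner"):
            findings.add("no-owner")
        report[rec["agent"]] = sorted(findings)
    return report

if __name__ == "__main__":
    for agent, findings in audit(INVENTORY).items():
        print(f"{agent}: {', '.join(findings) or 'ok'}")
```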
Technical Notes — The survey highlights fragmented identity practices: 52% of agents use generic application/workload identities, 43% rely on shared service accounts, 31% operate under human user accounts, and 12% are undocumented. Agents most often interact with internal APIs (56%) and SaaS applications (49%). No specific CVE or malware is cited; the risk stems from misconfiguration and governance gaps. Source: Help Net Security