The invisible workforce – why AI agents need new identity rules
As organisations across the UK deploy AI agents and autonomous workflows, they’re
introducing a new class of digital actor into the enterprise – one that doesn’t authenticate like a
person and doesn’t follow the rules we’ve built for human users. The scale of this shift has
already triggered structural warnings at the highest levels, with the Bank of England launching
targeted investigations into the systemic risks of autonomous AI trading agents operating
without human intervention. These agents execute tasks across systems, access data, and
make decisions with the same privileges as your employees. Yet most organisations lack a
framework to govern them with equivalent rigour.
Scale has already outpaced governance
Okta’s latest Businesses at Work report puts numbers on the shift: service accounts (the
non-human identities that power automation and agentic workflows) have grown by 650 per cent
year-on-year. This isn’t gradual growth, it’s an explosion, and governance hasn’t kept pace.
Across organisations globally, 78 per cent cite access and permissions management as their top
non-human identity challenge, and 90 per cent lack a comprehensive strategy to govern these
actors at all.
Enthusiasm versus readiness
Enterprise enthusiasm for agentic AI is high, with Okta’s research showing that 91 per cent of
organisations currently use AI agents. But most organisations remain in early or limited stages
of deployment, reflecting recognition that governance, compliance and identity risks must be
addressed before agents can scale safely. The gap between ambition and readiness is
apparent. Many organisations are adding service accounts and agent credentials without equal
attention to lifecycle management or permission boundaries. This is creating a growing
inventory of non-human identities in the UK, with privileges that are rarely questioned and often
remain active long after their original purpose has expired.
Identity frameworks built for people, not agents
The fundamental problem is that identity governance frameworks were built for people.
Organisations manage user access through role-based models, periodic reviews and
multi-factor authentication. Each of these assumes a human in the loop: someone who holds a
role, answers an access review and presents a second factor when challenged. Non-human actors
don’t behave this way. An AI agent or service account doesn’t request access or prompt a
review cycle, and it typically authenticates with a long-lived static credential (an API key
or client secret) that no second factor protects. It simply continues executing with whatever
permissions were granted at the start, often across multiple systems and environments
simultaneously.
Traditional privileged access management tools help, but they were never designed for this
scale or speed. When service account sprawl accelerates beyond an organisation’s ability to
track it (let alone audit it), blind spots emerge. Agents gain access to critical databases and
confidential systems. They escalate permissions through automation workflows. They persist in
production long after the business case that justified them has changed.
Organisational silos amplify the problem
The challenge is exacerbated by how organisations currently approach identity. Many
enterprises separate human and non-human identity governance entirely, treating service
account management as an infrastructure problem rather than a strategic control point. This
creates silos where identity teams may have limited visibility into which agents are active, what
they’re accessing or how their permissions are being used. Security teams lack automated
enforcement and audit teams struggle to trace which autonomous action came from which
agent identity. For UK organisations facing growing regulatory scrutiny, these visibility gaps
carry real compliance risk.
What needs to change?
Governing agents in the era of autonomous AI requires a different approach. It means treating
non-human actors as equal governance subjects to human identities, and establishing
frameworks that provide the same protection and governance rigour for agents as for users.
Ultimately, it comes down to these key questions: Which agents are active? What are they
accessing? Are those permissions appropriate and regularly reviewed? What happens when an
agent’s role or tenure ends?
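The four questions above can be turned into automated checks. The following is an added example, not code from the original article or from Okta: a minimal non-human identity review that runs over an inventory export and flags orphaned, stale, unreviewed, over-privileged and past-tenure identities. The record layout, the scope labels in HIGH_RISK_SCOPES and the inventory entries are all assumptions constructed for illustration; substitute the fields and scope names your identity provider actually emits.

```python
# Added example, not from the original article or from Okta: a minimal
# non-human identity (NHI) review that turns the four governance questions
# (active? accessing what? reviewed? retired at end of tenure?) into checks.
# The record layout, scope labels and inventory entries are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Fixed "now" so the results are reproducible offline.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)      # unused this long: candidate to disable
REVIEW_AFTER = timedelta(days=180)    # permissions must be re-certified this often
# Assumed scope labels; replace with the ones your IdP or cloud actually uses.
HIGH_RISK_SCOPES = {"admin:*", "db:write:*", "iam:grant"}


@dataclass
class NonHumanIdentity:
    name: str
    owner: Optional[str]              # accountable human or team; None = orphaned
    scopes: Set[str]
    created: datetime
    last_used: Optional[datetime]
    last_reviewed: Optional[datetime]
    expires: Optional[datetime]       # end of the business case / tenure
    enabled: bool = True


def _overdue(stamp: Optional[datetime], limit: timedelta, now: datetime) -> bool:
    """True if the timestamp is missing or older than the limit."""
    return stamp is None or now - stamp > limit


def review(nhi: NonHumanIdentity, now: datetime = NOW) -> List[str]:
    """Return finding codes for one identity (empty list = clean)."""
    findings: List[str] = []
    if nhi.owner is None:
        findings.append("NO_OWNER")          # who is accountable for it?
    if _overdue(nhi.last_used, STALE_AFTER, now):
        findings.append("STALE")             # is it actually still active?
    if _overdue(nhi.last_reviewed, REVIEW_AFTER, now):
        findings.append("REVIEW_OVERDUE")    # are its permissions re-certified?
    # Wildcards or known high-risk scopes: least privilege is not being applied.
    if any(s in HIGH_RISK_SCOPES or s.endswith("*") for s in nhi.scopes):
        findings.append("OVERPRIVILEGED")
    if nhi.expires is not None and now > nhi.expires:
        findings.append("PAST_TENURE")       # should already have been retired
    return findings


def review_inventory(inventory: List[NonHumanIdentity],
                     now: datetime = NOW) -> Dict[str, List[str]]:
    """Review every enabled identity; disabled ones are already retired."""
    return {n.name: review(n, now) for n in inventory if n.enabled}


def decommission_candidates(results: Dict[str, List[str]]) -> List[str]:
    """Identities to disable now, pending confirmation from their owner."""
    return sorted(name for name, f in results.items()
                  if "STALE" in f or "PAST_TENURE" in f)


# Constructed inventory standing in for an export from the identity provider.
INVENTORY = [
    NonHumanIdentity("invoice-agent", "finance-platform", {"erp:read", "erp:post-invoice"},
                     created=datetime(2025, 1, 10, tzinfo=timezone.utc),
                     last_used=NOW - timedelta(days=1), last_reviewed=NOW - timedelta(days=30),
                     expires=None),
    NonHumanIdentity("legacy-etl-svc", None, {"db:write:*"},
                     created=datetime(2022, 3, 1, tzinfo=timezone.utc),
                     last_used=NOW - timedelta(days=400), last_reviewed=None,
                     expires=datetime(2023, 12, 31, tzinfo=timezone.utc)),
    NonHumanIdentity("support-copilot", "cx-eng", {"tickets:read", "admin:*"},
                     created=datetime(2024, 9, 1, tzinfo=timezone.utc),
                     last_used=NOW - timedelta(days=2), last_reviewed=NOW - timedelta(days=200),
                     expires=NOW + timedelta(days=100)),
    NonHumanIdentity("retired-bot", "ops", {"ci:read"},
                     created=datetime(2023, 1, 1, tzinfo=timezone.utc),
                     last_used=None, last_reviewed=None, expires=None, enabled=False),
]

if __name__ == "__main__":
    results = review_inventory(INVENTORY)
    for name, findings in results.items():
        print(f"{name:16} {', '.join(findings) or 'clean'}")
    print("disable now:", decommission_candidates(results))
```

Two design points matter in practice. A missing timestamp is treated as overdue rather than ignored, because an identity that has never been reviewed or never recorded a use is exactly the one nobody is watching. And the script only proposes decommissioning; the owner field exists so that a human confirms before an agent that is quietly load-bearing is switched off.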
Organisations that build this capability now will have an advantage. They’ll reduce lateral
movement risk by ensuring agents operate with least privilege. They’ll simplify compliance by
making non-human access transparent and auditable. They’ll be able to onboard and retire
agents safely as agentic workflows evolve. Those that treat non-human identity governance as
a technical afterthought will find themselves managing an expanding, ungoverned network of
digital actors – each a potential vector for data exposure or compliance violation.
What comes next?
The security perimeter is changing. It’s no longer just about where your people sit. It’s about
all the actors, human and non-human, operating within it. With the UK’s ambitions to become
a global AI superpower, organisations that treat non-human identity as a governance foundation
(not an infrastructure afterthought) will be the ones ready to scale AI safely.