The Register — Ungoverned AI agent identities are the new shadow IT
Category: Security
AI relevance: AI agents require OAuth tokens, API keys, and service credentials to function — creating a sprawling identity surface that traditional IAM/PAM tools were never designed to govern, turning every untracked agent into a potential superuser.
- Cyata CEO Shahar Tal told The Register that agentic identities are "absolutely ungoverned" — companies are discovering thousands of AI agent accounts, tokens, and credentials they didn't know existed when Cyata runs initial discovery scans.
- Enterprise environments show 1 to 17 agents per employee, with R&D and engineering teams adopting fastest. Combined with machine identities already outnumbering humans 82-to-1 (CyberArk data), the identity explosion is real and accelerating.
- Agents use OAuth tokens to access Gmail, OneDrive, GitHub repos, and other corporate data stores — the same pathways human users authenticate through, but with less oversight and broader persistent access.
- Nudge Security CEO Russell Spitler describes a "hyper-consumerized consumption model" where any employee can spin up an agent, delegate access to their own accounts, and create a super-connected bot linked to every MCP server and data source in the company — with zero IT/security visibility.
- Block discovered during internal red-teaming that its AI agent (Goose) could be manipulated via prompt injection to deploy info-stealing malware on an employee laptop — a concrete example of ungoverned agent access enabling endpoint compromise.
- Teleport CEO Ev Kontsevoy notes agents are non-deterministic and act autonomously, breaking the human-or-machine binary that legacy IAM/PAM is built on. They access MCP servers, APIs, databases, LLMs, and orchestration systems around the clock, creating access paths that are unpredictable by design.
- "Shadow AI" is now the dominant pattern: personal ChatGPT, Cursor, and Claude Code accounts used for work without IT knowledge, creating "blast-radius issues" where a single compromised agent can drain tokens from every connected MCP server.
- Gartner projects 40% of enterprise apps will integrate task-specific AI agents by end of 2026, up from under 5% in 2025 — the identity governance gap will widen dramatically if not addressed now.
Why it matters
- This is the first major reporting to quantify the agent identity sprawl problem with real enterprise numbers (1–17 agents per employee, and discovery scans that turn up thousands of agent accounts, tokens, and credentials the company did not know existed). It moves the conversation from theoretical to operational.
- Traditional IAM/PAM cannot handle non-deterministic, context-switching entities that create new access paths dynamically. The tooling gap is structural, not just a configuration issue.
- The combination of ungoverned identities + prompt-injection vulnerabilities means an attacker who compromises one agent can chain through OAuth tokens across multiple corporate services — the lateral-movement equivalent of credential stuffing, but at agent speed.
What to do
- Discovery first: run an agentic identity scan — know how many agents exist, what they connect to, and who created them. Associate every agent with its human owner.
- Scope OAuth grants: audit and restrict OAuth scopes granted to AI agents; revoke broad-access tokens and replace with least-privilege scoped credentials.
- Treat agents as a new identity class: they are not humans and not traditional service accounts. Build policy and monitoring for entities that are dynamic, autonomous, and non-deterministic.
- Implement posture guardrails: set hard limits on what agents can access, monitor for configuration drift, and alert on agents connecting to new MCP servers or data sources.
- Kill shadow AI agents: establish a sanctioned agent provisioning process; detect and decommission personal-account agents operating on corporate data.
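The ownership, scope, personal-account, and MCP-drift checks from the list above, as an added example (not from The Register article or any vendor it quotes): a posture audit over a constructed agent inventory. The record layout, the broad-scope policy list, the `example.com` domain, and the MCP server names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Policy assumption for this example: scopes treated as too broad for an agent.
BROAD_SCOPES = {
    "https://mail.google.com/",  # Gmail: full mailbox access
    "repo",                      # GitHub: full control of private repositories
    "Files.ReadWrite.All",       # Microsoft Graph: every file the user can reach
}
CORPORATE_DOMAIN = "example.com"  # placeholder domain

@dataclass
class AgentGrant:
    agent_id: str
    owner: str | None      # accountable human, None if discovery found none
    account: str           # account that delegated access to the agent
    scopes: set[str]
    mcp_servers: set[str]  # MCP servers the agent currently connects to

def audit(grants, baseline_mcp):
    """Return {agent_id: [finding, ...]} for each grant that breaks policy."""
    findings = {}
    for g in grants:
        issues = []
        if not g.owner:
            issues.append("no-owner")
        if not g.account.endswith("@" + CORPORATE_DOMAIN):
            issues.append("personal-account")
        issues += [f"broad-scope:{s}" for s in sorted(g.scopes & BROAD_SCOPES)]
        # Drift: servers absent from the last approved snapshot for this agent.
        new = g.mcp_servers - baseline_mcp.get(g.agent_id, set())
        issues += [f"new-mcp-server:{m}" for m in sorted(new)]
        if issues:
            findings[g.agent_id] = issues
    return findings

# Constructed sample inventory and baseline (not real data).
SAMPLE_GRANTS = [
    AgentGrant("triage-bot", "alice@example.com", "alice@example.com",
               {"https://www.googleapis.com/auth/gmail.readonly"}, {"mcp-tickets"}),
    AgentGrant("code-helper", None, "bob@example.com",
               {"repo"}, {"mcp-git", "mcp-files"}),
    AgentGrant("notes-sync", "carol@example.com", "carol@personal.example",
               {"Files.ReadWrite.All", "https://mail.google.com/"}, set()),
]
BASELINE_MCP = {"triage-bot": {"mcp-tickets"}, "code-helper": {"mcp-git"}}

if __name__ == "__main__":
    for agent, issues in audit(SAMPLE_GRANTS, BASELINE_MCP).items():
        print(agent, issues)
```

In practice the grant records would come from whatever discovery scan or identity-provider export is available, and the baseline from the last reviewed snapshot.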