Agentic AI: The New Frontier of Identity Risk

In October 2025, the World Economic Forum published an analysis of what they called "agentic AI's new frontier of cybersecurity risk": the explosion of non-human identities created by autonomous AI systems.

The core concern: agentic AI systems can autonomously spawn new NHIs (API keys, tokens, service accounts) in security blind spots, often receiving broad, persistent access to sensitive systems without the safeguards applied to human users. These AI agents read, decide, and act on real systems, and each action requires identity credentials.

The numbers are striking. The volume of non-human and agentic identities is projected to exceed 45 billion globally. Gartner predicts that 33% of enterprise applications will include agentic AI by 2028, up from less than 1% in 2024. Each of these AI-enabled applications will generate new non-human identities that need governance.

Yet only 10% of executives surveyed by Okta report having a well-developed strategy for managing non-human and agentic identities.

This is the next wave of identity architecture challenges. Traditional IAM was designed for humans: people who log in, perform tasks, and log out. It was extended to service accounts as an afterthought. It is now being asked to govern autonomous AI agents that create their own credentials, make their own access decisions, and operate continuously without human oversight.

Identity architecture must evolve to address this reality. The question is not whether agentic AI will need identity governance. It is whether organizations will design that governance proactively or discover its absence during an incident.