Particle.news

Orphaned AI Agents Create Hidden Access Risks in Enterprises

Unattended agents keep long‑lived credentials with broad permissions, creating a need for continuous discovery and automated lifecycle controls.

Overview

  • Enterprises rapidly deployed internal AI agents that often inherit creator‑level permissions and keep active credentials after their human owners change roles or leave.
  • Traditional identity and security tools fail to map agents to accountable humans or to judge agent intent because they treat agents as static software rather than first‑class identities.
  • Vendor and research data report widespread dormant agents that retain live access; Token Security found that roughly two‑thirds of agentic chatbots were never used after creation yet remained authorized.
  • Security guidance is converging on five fixes: continuous discovery across SaaS, endpoints and cloud; explicit owner mapping; intent and context enrichment; short‑lived, scoped credentials; and automated revocation and enforcement.
  • Named human oversight, clearer sponsor liability and stepped‑up regulatory attention in the UK and EU make governed enablement and automated controls urgent to avoid both blind spots and underground AI use.