Unknown AI Agents Are Becoming An Identity-Management Problem
The useful AI-agent security question is no longer only what an agent says.
It is what the agent is.
Is it inventoried? Who owns it? What identity does it use? What systems can it touch? What credentials does it retain? What happens when the workflow is abandoned, the employee leaves, the vendor changes, or the experiment becomes production by accident?
That is the control gap Cloud Security Alliance is pointing at.
In April 2026, CSA published survey findings on enterprise AI agents. The headline metrics are uncomfortable in the precise way security teams hate: 82% of enterprises have unknown AI agents in their environment, 65% experienced AI-agent-related incidents in the previous 12 months, and only 21% have formal decommissioning processes.
That is not a prompt-injection story. It is an identity story.
An unknown agent with credentials is not automation. It is an unmanaged identity with initiative.
The Problem: Agents Do Not Retire Cleanly
Enterprise software already has a lifecycle problem.
Service accounts linger. API keys outlive projects. Integrations are built for pilots and then forgotten. SaaS permissions accrete. Departed employees leave behind automations that nobody wants to touch because they might still be doing something useful.
AI agents make that mess more active.
An agent is not just a scheduled script. It can reason over instructions, call tools, retrieve data, invoke APIs, write records, send messages and adapt the next action to previous output. The more useful the agent becomes, the more permissions it tends to accumulate. The more permissions it accumulates, the less acceptable it is to treat it like an experiment.
CSA’s April 2026 release says unknown agents commonly emerge in internal automation or scripting environments, LLM platforms including custom tools and plugins, SaaS tools with built-in automation, and developer-created workflows. That spread matters. Agents are not landing in one clean platform where security can flip one switch.
They are appearing wherever work gets automated.
The Analysis: Permissions Are The New Prompt Boundary
The first generation of AI-agent security coverage focused on prompts, instructions and tool misuse.
That remains valid. A manipulated agent can leak data or take the wrong action. But prompt controls do not solve the identity layer. If an agent has excessive access, the cleanest prompt in the world still leaves a large blast radius.
CSA’s release says incidents are already producing business impact: data exposure, operational disruption and financial loss. It also says organizations are investing in risk management, monitoring and permission control. That is the right direction.
The control model should look less like chatbot moderation and more like identity governance.
Every agent needs an owner. Every agent needs an inventory record. Every agent needs scoped permissions, credential rotation, logging, approval rules for high-risk actions and a retirement path. If an agent can create tickets, move files, access customer data or trigger a payment workflow, it needs the same seriousness as any other non-human identity.
The difference is intent.
A service account usually executes a narrow function. An agent can choose among actions. That makes least privilege harder. The agent may need enough context to be useful but not enough power to become a shadow administrator. The permission question becomes purpose-specific: what is this agent meant to do, and which capabilities are necessary for that purpose?
The Gap Is Lifecycle Management
The decommissioning number is the sharpest one.
With only 21% of respondents reporting formal AI-agent decommissioning processes, most organizations do not have a reliable exit door. That is where risk compounds. An agent may be forgotten but still authorized. Its credentials may remain valid. Its logs may be ignored. Its owner may move teams. Its plugin may connect to a service whose data has become more sensitive than when the agent was created.
This is how automation becomes debt.
CSA calls out the same problem in lifecycle terms: agents can linger after their intended use, retaining permissions and credentials that create long-term exposure. That phrasing matters because it changes the remediation path. The fix is not another acceptable-use policy. It is lifecycle enforcement.
Create, approve, scope, monitor, review, rotate, suspend, retire.
That should be boring. Boring is the goal.
The harder part is discovery. Unknown agents cannot be reviewed. They cannot be decommissioned. They cannot be brought into access governance. They sit outside the map until an incident, audit or bill makes them visible.
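The lifecycle and discovery checks described in this section can be run as a recurring audit. The Python below is an added example, not code from CSA or from the original article: the inventory field names, the 90-day rotation and 30-day idle thresholds, the high-risk action list and the sample records are all assumptions constructed for illustration.

```python
from datetime import date

# Assumed policy values and field names; none come from the article or CSA.
MAX_CREDENTIAL_AGE_DAYS = 90
MAX_IDLE_DAYS = 30
HIGH_RISK = {"access_customer_data", "trigger_payment"}

def audit_agent(agent, active_staff, today):
    """Return the lifecycle findings for one inventory record."""
    findings = []
    if agent["owner"] not in active_staff:
        findings.append("no_active_owner")
    if agent["status"] == "retired":
        # A retired agent must not keep usable credentials.
        if not agent["credentials_revoked"]:
            findings.append("retired_with_live_credentials")
        return findings
    if (today - agent["credential_issued"]).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("rotation_overdue")
    if (today - agent["last_activity"]).days > MAX_IDLE_DAYS:
        findings.append("idle_but_authorized")
    ungated = (set(agent["actions"]) & HIGH_RISK) - set(agent["needs_approval"])
    findings += [f"high_risk_without_approval:{a}" for a in sorted(ungated)]
    return findings

def audit(inventory, observed_identities, active_staff, today):
    """Audit every record, then flag identities seen in logs but not inventoried."""
    report = {a["id"]: audit_agent(a, active_staff, today) for a in inventory}
    known = {a["identity"] for a in inventory}
    for ident in sorted(set(observed_identities) - known):
        report[ident] = ["unknown_agent_not_in_inventory"]
    return {k: v for k, v in report.items() if v}

# Constructed sample data: three inventory records and identities seen in access logs.
TODAY = date(2026, 5, 1)
STAFF = {"alice", "bob"}
INVENTORY = [
    {"id": "ticket-triage", "identity": "svc-triage", "owner": "alice", "status": "active",
     "credential_issued": date(2026, 4, 1), "last_activity": date(2026, 4, 30),
     "credentials_revoked": False, "actions": ["create_ticket"], "needs_approval": []},
    {"id": "refund-pilot", "identity": "svc-refund", "owner": "carol", "status": "active",
     "credential_issued": date(2025, 11, 1), "last_activity": date(2026, 2, 1),
     "credentials_revoked": False, "actions": ["trigger_payment"], "needs_approval": []},
    {"id": "doc-mover", "identity": "svc-docs", "owner": "bob", "status": "retired",
     "credential_issued": date(2025, 6, 1), "last_activity": date(2025, 9, 1),
     "credentials_revoked": False, "actions": ["move_files"], "needs_approval": []},
]
OBSERVED = ["svc-triage", "svc-refund", "svc-notes-bot"]
print(audit(INVENTORY, OBSERVED, STAFF, TODAY))
```

The healthy agent produces no entry; the abandoned pilot, the retired agent with live credentials and the identity that appears only in logs each surface with a specific finding that maps to a lifecycle step.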
The Implications: Agent Security Belongs With Identity Teams
AI-agent programs should not sit only with innovation teams.
They need identity and access management, security operations, data governance, procurement and application owners in the loop. Otherwise the organization gets a familiar pattern: the business gets useful automation, security gets late visibility, and identity teams inherit the cleanup.
The cleanup will not be small.
Enterprises need discovery across LLM platforms, SaaS automation, internal scripts, developer tools and workflow products. They need to classify agents by purpose, owner, data access and action authority. They need to know which agents can act autonomously, which require human review, and which should only suggest actions. They need logs that show not only what tool was called, but why the agent called it.
That last part will matter in incidents. If a human account misbehaves, investigators ask who acted, when, from where and with what access. If an AI agent misbehaves, they will need to ask what instruction, retrieved context, tool output and permission path led to the action.
That is identity plus provenance.
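The investigator's questions above translate into a log schema that can be checked mechanically. The following Python is an added example, not part of the original article: the JSON-lines event format, the field names and the sample events are constructed assumptions. It reconstructs, for each action, the instruction, retrieved context, tool output and permission path recorded in the same trace, and lists what an investigator would be unable to answer.

```python
import json

# Constructed agent event log (JSON lines). The schema is an assumption.
LOG = """\
{"trace": "t1", "agent": "svc-refund", "type": "instruction", "detail": "refund order 1001"}
{"trace": "t1", "agent": "svc-refund", "type": "retrieval", "detail": "kb://refund-policy"}
{"trace": "t1", "agent": "svc-refund", "type": "tool_output", "detail": "order 1001 eligible"}
{"trace": "t1", "agent": "svc-refund", "type": "action", "detail": "trigger_payment", "permission_path": ["svc-refund", "role:refunds", "payments:write"]}
{"trace": "t2", "agent": "svc-notes-bot", "type": "action", "detail": "move_files", "permission_path": []}
"""

PROVENANCE_TYPES = ("instruction", "retrieval", "tool_output")

def explain_actions(log_text):
    """For each action, gather earlier events in its trace and list provenance gaps."""
    seen = {}      # trace id -> {event type: [details]} for events read so far
    reports = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] != "action":
            seen.setdefault(ev["trace"], {}).setdefault(ev["type"], []).append(ev["detail"])
            continue
        prior = seen.get(ev["trace"], {})
        missing = [t for t in PROVENANCE_TYPES if t not in prior]
        if not ev.get("permission_path"):
            missing.append("permission_path")
        reports.append({
            "agent": ev["agent"],
            "action": ev["detail"],
            "why": {t: prior.get(t, []) for t in PROVENANCE_TYPES},
            "permission_path": ev.get("permission_path", []),
            "missing": missing,
        })
    return reports

for report in explain_actions(LOG):
    print(report["agent"], report["action"], "gaps:", report["missing"])
```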
The Takeaway
AI agents are becoming a new class of non-human identity.
Treating them as chatbots is too small. Treating them as ordinary service accounts is too static. They need inventory, ownership, least privilege, monitoring and decommissioning, but they also need purpose-aware controls because they can adapt actions inside a workflow.
The CSA numbers are a warning because they describe the exact order in which security failures usually arrive: unknown assets first, real incidents second, lifecycle controls last.
That order is backwards.
The agent era will not be secured by better prompt disclaimers. It will be secured when every useful agent has an identity record, a permission boundary and an off switch that someone actually uses.