There are AI agents operating in your environment right now. Some you deployed. Some your employees connected to workflows on their own. Some arrived with your customers, acting on their behalf through platforms your team built for humans.
Most of these agents are not governed. The agentic AI security challenge starts here: the infrastructure responsible for catching that kind of gap was designed for a world where every actor had a face, a password, and a predictable pattern of behavior.
Our data shows 86% of practitioners already observe AI agents acting on behalf of consumers in commercial settings, with adoption strongest in financial services (85%) and retail (86%). Those agents are making purchases, updating credentials, handling support interactions, and authenticating into systems. This isn’t a niche trend practitioners are watching from the sideline. When we asked decision-makers which identity and fraud innovation would have the greatest impact over the next two years, 56% pointed to agentic AI, ahead of reusable credentials, blockchain-based identity, and every other category we tested.
This is the agentic AI security problem. Not a theoretical one. A structural one, already producing real exposure.
The agent population you can’t count
When we ask organizations how many agents are actively operating in their environments, the honest answer is usually some version of “we’re not sure.” That’s not negligence. It’s a reflection of how quickly deployment has outpaced visibility.
Every time an employee connects an AI copilot to an internal workflow, that agent inherits some level of access. Every time a consumer uses an AI assistant to interact with your platform, that agent runs on infrastructure that wasn’t designed for it. The result is a fast-growing population of non-human actors that nobody is tracking comprehensively.
The ratio makes this tangible: 82 machine identities currently exist for every one human identity in enterprise environments. And 79% of organizations expect that ratio to grow by up to 150% in the next year. Unlike a static API key or a service account with a fixed scope, an AI agent adapts. It makes decisions based on new information, operates continuously, and interacts across systems in ways that weren’t anticipated when access policies were written.
Will Charnley, Liminal’s COO and Managing Director, framed it this way during a recent panel: “We need to determine human, non-human good, non-human bad. A lot of the current technologies aren’t built to handle that.”
What the AI agent governance gap looks like in practice
The visibility problem is one-half. The preparedness problem is the other.
Our data shows 94% of organizations already govern non-human accounts in their environments. But only 10% have a mature strategy for managing those identities. 20% describe themselves as outright unprepared. 42% say they lack a cohesive security strategy for the category entirely.
That’s not an edge case. That’s the majority of enterprises in a reactive posture while AI agents quietly accumulate permissions, credentials, and operational scope across their systems.
The compliance exposure is concrete: 60% of practitioners cite compliance risk from unauthorized agentic access. And in most cases, they’re not catching problems early through automated monitoring. They’re catching them because something already went wrong, or because they watched a peer organization deal with the consequences and recognized the same conditions internally.
There’s an organizational dimension too. When an AI agent causes a compliance incident, who owns the response? IT? Fraud? Cybersecurity? Legal? In most organizations, the honest answer is that nobody is certain. The response gets siloed, the structural issue that created the exposure persists, and the same conditions keep producing new incidents.
Agentic AI fraud is already changing the threat landscape
The ai AI agent governance gap has a cost that goes well beyond compliance.
Our data shows 19% of account takeover attempts now involve agent-driven tactics, nearly matching credential stuffing (20%) as the most common vector. Fraudsters are deploying AI agents to probe defenses, test system responses, and scale operations in ways that bypass the detection logic most organizations put in place years ago. Bot detection, CAPTCHA, behavioral pattern matching: all designed to tell humans apart from machines. None designed to tell a legitimate AI agent apart from a malicious one.
Miguel Navarro, a digital identity and fraud leader who joined our panel discussion, described the distribution model for these attacks. A fraudster builds an agent that succeeds against a specific organization’s defenses. Once it’s validated, the toolkit gets packaged and sold. “That’s when the distribution network goes into a flash sale,” he said. The targeted organization doesn’t know it’s been studied until the attacks arrive in volume.
The trajectory is steep. AI agents acting as legitimate users are already blinding core fraud detection systems, with fraud losses projected to increase by up to 500% as agent-driven automation scales. When fraud detection can’t distinguish between a customer’s legitimate AI assistant and an attacker’s weaponized agent, misclassification compounds at scale. Organizations in this position aren’t just behind on governance. They’re running a fraud-prevention program that treats a growing share of malicious traffic as normal behavior.
Why machine identity management doesn’t cover this
Organizations that invested in machine identity management have a head start on the vocabulary. Our data shows 86% of practitioners already manage machine identities, and oversight is extensive. But the tools were built for a different problem.
Traditional machine identities are bounded. An API key does one thing. A service account operates within a defined domain. The governance model assumes a structured, predictable scope: set permissions, monitor access, and rotate credentials on a schedule.
AI agents break those assumptions. A capable agent can open accounts, initiate communications, request approvals, escalate its own permissions, and interact across platforms in sequences that weren’t anticipated when governance policies were written. The non-human identity challenge is real and ongoing, but the agentic layer is structurally different. It requires governance for entities with emergent, multi-step behavior, not fixed-function credentials with a known blast radius.
This is also why converging workforce and consumer agent governance into one architecture is so difficult. Workforce identity systems were built for humans with predictable access patterns. Consumer identity systems were built to verify individuals at a point in time. Neither was designed for scenarios where an AI agent holds delegated authority from a human, operates continuously, and crosses channel boundaries without anyone reviewing its access in real time.
What agentic AI security actually requires
Agentic AI security isn’t a product category yet. It’s closer to an architectural requirement that spans identity, fraud, and cybersecurity simultaneously.
At the foundation, it requires knowing what agents are operating in your environment. Not by category or approximation, but specifically: which agent, with what permissions, acting on whose behalf, doing what, and when. That’s the baseline. Most organizations don’t have it.
Beyond visibility, it requires authenticating and authorizing non-human actors in real time. Not by blocking all agentic traffic (which kills the productivity gains agents are supposed to deliver) and not by allowing everything through (which eliminates security). The signals that distinguish a legitimate AI agent from a malicious one are fundamentally different from the signals that distinguish a human from a bot. Building that detection layer is a harder problem than retrofitting existing controls.
It also requires audit trails that compliance teams and regulators can actually use. When an AI agent takes an action that affects a consumer account, that action needs to be attributable, reviewable, and explainable. That’s a new capability requirement landing across identity, fraud, and cybersecurity functions at once.
None of this gets solved by extending current machine identity management and hoping the coverage holds.
Getting ahead of it
The organizations making real progress share a few things in common. They’ve assigned explicit ownership of agentic AI governance instead of letting it sit in the gap between existing teams. They’re treating agent identity as a first-class problem, not a line item on the IAM roadmap. And they’re building the signal infrastructure to distinguish good agents from bad ones, because they know the window between a fraudster finding an exploit and scaling it is measured in hours, not quarters.
Navarro put it directly: “You can’t learn to ride a bike by reading about it. You have to get on, take a couple of falls, and go.” Organizations waiting for the governance landscape to fully mature before engaging will find themselves behind a threat environment that is not waiting with them.
The research and practitioner perspectives that informed this post came from our live panel on governing AI agents across workforce and consumer ecosystems. The full conversation covers specific examples of what’s working, what’s failing, and how identity architectures are evolving to handle delegated agent access.
