Let this sink in: 91% of companies are using AI agents, but just 10% have a formal governance strategy in place for the technology.
Non-human identities are growing exponentially, and enterprises are struggling to keep up. This gap is particularly troublesome when it comes to managing access. Unlike humans that are more discerning, AI agents have shown that they'll exploit every access point possible to complete a task.
@Cequenceai CTO Shreyans Mehta shared his thoughts with TheSourceCode on how companies can control autonomous agents:
💡The trouble with simply linking user identity to AI agents: "Identity tells you who has access to applications and data, but not what that access should be used for — and for autonomous agents, that distinction is critical. Simply granting agents the same access as the user is no longer acceptable.”
💡Why every access point matters: "The non-deterministic nature of these systems means that if you give an agent broad access 'just in case,' it will eventually find a reason to use it. That's not a bug in the model. That's a configuration decision.”
💡The need for run-time enforcement: "Least privilege for AI agents means defining access by task, not by user role. The agent gets the tools it needs to fulfil its job description, aligning it with a specific job, nothing more.”
💡Having the right documentation: "The governance gap isn't regulatory. The regulations are catching up. The gap is operational: most enterprises deploying agents today can't produce the audit trail regulators will demand.”