Only 18% of security leaders trust their identity and access management systems to handle AI agents. The Cloud Security Alliance published that number in February 2026, alongside Strata Identity, after surveying 285 IT and security professionals. The other 82% range from “moderate confidence” (35%) to “no confidence at all” (18%). That gap between agent deployment speed and IAM readiness is what CSA calls the “Time-to-Trust” phase: organizations building the visibility, auditability, and control they need before they can safely grant agents real autonomy.
This matters because the agents are already here. 58% of respondents have between 1 and 100 agents deployed today, and 70% expect to manage dozens to hundreds within twelve months. The identity infrastructure is not keeping pace.
What the Survey Found: Five Numbers That Should Worry You
The full CSA report, “Securing Autonomous AI Agents,” runs 30+ pages. Here are the findings that carry the most weight for security teams making budget and architecture decisions right now.
84% Can’t Pass an Agent Compliance Audit
Asked whether their organization could pass a compliance audit focused specifically on agent behavior and access controls, 84% said no. That is not a hypothetical concern. The EU AI Act’s Article 49 transparency requirements are already in effect for high-risk systems, and NIS2 mandates traceable access for critical infrastructure. If your agents touch financial data, personal records, or operational systems in the EU, auditors will eventually ask who authorized what, and most organizations cannot answer that question today.
44% Still Use Static API Keys for Agent Authentication
The authentication methods organizations use for agents read like a 2015 security playbook. 44% rely on static API keys. 43% use username and password combinations. 35% depend on shared service accounts. These are the exact credential types that attackers target first because they never expire, rarely rotate, and grant broad access.
Hillary Baron, AVP of Research at CSA, put it directly: “Agents inherit user permissions but access all available data indiscriminately, unlike humans.” A static API key gives an agent permanent, unscoped access. When that key leaks (and CrowdStrike reports 82% of detections are now malware-free, meaning attackers move through authorized pathways), the agent becomes an open door.
Only 21% Have a Real-Time Agent Registry
You cannot secure what you cannot see. Only 21% of organizations maintain a real-time registry or inventory of active agents. Another 32% rely on non-real-time records (spreadsheets, quarterly audits). 32% plan to build one within twelve months. And 8% have nothing at all.
This means that in nearly 80% of enterprises, nobody knows exactly how many agents are running, what they have access to, or who authorized them. The CSA’s follow-up analysis on the visibility gap calls this the single biggest obstacle to agent governance.
Only 28% Can Trace Agent Actions Back to a Human
Accountability requires traceability. When an agent executes an action, someone needs to be responsible. Only 28% of respondents can reliably trace agent actions to a human sponsor or originating system across all environments. 46% can do it in some environments. 9% cannot do it at all.
The ownership itself is fragmented: 39% say security teams oversee agent identity, 32% say IT, and 13% say an emerging AI security function. When three different teams each think someone else owns the problem, the problem doesn’t get solved.
Only 23% Have a Formal Governance Strategy
Despite all the risk data, only 23% have a formal, enterprise-wide strategy for agent identity management. 37% rely on informal practices. The rest are somewhere between “planning” and “hoping it works out.”
Eric Olden, CEO of Strata Identity, frames the core issue: “Securing AI agents isn’t just about tweaking existing IAM processes. It requires rethinking identity architecture altogether. Static credentials, manual provisioning, and siloed policies can’t keep pace with the speed and autonomy of agentic systems.”
Why the Confidence Gap Exists
The CSA data tells a story about a structural mismatch. Organizations built their IAM systems for human users and service accounts. Agents are neither. They are ephemeral (spinning up and down in minutes), delegated (acting on behalf of other agents or humans), autonomous (making decisions about what to access at runtime), and multi-environment (moving across cloud providers, on-premises systems, and SaaS platforms in a single task).
Traditional IAM handles none of this well. OAuth tokens were designed for user-initiated sessions. Service accounts assume a fixed scope of access. Role-based access control assumes a stable set of roles. Agents break all three assumptions simultaneously.
The survey confirms this infrastructure mismatch in the platform data: 66% of respondents run agents across public clouds, 38% in hybrid multi-environment setups, and 37% on-premises. An agent that starts a task in Azure, calls a tool in AWS, and writes results to an on-premises database needs identity that travels with it. Most IAM systems authenticate at the front door and assume everything inside is trusted.
What Security Teams Actually Worry About
The top five concerns from the survey, ranked by percentage of respondents:
- Sensitive data exposure or leakage (55%): Agents with broad access copying data to unauthorized locations
- Unauthorized or unintended actions (52%): Agents exceeding their intended scope
- Credential misuse (45%): Stolen or leaked agent credentials used by attackers
- Lack of identity standards (45%): No agreed-upon protocols for agent authentication
- Inability to discover and register agents (40%): Shadow agents operating without oversight
These concerns map directly to the capability gaps. Organizations worry about data leakage because they use static keys. They worry about unauthorized actions because they lack real-time monitoring. They worry about credential misuse because they use shared service accounts. The fears are rational. The responses have been slow.
What Closes the Gap: The CSA’s Recommendations
CSA and Strata Identity, supplemented by a companion paper on agentic IAM, outline a shift from static identity to dynamic, context-aware agent governance. The core recommendations:
Treat Agents as First-Class Identities
Stop shoehorning agents into human user accounts or generic service accounts. Each agent needs its own identity with a clear human sponsor, scoped permissions, and an audit trail. The CSA recommends exploring decentralized identifiers (DIDs) and verifiable credentials (VCs) for agent identity, since traditional OAuth 2.1, SAML, and OIDC were not designed for autonomous, delegated systems.
Replace Static Credentials with Ephemeral Access
Move from permanent API keys to just-in-time, short-lived tokens scoped to specific tasks. When an agent finishes a task, its credentials should expire automatically. Mark Callahan of Strata Identity advocates for “zero standing permissions” for AI agents: no persistent access, no lingering credentials, no always-on service accounts.
Implement Runtime Authorization
One-time authentication at login is not enough. Agents need continuous authorization that evaluates context at every action: what data is being accessed, what the agent’s current task requires, whether the request pattern is anomalous. This is closer to how zero trust principles apply to agentic systems.
Build Agent Registries Now
The 21% who have real-time registries are the 21% who can actually govern their agents. Everyone else is operating blind. A registry should track every agent’s identity, human sponsor, permissions, active sessions, and last action. This is not optional anymore; it is the foundation that every other governance capability depends on.
Invest in Human-in-the-Loop Oversight
68% of respondents rate human oversight as “essential” or “very important.” Specifically, 69% require human validation before sensitive data access, 68% before system changes like code deployments, and 62% before financial transactions. These are reasonable guardrails for the current maturity level. The goal is not permanent human approval for every action, but graduated autonomy as trust is earned through audit data.
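The five recommendations above fit together as one small identity layer, shown here as an added example that is not code from the CSA report or from Strata Identity: a registry record per agent carrying its human sponsor and an upper bound on its permissions, a short-lived HMAC-signed token scoped to one task (a stand-in for whatever OAuth, DID or verifiable-credential format a real deployment issues), authorization re-evaluated on every action rather than once at login, an audit trail that traces each action back to the sponsor, and a human-approval gate for the sensitive scopes respondents flagged. The class and function names, the scope strings, the agent and sponsor identifiers, and the signing key are all constructed for illustration.

```python
# Added example (not from the CSA report or Strata Identity): a minimal agent
# identity layer with a sponsor-backed registry, task-scoped ephemeral tokens,
# per-action runtime authorization and a human-approval gate.
# All names (AgentRegistry, issue_task_token, authorize, ...) are hypothetical.
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

# Constructed signing key; a real deployment keeps this in a KMS or HSM.
SIGNING_KEY = secrets.token_bytes(32)

# Scopes that need human validation before the action runs (constructed names).
SENSITIVE_SCOPES = frozenset({"pii:read", "prod:deploy", "finance:transfer"})


@dataclass
class AgentRecord:
    agent_id: str
    sponsor: str               # the accountable human
    allowed_scopes: frozenset  # upper bound on what any token for this agent may carry
    actions: list = field(default_factory=list)  # audit trail of (time, scope, task)


class AgentRegistry:
    """Real-time inventory: every agent, its sponsor, its grant and its actions."""

    def __init__(self):
        self._agents = {}

    def register(self, agent_id, sponsor, allowed_scopes):
        self._agents[agent_id] = AgentRecord(agent_id, sponsor, frozenset(allowed_scopes))

    def get(self, agent_id):
        return self._agents.get(agent_id)

    def record(self, agent_id, scope, task_id, now):
        self._agents[agent_id].actions.append((now, scope, task_id))

    def sponsor_of(self, agent_id):
        rec = self.get(agent_id)
        return rec.sponsor if rec else None


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_task_token(registry, agent_id, task_id, scopes, ttl_seconds=300, now=None):
    """Mint a token bound to one agent, one task and a subset of the agent's grant.
    Zero standing permissions: the token is dead after ttl_seconds."""
    rec = registry.get(agent_id)
    if rec is None:
        raise PermissionError("unregistered agent")
    if not set(scopes) <= rec.allowed_scopes:
        raise PermissionError("requested scopes exceed the agent's grant")
    now = time.time() if now is None else now
    claims = {"agent": agent_id, "sponsor": rec.sponsor, "task": task_id,
              "scopes": sorted(scopes), "iat": now, "exp": now + ttl_seconds,
              "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if the signature checks out and the token is unexpired."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:  # malformed token or bad base64
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    return claims if now < claims["exp"] else None


def authorize(registry, token, action_scope, task_id, human_approved=False, now=None):
    """Runtime authorization, evaluated on every action rather than once at login.
    Returns (allowed, reason); allowed actions land in the agent's audit trail."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return False, "token invalid or expired"
    if claims["task"] != task_id:
        return False, "token is bound to a different task"
    if action_scope not in claims["scopes"]:
        return False, "scope not granted to this token"
    if action_scope in SENSITIVE_SCOPES and not human_approved:
        return False, "human validation required"
    if registry.get(claims["agent"]) is None:
        return False, "agent no longer registered"
    registry.record(claims["agent"], action_scope, task_id, now)
    return True, f"{claims['agent']} acting for sponsor {claims['sponsor']}"


if __name__ == "__main__":
    reg = AgentRegistry()
    reg.register("agent-crm-42", "alice@example.com", {"crm:read", "pii:read"})
    tok = issue_task_token(reg, "agent-crm-42", "task-7", {"crm:read", "pii:read"}, now=1000)
    print(authorize(reg, tok, "crm:read", "task-7", now=1010))        # allowed, logged
    print(authorize(reg, tok, "pii:read", "task-7", now=1020))        # needs a human
    print(authorize(reg, tok, "crm:read", "task-7", now=1400))        # expired
```

The contrast with the static-API-key pattern from the survey is in the claims: a leaked token is only useful for one task, for one agent, for five minutes, and never for more than the registry's grant for that agent, while every allowed action is written next to the sponsor's name, which is the record an auditor asking "who authorized what" would need.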
Where the Money Is Going
Organizations are responding with budgets, even if strategy lags behind. 40% are increasing their overall identity and security budgets specifically for AI agent risks. 34% have created dedicated budget lines for agent governance. 22% are reallocating funds from other security areas.
The budget signals suggest that enterprises recognize the problem. The CSA survey captures a moment where awareness has arrived but execution has not. The organizations that close the gap fastest will be those that treat agent identity as a distinct architectural challenge rather than an extension of existing IAM.
That means dedicated teams (not fragmented ownership across security, IT, and AI functions), purpose-built tooling (not retrofitted human IAM systems), and continuous monitoring (not quarterly spreadsheet audits). The data says 82% are not there yet. The question is who moves first.
Frequently Asked Questions
What did the CSA survey find about IAM readiness for AI agents?
The Cloud Security Alliance surveyed 285 IT and security professionals in 2026 and found that only 18% are highly confident their IAM systems can manage AI agent identities. 84% doubt they could pass a compliance audit focused on agent behavior, and only 21% maintain a real-time registry of active agents.
Why is traditional IAM insufficient for AI agents?
Traditional IAM was built for human users and static service accounts. AI agents are ephemeral, delegated, autonomous, and operate across multiple environments. They break assumptions built into OAuth, RBAC, and service account models because they make dynamic access decisions at runtime rather than following fixed permission sets.
What authentication methods are enterprises using for AI agents?
According to the CSA survey, 44% of organizations use static API keys, 43% use username/password combinations, and 35% rely on shared service accounts for agent authentication. These legacy methods lack rotation, scoping, and expiration features needed for autonomous systems.
What does the CSA recommend for securing AI agent identities?
The CSA recommends treating agents as first-class identities with individual credentials and human sponsors, replacing static API keys with ephemeral just-in-time tokens, implementing continuous runtime authorization instead of one-time login checks, building real-time agent registries, and adopting decentralized identifiers for agent identity.
How many enterprises have a formal strategy for AI agent identity management?
Only 23% of enterprises have a formal, enterprise-wide strategy for AI agent identity management. 37% rely on informal practices. The ownership is also fragmented: 39% assign responsibility to security teams, 32% to IT departments, and 13% to emerging AI security functions.
