AI has joined the workforce: are you ready to manage it? asks David McNeely, CTO at the platform Delinea.
AI is no longer confined to pilot projects or innovation labs. Across organisations, it has become part of the fabric of work, powering everyday tools, underpinning automated processes and operating behind the scenes in ways many employees may not notice. However, the real shift isnโt just the pace of adoption, but the depth of integration. The technology is increasingly influencing how work is performed, how decisions are made andhow outcomes are delivered.
That momentum has already started bringing tangible gains. Research from a KPMG study showed that among 85 per cent of organisations already implementing AI into their business operations, productivity rose by an average of 35pc when AI agents were introduced into daily workflows. Itโs a sign that teams are using AI to move faster, offload repetitive tasks and surface insights with greater speed and accuracy. Yet as the technology becomes more embedded across enterprises, it also demands more intentional oversight. In particular, questions around identity and security can no longer be an afterthought. Ultimately, itโs the foundations organisations put in place that will determine how securely AI can scale.
A digital workforce
So far, most of the conversation has focused on humans using AI. Assistants and copilots that sit alongside employees have dominated headlines, and for good reason. They are changing how people writeย content,ย developย code, analyse data, and communicateย with others.ย But that is only part of the story.
A quieter shift is underway where AI is no longer just supporting theย workforce butย becomingย a distinctย part of it.ย Weโreย in theย early stagesย of autonomous AI agentsย takingย on tasks independently, accessing applications, pulling data, and making decisions with little or no human involvement. While it is tempting to see themย simplyย as the next evolution of assistants, they are something fundamentally different. These agentsย operateย as independent actors inside the environmentย and should be usingย their own credentials and permissions, which means they behave far more like digital employees than tools.
This shift matters because most organisations are still treating these agents like software, even as they take on responsibilities that look a lot like human work.ย For example, many AI agentsย take theย easy wayย out andย askย the human to reuse their existing credentials and permissions.
Where identity infrastructure is falling short
For decades, identity and access managementย (IAM)ย has been designed around a simple assumption: the primary user is human. Even when organisations extended IAM to cover service accounts and machine identities, those identities were tied to predictable systems performing narrow, repetitive tasks.
Autonomous agentsย disruptย that model. They are adaptive,ย work through tasks in flexible andย non-uniformย ways,ย operateย at machine speed, and may touch far more systems than any single employee ever would.ย Despite this,ย many environments are trying to squeeze them into frameworks that were never built for independent, decision-making digital workers.ย A recentย 2025 data and AI security research reportย shows that only 16% of organisations treat AI as its own identity class with dedicated policies.ย The result is a growing gap between how these agentsย behave and how their identities are governed, creating blind spots that attackersย areย ready to exploit.
That gapย beginsย the moment an organisation tries to onboard an autonomous agent. When a new employee joins, HR systems trigger identityย creation,ย roles are assigned, access is provisioned, and ownership is clear. There is a record of who the person is, what theyย are responsible for, and who manages them.
Autonomous agents arrive with none of that structure. They areย createdย by developers, embedded into workflows, or introduced through new platforms, often without any central visibility or consistent process. There is no HR system for AI, no default manager, and no guarantee that anyone is accountable for what that agent can access or do.
This is where identity governance must evolve. Organisations need to discover these agents, register them, and give them distinct identities tied to clear business ownership. Every autonomous agent should have a clear owner who understands why it exists, what it is meant to do, and which systems it should touch. Without that foundation, it becomes difficult to answer even basic questions about how many agents exist, who owns them, and whether their access is still justified. Given estimations that nearly three in four4 companies plan to deploy agentic AI in the next two years, with just one in five having a mature governance model for these autonomous agents โ according to Deloitte โย these challenges are only set to expand.
Oversight in the age of autonomous work
Onboarding is only the beginning. Once agents are in the environment, the realย difficulty liesย inย governing what they can doย and when.ย Itโsย easy to focus on securing models or code, but governance isย ultimately aboutย managing identities and privileges in line with business intent.
If an agent can act on behalf of the organisation, its identity should be governedย withย the same rigorย as a humanย employee. In many cases, it should be governed even more tightly,ย asย AIย agentsย operateย autonomously,ย continuously, and across trust boundaries at machine speed and scale.ย That makes over-privileged accessย particularlyย dangerous.
AI has fundamentally altered the identity security paradigm. Privileged actions are being increasingly performedย across hybrid ecosystems โโ from on-prem and cloud toย databasesย and SaaS โโย and organizations have lost the centralised point of control over privileged access they once relied on.ย Organisations can no longerย dependย onย standing,ย always-onย access. Theyย must shiftย towardย dynamicย andย ephemeralย models. Short-lived credentials,ย just-in-time access,ย tightly scoped permissions, and continuous monitoring help ensure agents can complete specific tasksย at the momentย of actionย without holding more power than they need. This kind of approach supports innovation while reducing the blast radius if something goes wrong.
Growing offboarding gap
Just as important as onboarding and governance is offboarding. When a human leaves the organisation, access is revoked and accounts are closed. With autonomous agents, there is often no clear lifecycle event that triggers that same cleanup.
An agent mayย be retiredย quietly, replaced by something new, or simply forgotten. If no one isย watching,ย that identity can remain in place with access it no longer needs. An unmanaged agent with lingering privileges becomes an easyย targetย and a hidden entry point into critical systems. Extending discovery and lifecycle processes toย identifyย idle orย orphaned agents, and removing them promptly, is essential to keeping the environment clean and reducing long-term risk.
Machines donโt decide, humans must
Even in a world of autonomous systems, humansย remainย central. Every agent shouldย ultimately beย tied back to a person or team responsible forย itsย behaviour. Sensitive actions should require human approval. Activity should beย clearlyย visible andย auditableย so teams can understand not just what happened, but why.
Autonomy does not remove accountability. If anything, it raises the bar for oversight, because the pace and scale of machine-driven activity leave less room for error. Organisations that build clear ownership and human-in-the-loop controls into their identity programs will be far better positioned to earn trust in how they use AI.
Future-proofing IAM for digital employees
The future of work isnโt simply just humans leveraging AI; itโs a hybrid workforce where people and AI-native tools must collaborate, each contributing to the operation and goals of a business.ย Withย sixty-two percentย of organisations already piloting AI agents, that future is rapidly becoming a reality. Those that thrive will stop seeing autonomous agents as background tools and start treating them as an extension of their team. Additionally, they will develop onboarding processes integrated with HR, implement governance frameworks that match the speed of machine-driven work and enforce offboarding procedures that close all access points.
Itโs time for businesses to rethink identity and access management for a workforce that no longer clocks in, recognising that in an age where autonomous AI is booming, identity and authorisations extend far beyond just your human employees.
