The SANS Institute has warned that the race to incorporate AI into enterprise workflows threatens to outpace security efforts, after revealing widespread credential hygiene failings.
The security training and research organization presented the findings as part of its 2026 SANS State of Identity Threats & Defenses Survey, which is based on interviews with over 500 security professionals globally.
It revealed that three-quarters (76%) of organizations report growth in non-human identities (NHIs) such as service accounts, API keys, automation bots and workload identities.
A growing number of these are tied to agentic AI: 74% of organizations are already using AI agents or automations that require credentials, SANS Institute said.
This has led to the number of NHIs operating within organizations quietly doubling or tripling, the report claimed.
Read more on agentic AI risk: #Infosec2025: Concern Grows Over Agentic AI Security Risks
However, agentic AI in particular represents a potentially new security risk few enterprises seem able to manage.
Agents require credentials and access permissions to work autonomously, and are often granted privileged access to interact directly with critical infrastructure and data, SANS Institute said.
However, unlike traditional NHIs which follow fixed logic, agentic AI interprets instructions and can take unpredictable actions – meaning they behave more like an over‑privileged insider, but operating at machine speed. There’s also a risk of hallucination.
Forrester warned last year that an agentic AI deployment will cause a publicly disclosed data breach by the end of 2026, and called for organizations to follow a “minimum viable security” approach to mitigate associated risks.
AI Governance Is Lacking
Most organizations appear to lack a coordinated security-first approach to AI deployment, according to the SANS Institute study.
It found that 92% fail to rotate machine credentials on a 90-day cycle, fearing that this might break service accounts. Most (59%) rotate fewer than half of their NHI credentials quarterly, while some (15%) don’t even know their rotation rate.
A further 5% don’t know if they’re running agentic AI in their organization at all, the report noted.
Another challenge highlighted in the report is that many organizations rely on manual access reviews, ticket‑based provisioning, and periodic rotation, which simply don’t scale when environments have large volumes of NHIs operating at machine speed across DevOps, cloud and SaaS systems.
Richard Greene, certified instructor at SANS Institute, warned that organizations are giving AI decision-making power faster than they’re building governance frameworks to control it.
“We’ve already seen what happens when non‑human identities scale without guardrails, and agentic AI is moving even faster,” he added.
“The early signs of governance are encouraging – nearly four in ten organizations now use human in-the-loop approvals for AI agent actions – but the real challenge is staying ahead of these systems as they shift from pilots to core operations.”
The SANS Institute recommended adoption of secrets vaults, automated rotation and scoped least-privilege access as a bulwark against agentic AI risk, but emphasized the importance of scaling these efforts to match the continued growth of NHIs.
