The Identity and Access Gaps in the Age of Autonomous AI

AI agents are operating across production systems, invoking tools, accessing data, and acting autonomously – often under borrowed identities, inherited permissions, and credentials nobody is rotating.

This Cloud Security Alliance survey report, commissioned by Aembit, examines how enterprises are actually managing AI agent identity and access today.

Inside, you’ll find:

• 68% of organizations cannot clearly distinguish between actions taken by AI agents and those taken by humans.
• Most agents don’t operate under their own identity – they inherit access originally scoped for users or shared accounts.
• Fragmented ownership and accountability mean security, engineering, and IT are often managing the same problem with different assumptions – and different answers for who’s responsible when something goes wrong.
• Governance mechanisms, human approval workflows, and kill-switch revocation are being used as stopgaps where identity-layer controls don’t yet exist.
• Organizations cite clear identity separation and short-lived, per-task access among the capabilities most needed to scale safely

Who this report is for

Security, IAM, platform, and engineering leaders and practitioners responsible for extending identity controls to autonomous systems – and the teams making decisions about how AI agents authenticate, access resources, and get secured at runtime.