Agentic AI identity: A 6-stage maturity model for non-human identities A new six-stage maturity model for non-human identities (NHIs) addresses the identity governance gap exposed by agentic AI, where LLM-based agents with excessive privileges have caused production outages. The model, informed by Gartner's 2026 cybersecurity trends and OWASP's agentic AI threat taxonomy, mandates six minimum requirements before deployment, including refusing to average human and non-human identity governance. CISA's Five Eyes advisory and NIST's AI Agent Standards Initiative converge on privilege risk as the foundational concern. In a client engagement last year, an LLM-based deployment agent with standing access to a production Kubernetes cluster triggered a four-hour outage through a malformed configuration push. In the IAM, the agent appeared as a service account with a long-lived API key, no MFA, no scoped revocation path. When the incident review team asked which human had authorized the agent’s last action, no one in the room could answer. I have watched a version of that question go unanswered in three engagements over the past year, in three different sectors, with three different vendor stacks. Every CISO deck right now contains a slide about agentic AI. Far fewer contain a slide about who, in identity terms, these agents actually are. That gap is the more dangerous one. The first slide is a strategy question. The second is a control question — and it is the one your auditors, your incident responders and your board will eventually ask. Gartner’s Top Cybersecurity Trends 2026 https://www.gartner.com/en/newsroom/press-releases/2026-02-05-gartner-identifies-the-top-cybersecurity-trends-for-2026 , published by Director Analyst Alex Michaels, names both halves of that gap — agentic AI oversight Trend 1 and IAM adaptation to AI agents Trend 4 — as the forces redefining cyber risk this year. This piece sets out a six-stage maturity model for non-human and agent-based identities NHIs , the six minimum requirements that have to be met before any production deployment is defensible and the single most consequential reporting decision in the access-and-identity dimension: refusing the arithmetic mean across human and non-human identity governance. A conventional service account performs a narrow, predictable task: it fetches a backup, runs a scheduled report, signs a build artifact. Its scope is fixed at design time. The controls around it — rotation, vaulting, audit — are well-understood. An agent-based system does not work this way. It receives an intent, decomposes it into steps, calls whichever tools or APIs it judges appropriate and produces an outcome that was not specified action-by-action in advance. KuppingerCole’s 2026 Leadership Compass on Non-Human Identity Management notes that NHIs now outnumber human users in many enterprise environments, in some cases by a factor of 25 to 50. The same compass, authored under Principal Analyst Martin Kuppinger, observes that the tooling built around joiner-mover-leaver lifecycles was never designed to discover, attribute or govern these identities at that scale. The OWASP GenAI Security Project https://genai.owasp.org/ has catalogued the resulting attack surface in two iterations — the Agentic AI Threats & Mitigations taxonomy in February 2025 and the more operational OWASP Top 10 for Agentic Applications later that year, categories ASI01 through ASI10. The notable finding is that three of the four highest-rated risks are identity questions: tool misuse and exploitation ASI02 , identity and privilege abuse including delegated and inherited trust ASI03 and rogue agents that act outside their intended behavior ASI10 . A fourth, agentic supply chain vulnerabilities ASI04 , is identity adjacent. CISA’s first joint Five Eyes advisory on the topic — Careful Adoption of Agentic AI Services https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services , published 1 May 2026 with NSA, the Australian Signals Directorate’s ACSC, the Canadian Centre for Cyber Security, NCSC-NZ and NCSC-UK — converges on the same conclusion. Privilege risk is named the foundational concern. The Center for Internet Security followed with its own report on prompt injection as the top compounding risk in April 2026, and NIST’s AI Agent Standards Initiative, launched February 2026, is now drafting the formal standards that will sit alongside this guidance. In other words, the dominant risk class introduced by agentic AI is not novel cryptography or some new exploit primitive. It is the unbounded scope of an identity that the existing IAM model was never asked to govern. Before any maturity discussion is useful, there is a floor. The following six requirements mark the line below which an agent-based system is not responsibly deployable in an enterprise environment. They are derived from incidents and audit findings I have collected across pharma, energy, finance and manufacturing engagements, and they are technically feasible on modern IAM and PAM platforms — though rarely on the IAM stacks most enterprises actually have today. An organization that cannot meet all six does not have an agent governance problem. It has a deployment readiness problem. The model below assumes these are in place by Stage 3; anything earlier is the discovery phase. Most enterprise maturity scales measure the access-and-identity dimension against the yardstick of human identity: is there central IAM, is MFA enforced for privileged access, does the joiner-mover-leaver lifecycle work? These remain the right questions, but they stop short. An organization that scores Stage 4 on human identity governance and Stage 1 on agent governance does not have a mature identity practice. It has a well-lit half and a blind half. The following six-stage scale is cumulative — each stage assumes everything below it. The threshold of responsibility sits at Stage 3. In my view, production deployment of agent-based systems below Stage 3 is not defensible to a board, a regulator or an incident review. Stage | Label | Criterion for non-human / agent-based identities | Audit survivability | 0 | Unrecognized | Non-human identities exist but are not in the inventory. Shared service accounts, long-lived keys, no audit trail. | No — agent activity is invisible to forensics. | 1 | Visible | Identities are inventoried and assigned to an asset class, but not yet under independent governance. | No — no per-agent accountability. | 2 | Unique | Each identity is uniquely attributable no shared accounts ; initial lifecycle rules exist but are applied inconsistently. | Partial — who acted is answerable; on whose authority is not. | 3 | Controlled | The six minimum requirements are fully met: on-behalf-of model, short-lived credentials, SIEM audit trail, real-time revocation. | Yes — minimum defensible posture. | 4 | Bounded and monitored | The agent’s action is bounded; every action is reviewable and — where the process allows — reversible. Agent activity metrics are evaluated, not just collected. | Yes — containment is provable. | 5 | Self-regulating | Anomalies in agent behavior are detected automatically and trigger risk-based pause or revocation. Each agent has a named accountable owner. | Yes — state of the art. | Stages 4 and 5 deserve unpacking because they are where the model departs from access control and begins to govern behavior. Bounded means the agent’s mandate has explicit limits it cannot act outside of. Reviewable means every action is logged with intent, execution and result. Reversible means an action can be rolled back before it produces irreversible effect — a hard constraint in any environment where actions touch physical processes, financial transactions or external commitments. Self-regulating means the system detects anomalies in agent behavior and intervenes before a human reasonably could. One misconception consistently overrates organizations’ agent governance. The presence of a human in the decision loop is widely treated as sufficient oversight. It is not. If a human is asked to approve hundreds or thousands of agent actions without the time to inspect each one, what exists is not control but an approval automation with a human signature on it. Human review does not scale to the action volume of an autonomous system. A mature governance posture acknowledges this. It moves control from per-action approval to structural constraint: bound what the agent can do at all, monitor its behavior for anomaly and ensure that oversight is loyal to the principal, not to the executing system. An organization that rests its agent governance entirely on human per-action approvals does not reach Stage 4 of the model, regardless of how thoroughly those approvals are documented. Stage 4 requires structural bounding, not scaling handwork. Maturity assessment risks drifting into subjective self-rating. The OWASP categories cited above can be operationalized into audit questions that anchor each stage in checkable evidence: OWASP attack surface Top 10 for agentic applications | Audit question for maturity assessment | Met from stage | | ASI03 — Identity and privilege abuse | Does each agent have a unique identity, with no shared accounts? | 2 | | ASI02 — Tool misuse and exploitation | Are the interfaces an agent is permitted to use explicitly bounded? | 4 | | ASI01 — Goal hijack | Is each agent’s mandate clearly bounded and protected against manipulation? | 4 | | ASI04 — Agentic supply chain vulnerability | Is the agent’s software composition documented via SBOM? | 4 | | ASI10 — Rogue agent | Are anomalies in agent behavior detected and routed to pause or revoke? | 5 | The column on the right matters. A common rating error is to grade an organization high because it has handled the easy requirements — unique identities, basic logging — without addressing the demanding ones. Tying the upper stages to the difficult criteria prevents that inflation. The single most consequential reporting decision is to refuse the arithmetic mean. The access-and-identity dimension on a maturity radar should not collapse a Stage 4 human-identity practice and a Stage 1 agent-identity practice into a reassuring middle number. Both ratings belong on the same axis, but they belong reported separately. A representative finding from current engagements: human identity governance at Stage 4 — central IAM, MFA, lifecycle managed — and agent governance at Stage 1, with agents recently inventoried but still authenticating via long-lived API keys against shared service accounts, without their own audit trail. The combined average would read Stage 2 to 3 and look acceptable. The separate reporting reveals that the unmanaged half is precisely the identity class with the largest and least predictable scope of action. That visibility is what triggers the prioritized roadmap action; an aggregated score buries it. If I run only one diagnostic in a new engagement, this is the one. For every production agent-based system in the environment, ask: who, by name, is accountable if this agent causes harm? An agent without a named accountable owner is the non-human counterpart of the workstation everyone uses, and no one owns. Stage 5 of the model formally requires a named accountable owner per deployed agent. The reason is operational, not bureaucratic: the question ‘who is responsible for this system?’ must be answered before the incident, not during it. In practice, that accountability binds best to the role that already carries the operational risk of the affected process — typically the asset owner in the business function. Anchoring it there prevents agent-based systems from drifting into the organizational gray zone between IT, security and the business, which is exactly where unattributed action originates. The maturity model in this article is a starting structure. The honest first step in adopting it is not to score well. It is to score truthfully, report human and non-human identity governance separately and treat the gap between them as the first item on the security roadmap for the agentic-AI period — before the next agent goes to production. This article is published as part of the Foundry Expert Contributor Network. Want to join? https://www.csoonline.com/expert-contributor-network/