2026 State of Passwordless Identity Assurance Report |
Bojan Simic, CEO, HYPR
11 Min. Read | June 15, 2026
I've spent the last several months in conversations with CISOs and CIOs at some of the largest enterprises in the world. The specific details vary. The underlying situation almost never does.
The mandate to scale autonomous AI is coming from the top — from CEOs, from boards, from every business unit leader with a productivity target attached to their next review. CIOs and CISOs are now furiously working to determine how to establish an adequate control infrastructure to do so without the risk outpacing the reward.
We know that the agentic workforce needs to be treated as a genuinely new class of digital worker. AI agents operate differently from every identity type organizations have managed before. They act autonomously, invoke tools, generate decisions, and produce real-world consequences — all at machine speed, without a human in the loop. The IAM frameworks, policy engines, and audit practices built for people and applications were never designed for this.
The result is a widening gap between AI ambition and security confidence. The business wants more agents, faster, touching more systems. The CIO and CISO want to say yes — but they have no reliable way to answer the foundational question that sits underneath that yes: do we actually know what our agents are doing, and can we stop them if something goes wrong?
It's a question we've been asking ourselves at HYPR too. We're deploying agents internally across our own workflows, and we've built our approach to governing them on the same framework we're bringing to market. What we've learned firsthand is that the control problem isn't theoretical — it surfaces quickly, in practical ways, the moment agents start touching real systems. The architecture we're describing here is the one we're running on.
The Trek to an Agentic Workforce
The trek toward mature AI agent governance follows a pattern. Organizations don't jump straight to assurance — they climb through four distinct peaks, and each one teaches a lesson the previous one didn't reveal. The hard part is that you can only see the next peak from the top of the current one.
Peak 1: Observability. Organizations begin by trying to understand what agents exist. Endpoint detection, network monitoring, and API traffic logging give security teams their first real inventory of AI tool usage across the enterprise. What you learn at the top: seeing agent traffic doesn't mean you can do anything about it.
Peak 2: Restriction. With a map in hand, the instinct is to block. Unsanctioned APIs get cut off. Traffic gets routed through corporate gateways. Shadow AI gets addressed — officially. What you learn at the top: restriction without enablement just accelerates shadow usage. Employees find workarounds. Legitimate use cases slow down.
Peak 3: Governance. Policy frameworks come next. Central controls get applied to defined use cases. Session-level enforcement gives security teams a lever. Audits become possible. What you learn at the top: policy without identity doesn't hold. You can't govern an actor you can't verify — and you still have no way to assign accountability.
Peak 4: Assurance. The complete picture — agents with verifiable identity, policy enforced inline, human supervisors in the loop for high-risk actions, and the ability to revoke, constrain, or shut down any agent instantly. This is where trust becomes operationalized, and where autonomous AI use cases become safe to scale.
Most enterprises are somewhere between peaks one and two. They've achieved some level of restriction and are building policy frameworks, but they don't yet have identity or accountability for the agents themselves. That gap matters more than it might appear. Governance without identity is structurally unenforceable. You can write policies about what agents are and aren't allowed to do. But if you can't verify which agent did what, who authorized it, or whether the action fell within any agreed scope — the policy is a document, not a control.
The Framework
An interesting anecdote from a recent conversation with an identity security leader: IAM teams are becoming the new HR for agents. Just as HR owns the policies, onboarding processes, and accountability structures for human employees, IAM teams are inheriting that same function for a non-human workforce that is growing faster, operating more autonomously, and touching more systems than any human workforce ever did.
Reaching the assurance peak requires a fundamentally different approach than what IAM and security teams are used to. Agents need their own identity model, their own scope of authority, and their own accountability chain. Three capabilities define a mature agent security posture — and they have to work together. Partial implementation of any one of them leaves the others ineffective.
Stop it at the source, not after the fact. Control has to start at the endpoint — where the agent process runs. Traffic-level controls are necessary but insufficient. An agent that can route around the gateway by going direct to an inference provider has already escaped governance. The only reliable control point is the endpoint itself, before the request ever leaves the machine.
No identity, no policy. No policy, no accountability. Every agent needs a verifiable identity bound to a human owner, a defined scope of authority, and a time-bounded delegation model. Without identity, there is no meaningful policy. "Allow agents to access CRM data" is not a policy — it's a hope. A named agent, with a verified scope, acting on behalf of a named human, within a defined window: that's enforceable.
Autonomy and accountability are not opposites, but they require deliberate design. High-risk actions need a human checkpoint. That checkpoint needs to be low-friction enough that it doesn't become a bottleneck, and high-integrity enough that approvals are cryptographically meaningful. A supervisor who can approve, deny, constrain, or terminate an agent in real time is what makes scale safe.
Agent Control Model
Control lives at two levels: the organization, and the agent.
One of the practical questions organizations ask when they reach the governance peak is: who actually owns the controls? The answer is that effective agent governance operates at two distinct levels — organizational controls set by administrators, and operational controls managed by the people deploying agents day to day.
The two layers are additive. Admin controls set the floor. Agent-owner controls narrow behavior within it. A team lead can configure an agent to be more restrictive than the org-wide default. She cannot configure it to be less. This is the architecture that lets security teams say yes rather than defaulting to no — and it's what makes AI adoption a shared infrastructure problem rather than a security-versus-productivity negotiation.
The organizations that will scale AI confidently are the ones that build the trust infrastructure that makes it safe to say yes — to more agents, more autonomy, more use cases — because every action is known, governed, and accountable.
Subscribe to our updates to receive expert insights and learn how HYPR's multi-factor verification and digital identity solutions can protect your business and customers.
Frequently Asked Questions
What is AI agent governance in enterprise security?
AI agent governance is the set of controls, policies, and enforcement mechanisms that determine what AI agents can do, on whose behalf, and with what level of human oversight. It encompasses agent identity — binding each agent to a verifiable human owner — authorization, which defines the scope of what an agent can access or invoke, policy enforcement applied at runtime before an action executes, and human supervision through a designated person who can approve, deny, or terminate an agent's actions in real time. Unlike governance for human users or traditional applications, AI agent governance must account for autonomous, machine-speed action across multiple systems simultaneously.
Why is existing IAM not sufficient for AI agents?
Existing IAM frameworks were designed for human users and static applications — identities that authenticate once, operate within predictable session boundaries, and take human-speed actions. AI agents are fundamentally different. They act autonomously, invoke tools dynamically, operate across multiple systems simultaneously, and generate real-world consequences at machine speed without a human in the loop. Service accounts and API keys — the closest existing constructs — lack delegation models, human accountability chains, and the ability to enforce policy inline at the moment of action. They also provide no mechanism for real-time supervision or emergency revocation tied to a specific agent's activity.
What is shadow AI in enterprise environments?
Shadow AI refers to AI tools and agents used by employees without organizational awareness or control — connecting directly to external inference providers without routing through enterprise security controls. It is the AI equivalent of shadow IT, and it emerges when employees adopt tools faster than security teams can evaluate and sanction them. The risk is that sensitive data leaves the organization through unmonitored channels, agent actions are taken without audit trails, and no accountability exists if something goes wrong. Restriction-only approaches to shadow AI tend to accelerate the problem rather than solve it, because they block sanctioned usage without providing a governed alternative.
What is the difference between AI agent observability and AI agent control?
Observability means you can see what agents are doing — logging API calls, detecting agent processes on endpoints, monitoring network traffic to inference providers. Control means you can enforce what agents are allowed to do and stop them from doing what they shouldn't. Most early AI security tooling focuses on observability because it is easier to implement and doesn't require intercepting or modifying agent behavior. But observability without control is a dashboard, not a security posture. An agent that can connect directly to an external inference provider is invisible to gateway-level monitoring. An agent that can bypass controls entirely is ungoverned regardless of how well you observe it after the fact.
What is the difference between admin-level and agent-owner-level controls for AI agents?
Admin-level controls are organization-wide policies set by security or IT administrators that apply to every agent in the enterprise regardless of who deployed it. They enforce automatically and cannot be overridden by individual users — examples include payment approval thresholds, prohibited tool categories, and mandatory audit logging. Agent-owner controls are per-agent configurations set by the person deploying a specific agent, defining how that agent behaves within the boundaries administrators have established. Examples include session time limits, tool scope restrictions, and supervisor designation. The two layers are additive: agent owners can make their agents more restrictive than the org-wide default but cannot make them less restrictive.
What does a mature enterprise AI agent security posture require?
A mature enterprise AI agent security posture requires four things working together. First, endpoint enforcement — security controls intercept agent traffic at the endpoint before it reaches external providers, making bypass impossible rather than just against policy. Second, agent identity — every agent has a verifiable identity bound to a named human supervisor with a defined and time-bounded scope of authority. Third, inline policy enforcement — policies are evaluated and enforced at the moment of action, not after the fact, so high-risk actions pause for human approval before executing. Fourth, real-time supervision — designated humans can approve, deny, constrain, or terminate any agent's actions instantly, with cryptographically signed approvals and a complete audit trail.
