Agentic workforce is scaling faster than identity and security frameworks can adapt
The latest survey report from the Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, has found that while organizations are eager to harness the efficiencies brought about by AI agents, traditional human-centric Identity and Access Management (IAM) architectures aren’t capable of keeping up with agentic behavior. According to the Securing Autonomous AI Agents survey report, which was commissioned by Strata Identity, more than half of organizations (84%) doubted they could pass a compliance audit focused on agent behavior or access controls.
“The agentic workforce is scaling faster than identity and security frameworks can adapt. Success in the agentic era will hinge on treating agent identity with the same rigor historically reserved for human users, enabling secure autonomy at enterprise scale,” said Hillary Baron, AVP of Research, Cloud Security Alliance.
Among the survey’s key findings:
- Agent adoption is expected to surge in the next 12 months. Whereas 58% of organizations estimate that they currently have between 1–100 agents deployed, by this time next year over 70% expect to be managing anywhere from dozens to hundreds: 39% expect between 1–100 and another 31% expect between 101–500. These values also highlight confusion over what constitutes a truly “autonomous AI agent.”
- Confidence in IAM for agents is low. Only 18% of respondents say they are “highly confident” their current IAM systems can manage agent identities effectively, while the majority express only moderate (35%) or slight (29%) confidence, and another 18% report no or uncertain confidence.
- Static credentials and fragmented controls expose agents to risk. Rather than implementing purpose-built, runtime authorization aligned to agent intent and context, nearly half of organizations are extending human IAM models to govern agent behavior, resulting in mismatched privilege boundaries and unclear accountability. Forty-four percent stated they use or plan to use static API keys, while 43% reported using or planning to use username and password combinations.
- Discovery and traceability are blind spots. Most enterprises are retrofitting existing tools rather than deploying purpose-built systems for agent discovery and governance, leaving them able to see some agents some of the time, but rarely in one place or in real time. Only 21% of organizations maintain a real-time registry or inventory of their agents and less than a third (28%) can reliably trace agent actions to a human or system across all environments.
- Maturity is lagging, but investments are rising. Cognizant of the security and governance gaps that have been exposed as a result of AI agent adoption, 40% of organizations reported that they are increasing their overall identity and security budgets to accommodate AI agents, with 34% allocating a dedicated budget line and another 22% reallocating funds from other security areas.
“This survey shows that enterprises are coming to realize that securing AI agents isn’t just about tweaking existing IAM processes; rather, it requires rethinking identity architecture altogether. Static credentials, manual provisioning, and siloed policies can’t keep pace with the speed and autonomy of agentic systems. The future of identity must be orchestrated, contextual, and continuous, enabling real-time authentication, authorization, and auditing wherever agents operate,” said Eric Olden, Co-founder & CEO, Strata Identity.
Strata commissioned CSA to develop a survey and report to better understand the industry’s knowledge, attitudes, and opinions regarding identity controls for autonomous AI agents. Strata financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in September and October 2025 and received 285 responses from IT and security professionals from organizations of various sizes and locations. CSA’s research analysts performed the data analysis and interpretation for this report.
Download the Securing Autonomous AI Agents survey report.
About Strata Identity
Strata Identity enables organizations to orchestrate and modernize human and agent identities without disrupting existing infrastructure while maintaining a frictionless user experience. By decoupling identity from applications, Strata’s Maverics platform unifies SSO, can rationalize redundant IdPs, and ensures continuous access during outages via IdP failover. It enables organizations to extend Zero Trust controls across human, machine, and autonomous AI identities. Learn more at Strata.io and follow us on LinkedIn and YouTube.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading not-for-profit organization committed to awareness, practical implementation, and credentialing of forward-looking cybersecurity topics, including AI, cloud, and Zero Trust. In an era where digital transformation drives business success, CSA stands as the global authority ensuring organizations can operate securely while harnessing cutting-edge technology. Through volunteer-driven research, globally-accepted standards, and award-winning vendor-neutral education programs that unite technical experts, industry practitioners, and varied associations, governments, chapters, and corporate members, CSA bridges the gap between innovation and pragmatic security execution. Visit CSA’s website to learn more.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260205564741/en/
Contacts
Media Contact
Kristina Rundquist
ZAG Communications for the CSA
kristina@zagcommunications.com