AI Identity Governance: The Audit Gap You're Missing
AI
financial services
September 14, 2026· 8 min read

AI Identity Governance: The Audit Gap You're Missing

Most access reviews only audit human identities. But machine and AI identities now outnumber people 10:1. Here's why your compliance framework is already behind.

Your Access Review Is Missing 90% of Your Identities

You can't sign off on controls for identities you don't count. And most audit populations still only count people.

I was reviewing an access certification report last month for a mid-sized financial services client. Clean columns. Proper attestations. Every employee accounted for. The CISO was ready to sign off. Then I asked a simple question: "How many service accounts does this environment actually have?"

Silence. Then: "We'd have to check with IT."

The access review covered 847 human identities. The actual environment contained over 9,000 active credentials. The remaining 8,000+ were service accounts, API keys, automation scripts, and—increasingly—AI agents. All with permissions. All taking action. None of them in the audit population.

That gap isn't an IT problem anymore. It's a governance crisis hiding in plain sight.

The Madrid Signal

A small European startup called 8Layers just raised $2.9 million. Modest funding round. You've probably never heard of them. The money isn't the story.

The product is.

Their platform inventories four things as one population: human users, service accounts, APIs, and AI identities. Read that list again. An identity-security vendor, and the investors backing it, just put your employees and your AI agents in the same governance bucket.

That's the tell. Non-human identity moved from a technical edge case to a mainstream governance category. When venture capital starts funding the tooling, the market has already moved. The question isn't whether non-human identities matter—it's whether your audit framework has caught up.

The Last Time We Didn't Count Something

This isn't the first time audit populations lagged behind operational reality.

I started doing cloud security work in 2012. Back then, access reviews listed on-premises domain accounts. Meanwhile, marketing was spinning up Salesforce instances. Finance had Box accounts. Sales was running HubSpot. Each one provisioning users, storing data, processing transactions—all outside the enterprise identity system.

Nobody was lying. The audit just didn't have language for what was actually happening.

Shadow IT wasn't malicious. It was functional. The business needed to move faster than procurement and IT could provision. So it moved anyway. By the time governance frameworks adapted—by the time "SaaS management" became a product category—the average enterprise was already managing hundreds of cloud applications.

The pattern: operational reality changes first, then the tooling catches up, then the governance frameworks update, and finally the audit populations expand. That cycle takes years. And during that lag, you're certifying a subset while the unmanaged majority carries the risk.

AI identities are running the same play, one layer deeper.

What We're Not Counting

When I say "non-human identity," I'm not talking about theoretical risk. I'm talking about credentials that are logging in, executing transactions, and moving data right now:

  • Service accounts that run batch jobs, often with elevated privileges and passwords that haven't rotated in years

  • API keys embedded in applications, granting programmatic access to databases, cloud storage, payment systems

  • Automation scripts that provision infrastructure, deploy code, modify configurations—often with admin rights

  • AI agents that read email, draft responses, query databases, update CRM records, and increasingly make decisions without human review

In every environment I've assessed in the past two years, machine identities outnumber human identities by at least ten to one. In cloud-native organizations, that ratio climbs to thirty or forty to one.

And in every single access review, the audit population lists employees.

As if the bots don't have keys.

The Compliance Story You're Telling vs. The System You're Running

Here's the uncomfortable part. Your SOC 2 report, your ISO certification, your internal audit—all of them attest to "user access reviews." You're certifying that the right people have the right access. You're recertifying quarterly or annually. You're remediating exceptions.

And all of that is true. For the 10% of identities that are human.

You can't audit a population you don't count. That's not a snarky line. It's a literal control failure. If your control population excludes 90% of the active credentials in your environment, your attestation describes a system that doesn't exist.

I watched this exact scenario play out during an external audit last year. The auditor asked for the access review. The client provided it—847 users, all certified. Then the auditor asked to see the service account inventory. Long pause. IT eventually produced a spreadsheet with 200 accounts. The auditor asked how they knew it was complete. Another long pause.

The audit finding wasn't that controls were weak. It was that the control population was undefined. You can't test the operating effectiveness of a control when you don't know what's in scope.

Why This Got Urgent in 2024

Machine identities have been around for decades. Service accounts aren't new. APIs aren't new. So why does this matter now?

Two reasons.

First, AI agents crossed the autonomy threshold. A service account runs a script someone wrote. An AI agent makes decisions in real time based on context. It reads your email. It interprets intent. It queries your ERP system and drafts a response. That's not a batch job. That's an actor.

When an AI agent has API access to your financial systems, it's functionally indistinguishable from an employee—but it's not in your access review, it's not covered by your offboarding process, and it's probably not logging actions in a way your SIEM can parse.

Second, regulators are starting to ask. The SEC's 2024 cybersecurity disclosure rules require material incident reporting. The EU's Digital Operational Resilience Act (DORA) mandates ICT risk management, including identity and access controls. When auditors start pressure-testing your identity governance, "we manage human access" won't be a sufficient answer if the breach came from a compromised API key.

The One Question You Need to Ask Monday Morning

Pull your last access review. Open the spreadsheet. Count the rows that represent human users.

Now ask your infrastructure team: How many active credentials exist in this environment?

The gap between those two numbers is your unmanaged attack surface. And it's the number the auditor is going to circle.

If you don't have an answer, you're not alone. Most organizations don't. But that's changing fast. The tooling exists now—8Layers isn't the only vendor in this space, just the most recent signal that the market has moved. CyberArk, HashiCorp, and others have been building machine identity management for years.

The question isn't whether the tools are available. It's whether your governance framework has expanded to include what those tools are managing.

What to Do (Specifically)

If you're responsible for access governance, internal audit, or compliance:

  1. Inventory non-human identities as a separate population. Don't bolt it onto your employee access review. It's a different control, different risk profile, different ownership model.

  2. Define ownership for machine identities the way you define it for humans. Every service account, API key, and AI agent should have a technical owner and a business owner. If it doesn't, it's orphaned—and orphaned credentials are the ones that never get deprovisioned.

  3. Add non-human identity to your next SOC 2 or ISO scope conversation. Ask your auditor explicitly: Does our user access review control cover machine and AI identities, or just employees? If the answer is "just employees," that's a scoping gap, not a control deficiency—but it needs to be on the remediation roadmap.

  4. Test one use case. Pick one AI agent or service account with sensitive access. Map it to a business process. Identify the owner. Document the access. Run a mini access review on just that one identity. See where the process breaks. That's your blueprint for scaling.

You don't need to solve this in Q1. But you need to count the problem. Because the next external audit is going to ask, and "we're working on it" only works once.

The Uncomfortable Truth

We spent the last twenty years perfecting human identity governance. Joiners, movers, leavers. Role-based access control. Privileged access management. Certification workflows. We built entire frameworks around the assumption that identities are people.

And then we automated everything.

The machines didn't wait for the governance model to catch up. They never do. They multiplied quietly in the background while we certified spreadsheets that listed employees.

Nobody gets fired the day the bots arrive. The audit just slowly stops describing the system you're actually running.

The good news? You've done this before. You adapted when cloud broke the perimeter. You adapted when SaaS exploded the application portfolio. You'll adapt to this.

But adaptation starts with counting. And right now, most organizations aren't counting.

So pull that access review. Count the rows. And ask the uncomfortable question: If 90% of our identities aren't in the audit population, what are we actually certifying?

That's the number the next auditor is going to want to see.

Get More Insights
Join thousands of professionals getting strategic insights on blockchain and AI.

More Ai Posts

August 14, 2026

The AI Pricing Time Bomb: Your Strategy

You're paying 2% of true AI costs. Learn what happens when OpenAI and Anthropic reprice subscriptions and how to future-...

February 23, 2026

Why Solo AI Builders Are Your Market Canaries

Solo developers using AI are discovering pricing models and tools enterprises will demand in 2-3 years. Watch them to pr...

December 22, 2025

Stop Waiting for AI: Your Competition Already Started

AI disruption isn't coming tomorrow—it's happening now. While most companies debate, competitors are shipping. Here's wh...