Omada: C-suite and practitioners disagree on agent identity controls
Omada IGA survey finds C-level leaders report stronger agent identity controls than their own practitioners, and the gap matters most for non-human identity hygiene.
A new Omada survey of identity governance leaders finds that 48 percent of C-level respondents report assigning unique identities to AI agents, while the broader respondent population disagrees about how consistently that practice is applied. The gap is the story.
The data lands on the same morning that IDC reiterated its prediction that 45 percent of companies will orchestrate AI agents at scale and embed them across business functions by 2030. Adoption is no longer hypothetical, but the controls that should travel with that adoption are still catching up. The new IGA report from Omada, summarized in a Cybersecurity Insiders analysis on the C-suite identity governance gap, puts numbers on a pattern that practitioners have been describing for months: the executive view of agent identity hygiene is rosier than the day-to-day reality.
Non-human identities now outnumber human identities by 50 to 1 or more in most organizations, the report notes, yet ownership of those identities is fragmented across teams. Every autonomous agent is also a credential that can be stolen, replayed, or quietly left behind when the project that created it shuts down. The standard identity governance model was built for the human side of that population. The machine side is mostly new ground.
The identity gap on credential rotation
The strongest single finding in the Omada report is the disconnect between how C-level respondents describe their credential practices and how the broader respondent pool describes the same thing. 48 percent of executives say they are using rotating short-lived credentials and unique identities for AI agents, a much higher figure than the overall response. The same survey also finds 76 percent of participants strongly agree that identity security is a core cybersecurity strategy, a number that suggests the strategic intent is in place. The execution is the part that has not caught up.
That gap matters because the consequences compound quickly. An agent with a static credential can outlive the project that minted it, keep calling APIs long after the team that created it has moved on, and quietly accumulate entitlements it was never supposed to hold. Credential hygiene is the kind of problem that looks fine on a slide and surfaces only when an incident has already happened. The pattern matches the broader agent-security story that Forrester analysts laid out at Identiverse 2026, where the recurring takeaway was that the surface area for AI agents is now structurally different from the surface area for human users.
Why ownership fragmentation keeps getting worse
The second pattern in the report is structural. Identity data for non-human identities is dispersed across platforms, and ownership of those identities is often distributed across multiple teams. In some organizations the security team owns the policy, the platform team owns the runtime, the application team owns the agent itself, and nobody owns the credential that ties the agent to the data it can reach. That is the same model that worked for service accounts a decade ago, scaled up to thousands of agents per application.
The report argues that this fragmentation is the real blocker. Tools alone will not fix it. The point is that identity governance has to become a strategic control surface, with executive-level visibility and consistent ownership, before agentic systems scale beyond safe oversight. Companies that do this will be better positioned to manage the next phase of agent deployment. Companies that treat it as a tooling problem will find it increasingly difficult to explain or trust the access decisions that agents are making.
The control recommendations that emerge are mostly unglamorous. Move identity ownership closer to the agent platform so the team that creates the agent also owns the credential. Treat short-lived credentials as the default and static keys as an exception that requires a written reason. Audit the non-human identity population on a schedule, not after an incident. Build an inventory that the security team can actually read, not a spreadsheet that a single engineer maintains by hand. None of this is novel. The interesting question is why so few organizations have done it.
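The recommendations above can be run as a scheduled check over a non-human identity inventory. This is an added example, not code or data from the Omada report; the record fields, the 24-hour ceiling for "short-lived", and the sample inventory are assumptions constructed for illustration.

```python
from datetime import timedelta

# Assumed policy ceiling for what counts as "short-lived"; not from the report.
MAX_LIFETIME = timedelta(hours=24)

# Constructed sample inventory. Field names are hypothetical.
INVENTORY = [
    {"agent": "invoice-triage", "created_by": "billing-platform",
     "credential_owner": "billing-platform", "credential_type": "short_lived",
     "lifetime": timedelta(hours=1), "exception_reason": None, "project_active": True},
    {"agent": "report-builder", "created_by": "analytics",
     "credential_owner": None, "credential_type": "static",
     "lifetime": None, "exception_reason": None, "project_active": True},
    {"agent": "legacy-sync", "created_by": "integrations",
     "credential_owner": "integrations", "credential_type": "static",
     "lifetime": None, "exception_reason": "vendor API has no token endpoint",
     "project_active": False},
    {"agent": "ticket-router", "created_by": "support-tools",
     "credential_owner": "security", "credential_type": "short_lived",
     "lifetime": timedelta(days=30), "exception_reason": None, "project_active": True},
]


def audit_identity(rec):
    """Return the list of policy findings for one non-human identity record."""
    findings = []
    owner = rec.get("credential_owner")
    if not owner:
        findings.append("credential has no owner")
    elif owner != rec["created_by"]:
        findings.append("credential owner is not the team that created the agent")
    if rec["credential_type"] == "static":
        # Static keys are allowed only as a documented exception.
        if not (rec.get("exception_reason") or "").strip():
            findings.append("static credential without a written exception")
    elif rec["lifetime"] is None or rec["lifetime"] > MAX_LIFETIME:
        findings.append("credential lifetime exceeds short-lived ceiling")
    if not rec["project_active"]:
        findings.append("credential outlives its project")
    return findings


def audit_inventory(inventory):
    """Map agent name -> findings, keeping only identities that need attention."""
    return {rec["agent"]: f for rec in inventory if (f := audit_identity(rec))}


if __name__ == "__main__":
    for agent, findings in audit_inventory(INVENTORY).items():
        print(f"{agent}: {'; '.join(findings)}")
```

The output is a per-agent list of exposures (what each credential could still do and who answers for it) rather than a log of past activity.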
Governance maturity is the new perimeter
The deeper argument in the Omada report is that the perimeter for AI agent security is neither the network boundary nor the model boundary; it is the governance layer. Identity is the operating layer that underpins zero trust, automation, and AI-enabled workflows. Visibility has to shift from activity to exposure, from logs that show what an agent did to inventories that show what an agent could do.
That framing is consistent with how the rest of the agent-security story has been developing in 2026. The Beyond Identity Ceros launch and the AppViewX Agent Identity Security product both treat non-human identity as a first-class control surface. Cisco's intent to acquire WideField Security, announced the same week, is a signal that the major platforms are also starting to take this seriously. The Omada report is the demand-side data point that explains why the supply side is moving.
The risk if governance does not catch up is straightforward. Autonomous agents create and change access without human direction. Small gaps in control persist and widen unseen. By the time the gap is visible, the blast radius is already wider than the response team can reach. The identity mirage is what that looks like from the executive floor. The C-suite sees a control surface that is mostly working. The practitioners see the gaps that are not on the slide. The Omada survey is the first time that gap has been measured at scale, and the number is not small.
For organizations that want to close the gap, the Enterprise AI Governance Checklist for 2026 is the practical starting point. Treat identity as an ongoing, machine-driven operating layer. Move beyond fragmented tooling toward operational coherence. Govern at the speed of automation, or accept that the agents will outpace the controls. The choice is no longer about whether identity matters. It is about whether governance can match the speed at which the agents already operate.
The Omada report frames this as the choice between treating identity as a slide on a quarterly review or as the operating layer that the next phase of automation will run on. For the C-suite, the cost of getting it wrong is the kind of incident that does not show up in the survey data, because the survey was taken before the incident happened. For the practitioners, the cost is being the one who has to explain it.