Agentic AI is Exposing the Accountability Gap in Cloud Security Governance

97 percent of cloud identities are non-human. But the governance model still assumes otherwise.

Attackers and state-sponsored groups have used automated tools against cloud infrastructure for years. But advances in AI have changed the speed of that threat structurally.

VulnCheck data cited in Sysdig's 2026 Cloud Native Security and Usage Report shows that in 2018, attackers took nearly a year to weaponize disclosed vulnerabilities. By 2023 it was eight days. At the end of 2025, React2Shell was being actively exploited only hours after public disclosure. The offensive timeline has effectively collapsed to real time, and any security process that involves human review now introduces exploitable delay. But the governance exposure falls on the defensive side of the equation. Organizations are deploying autonomous security agents across their cloud environments with governance models designed for a different population entirely, one that barely exists in those environments anymore.

Sysdig's report captures the scale of that shift with a single data point. Human users now account for just 2.8 percent of managed identities in cloud environments. Service accounts, workload identities, and agentic systems that create and consume identities on their own make up the rest. Emanuela Zaccone, AI and Cybersecurity Product Strategist at Sysdig, argues that the number marks a design failure rather than a technology milestone. "When more than 97% of the identities in your environment are non-human, the assumption that a human will be in the path of every meaningful decision stops being realistic. The volume, speed, and lifespan of these identities do not match what a human-centered governance model can absorb. Service accounts spin up, act, and disappear in seconds." The consequence is structural: governance has to shift from approval-based to evidence-based, from asking whether a human authorized an action to asking whether a human governed it. And that distinction requires continuous, runtime-grounded evidence of what every identity is actually doing.

Agents Come With No Owner Attached

Identity management has hit the same human-scale limit as vulnerability management, according to the Sysdig report. Mapping who can access what across environments and services is no longer sustainable with periodic review and static policy audits. And agents are compounding a problem that already existed.

The first element of the governance model to fail when agents enter the picture is identity ownership. Alexis Moyse, CEO and Co-Founder at Clarity Security, describes the breakdown in precise terms. "Every governance model I've seen is built on one foundational assumption: every identity has an owner. Someone who provisioned it, someone accountable for what it does, someone who notices when it starts behaving in ways it shouldn't. That assumption holds reasonably well for human identities, but the moment agents enter the picture, it falls apart." Agents get deployed fast, by development teams, by third-party platforms, by business units that connected a tool before the security function was aware. There is no provisioning process, no joiner workflow, no scheduled access review, and no offboarding trigger when the project they were built for gets deprecated or the vendor relationship ends.

Moyse traces a direct line to the orphaned service account problem that predates agentic AI entirely. But where an orphaned service account accumulates permissions and sits dormant, an agent with no named owner accumulates the same permissions and then acts on them continuously, making decisions and touching data in ways that produce serious consequences before anyone notices the accountability trail leads nowhere.

The fix is not a new tool. It is applying the identity governance disciplines that already exist for human principals to non-human ones with equal rigor. Every agent identity should go through a provisioning process that assigns a named owner before deployment. Access reviews for non-human identities should run on the same cadence as those for human accounts. And a decommission workflow should trigger automatically when the business purpose the agent was built to serve reaches its end. Organizations that treat agent identities as a separate class exempt from governance procedures will find the ownership gap compounding with every new deployment.

Nobody Is Clearly Accountable When Agents Get It Wrong

When an autonomous agent acts on a detection and gets it wrong, the question of who answers for it has no clean answer under current regulatory frameworks. Kayne McGladrey, senior IEEE member and independent cybersecurity advisor, describes what accountability looks like in practice today. "If and when an agent takes the wrong action, responsibility ends up distributed across the vendor, the security team that deployed it, and the owner of the impacted system, but liability is not clearly assigned. Frameworks like the NIST AI RMF and the EU AI Act focus on governance and oversight processes, not incident-level attribution."

McGladrey references OCC guidance published in April 2026, which excluded generative and agentic AI from its revised model risk framework but directed banks to apply broader governance practices to those tools regardless. He reads that framing as an early sign of where regulatory pressure is moving. But that regulatory direction has not resolved into a clear attribution model, which means most organizations maintain a human in the approval path for consequential actions despite the fact that doing so erodes the speed advantage that justified deploying the agent in the first place.

Stanislav Kazanov, Head of GRC, Cybersecurity and Sustainability at Innowise, frames the regulatory exposure more sharply through the lens of NIS2 and DORA. Regulators enforcing those directives will reject the argument that the AI made a mistake as justification for a significant service outage or data incident. "The manufacturers of security products promote them as having no liability since they will operate as autonomous team members under the terms and conditions of use. You will be accountable for anything done by the machine regardless of the fact that it operates at an auditing speed other than your own and therefore you have no way to validate."

Kazanov advocates for containment architectures that segment machine activity into micro-isolated zones where the agent's actions can be stopped before they produce irreversible consequences. The specific examples include purging a routing table, dropping a database, and revoking an identity token, all actions an over-permissioned agent can reach. Organizations need hard technical controls that prevent those actions from executing until a human has had the opportunity to review them.

Zaccone's accountability framework at Sysdig offers a workable model for structuring that chain before an incident forces the question. The agent is accountable for transparency, meaning every action it takes or proposes is logged with full context including the data it reasoned over and the skill it invoked. The human approver is accountable for consequential decisions, meaning the agent does not change state in the environment without explicit approval, so there is always a named party behind any material action. And the vendor carries accountability for the quality of the detection logic that grounds those decisions. "What this model rules out is the comfortable fiction that the AI did it. The AI did not. Someone deployed the skill, someone approved the action, and someone built the detection." The accountability model that holds under enterprise scrutiny is the one where each of those actors is identifiable and the evidence is preserved in a form that can be reconstructed after the fact.

Least Privilege Breaks at Inference Time

The technical failure beneath the governance and accountability gaps is a structural problem in how permissions are built for autonomous systems. Ivan Milenkovic, VP Risk Technology EMEA at Qualys, describes the breakdown at the identity layer with precision. "Most governance models were built for predictable principals: humans, or tightly scoped service accounts. Agents don't behave that way. They decide which APIs to call dynamically, chain actions across systems, and operate with credentials that look like service accounts but behave more like humans with broad latitude. Least privilege breaks down when permissions are effectively decided at inference time rather than predefined in policy."

The Sysdig report puts numbers on how broken the baseline already is. On average, 67 percent of user identities across all CSPs carry at least one risk classification. Among machine identities, 45.1 percent of AWS roles, 48.2 percent of GCP service accounts, and 38.4 percent of Azure machine identities meet the risk threshold. That is the environment agents inherit when they are deployed. They then operate inside it at machine speed, with the same overpermissioned footprint that was already there before they arrived. And if an attacker succeeds in compromising the agent's context window or poisoning its telemetry source, the agent's legitimate access becomes their operational capability, used against the organization with full authorization. Milenkovic's recommended architecture draws a hard boundary between the cognitive layer and the control plane. Agents recommend at machine speed. Policy engines remain the system of record for what is actually permitted. And every action carries a provenance trail that can be audited after the fact.

Kazanov (of Innowise) extends that scoping argument to a concrete operational model. An agent needing to apply a patch to a specific container should receive a token granting access to that container alone for sixty seconds and nothing beyond. That level of granularity is demanding to design and maintain, but it is the only model that constrains the blast radius of a wrong action to something an organization can recover from without a regulatory conversation. The alternative, issuing broad standing permissions and trusting the agent to self-limit, is the architecture that produces the major incidents before governance frameworks are ready to absorb them.

Speed at Detection, Hard Gates at the Blast Radius

The governance architecture that works for agentic security operating at machine speed does not try to slow it down everywhere. It draws a principled boundary around which decisions agents can make autonomously and which ones require a human gate. The Sysdig report also shows exactly where organizations currently stand on that boundary, with 75 percent having automated response actions configured for their detection policies but only 27 percent with those responses actively implemented. Most organizations are sitting at the threshold, with the capability switched on but not trusted enough to fire. That gap is not a technology problem. It is a governance problem, and it will not close until organizations have a principled model for which actions agents can take autonomously and which ones need a human in the chain.

Raphael Peyret, who led product at Horangi Cyber Security through its acquisition by Bitdefender and now advises security leaders through SHA/RP, locates the correct boundary with precision. "The defensive architecture that works doesn't try to match attacker autonomy everywhere. It draws a hard line around the operations where getting it wrong is too expensive: credential revocation, network segmentation, bulk quarantine, anything irreversible at infrastructure level. Triage, enrichment, alert prioritization can run at machine speed. High-stakes irreversible operations need a human, because the blast radius of a confident wrong call is too large to accept probabilistically." The governance problem worth solving is not whether the agent can move fast enough. It is what happens when it moves fast and gets it wrong, and whether the organization designed the architecture to absorb that outcome before it became a crisis.

Pavan Madduri, Senior Cloud Platform Engineer at W.W. Grainger and CNCF Golden Kubestronaut, applies the same principle at the infrastructure layer through Policy-as-Code. His team learned through evaluating autonomous remediation tooling that the agent with the broadest permissions responds fastest but also causes the most damage when it misclassifies.

The solution was to build the governance model into the infrastructure itself, not into a document. "We enforce this with Policy-as-Code at the admission layer, so the agent's available responses are constrained by the infrastructure itself, not by a governance doc that someone wrote once and nobody checks. The agent can isolate a namespace, rotate credentials, open a ticket. It cannot touch cross-environment infrastructure without a human approval token in the chain. Speed lives in detection. Human judgment lives at the blast radius boundary." Policy-as-Code makes the governance model structural and enforced by the system. A governance document depends on the agent respecting it. Infrastructure constraints do not give the agent the option.
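To make that boundary concrete, here is an added example in Python, not code from Sysdig, Innowise, Grainger or any other organization named in this piece, of a small admission-layer policy that combines Kazanov's sixty-second single-resource token with Madduri's rule that cross-environment or irreversible actions need a human approval in the chain. The action classes, the approval record shape and the resource names are constructed assumptions; every decision, allowed or not, lands in a provenance log.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed action classes following the article: responses the agent may take on
# its own, versus irreversible or cross-environment operations that need a human gate.
AUTONOMOUS = {"isolate_namespace", "rotate_credentials", "open_ticket", "patch_container"}
GATED = {"revoke_identity_token", "drop_database", "purge_routing_table"}
AUDIT_LOG: list = []  # provenance trail: one entry per admission decision

@dataclass
class ScopedToken:
    """Credential good for one action on one resource, expiring after ttl seconds."""
    agent: str
    action: str
    resource: str
    issued_at: float
    ttl: int = 60

    def covers(self, action: str, resource: str, now: float) -> bool:
        return (action, resource) == (self.action, self.resource) and now < self.issued_at + self.ttl

def issue_token(agent: str, action: str, resource: str, now: float, ttl: int = 60) -> ScopedToken:
    return ScopedToken(agent, action, resource, now, ttl)

def admit(agent: str, action: str, resource: str, env: str, *, agent_env: str,
          token: Optional[ScopedToken] = None, approval: Optional[dict] = None,
          now: Optional[float] = None) -> tuple:
    """Admission decision: returns (allowed, reason) and records provenance. `approval` is a
    hypothetical human approval record {"approver", "action", "resource"} bound to one action."""
    now = time.time() if now is None else now
    if action in GATED or env != agent_env:
        # Irreversible or cross-environment: only a matching human approval admits it.
        ok = bool(approval) and (approval["action"], approval["resource"]) == (action, resource)
        reason = "human-approved" if ok else "human approval required"
    elif action in AUTONOMOUS:
        # Autonomous path: still needs a live token scoped to exactly this action and resource.
        ok = token is not None and token.agent == agent and token.covers(action, resource, now)
        reason = "scoped token valid" if ok else "no valid scoped token for this action and resource"
    else:
        ok, reason = False, "action not in policy"
    AUDIT_LOG.append({"ts": now, "agent": agent, "action": action, "resource": resource, "env": env,
                      "allowed": ok, "reason": reason,
                      "approver": approval["approver"] if ok and approval else None})
    return ok, reason
```

A token issued for one container does not admit a patch to a neighbouring one, and a valid token never admits a gated action, which is what keeps a confident wrong call inside a recoverable blast radius.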

Enforcement Belongs at the Data Layer

Ganesh Kirti, Founder and CTO at TrustLogix, argues that the industry has concentrated attention on the wrong layer entirely. Authentication establishes who the agent is. It says nothing about whether what the agent is doing at this moment, against this data, under this context, falls within the authorized scope of its purpose. "Agents operate with broad, persistent entitlements that were designed for batch pipelines and service accounts, not for autonomous systems making thousands of access decisions per minute. When an agent with read access to your enterprise data lake starts querying tables it has never touched, in a pattern that does not match any prior job, your identity layer has no visibility into that. Your IAM solution issued the credential. Your IAM solution has nothing further to say." Moving enforcement to the data layer means evaluating every request in context against a policy that understands purpose, not just identity.

Security teams that implement this shift bring the governance model into real-time alignment with the actual behavior of autonomous systems rather than the theoretical behavior that was assumed at provisioning time. That is the difference between governance that follows an agent's actions and governance that constrains them.
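As an added illustration of data-layer enforcement (an example written here, not TrustLogix code), the Python guard below evaluates each read after IAM has already accepted the credential: the purpose-to-table policy, the table names and the novel-table limit are constructed assumptions. It denies reads outside the declared purpose, lets a first touch of an in-purpose table through while raising an alert and updating the baseline, and denies a burst of never-before-seen tables that matches no prior job, recording the reason for every decision.

```python
from collections import defaultdict, deque

# Constructed purpose policy: the tables each declared job purpose is allowed to read.
# Purpose and table names are illustrative, not from any real deployment.
PURPOSE_POLICY = {
    "nightly_sales_rollup": {"sales.orders", "sales.returns", "sales.products"},
    "auth_anomaly_triage": {"logs.auth_events", "logs.api_calls"},
}

class DataLayerGuard:
    """Checks each read against purpose (what the job is for) and the agent's own
    prior behaviour, after IAM has already said the credential is valid."""

    def __init__(self, policy, novel_limit=2, window=60.0):
        self.policy = policy
        self.seen = defaultdict(set)            # agent -> tables it has touched before
        self.novel_hits = defaultdict(deque)    # agent -> timestamps of first-touch reads
        self.novel_limit, self.window = novel_limit, window
        self.events = []                        # per-request provenance

    def evaluate(self, agent, purpose, table, now):
        """Return 'allow', 'allow-alert' (first touch, baseline updated) or 'deny'."""
        if table not in self.policy.get(purpose, set()):
            decision, why = "deny", f"{table} is outside purpose {purpose}"
        elif table in self.seen[agent]:
            decision, why = "allow", "within purpose and prior behaviour"
        else:
            hits = self.novel_hits[agent]
            while hits and now - hits[0] > self.window:   # drop first-touches outside the window
                hits.popleft()
            if len(hits) >= self.novel_limit:
                decision, why = "deny", "too many never-before-seen tables in window"
            else:
                hits.append(now)
                self.seen[agent].add(table)
                decision, why = "allow-alert", "first access to this table; baseline updated"
        self.events.append({"ts": now, "agent": agent, "purpose": purpose, "table": table,
                            "decision": decision, "reason": why})
        return decision
```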

The Governance Gap Has Consequences Beyond Enterprise Risk

The governance gap in agentic cloud security is not purely an enterprise risk management problem. Offensive state actors and capable threat groups already run autonomous agents to scan, enumerate, and exploit cloud infrastructure at a scale and speed that human-operated defensive architectures were not built to match. The exposure those actors are finding in cloud environments is not primarily a capability gap on the defensive side. It is a governance gap, sitting in the accountability structures, identity ownership practices, and permission architectures that organizations have not updated to account for a principal population that is now 97 percent non-human.

Organizations that resolve the ownership, accountability, and authorization gaps now will be far better positioned when the first major agentic cloud incident forces the question into public view. As Peyret observes, the dangerous failure mode is not an AI going rogue. It is an AI acting correctly on inputs that were already broken before it arrived, operating inside an environment where least privilege is a policy document rather than a description of reality, watched by a team with no way to reconstruct what happened or who is responsible after the fact. The governance architecture matters as much as the model capability. And for organizations operating in regulated sectors or critical infrastructure, that is not an internal design preference. It is the difference between demonstrating that autonomous systems operate under meaningful human oversight and discovering, after the fact, that the accountability trail the regulator is looking for leads nowhere.


Note: This analysis was not commissioned or sponsored by Sysdig or any company. We referenced the 2026 Cloud Native Security and Usage Report as a primary source, as we would for any credible industry research.

Shant Ebenezer Jena

Shant E. Jena is a technical writer who contributes to a wide range of industry publications. His work spans software engineering and cyber politics.
