Identity Security Management Day dropped a number that should embarrass every CISO reading this: 92% of organizations fail to rotate non-human identity credentials on a 90-day cycle. Fifty-nine percent rotate fewer than half of their machine credentials quarterly.
These aren't legacy system passwords. These are AI agent credentials — the keys that let autonomous systems access databases, APIs, customer records, and production infrastructure. Seventy-six percent of organizations now have non-human identities generated by AI agents and automations, according to the same survey. The machines have the keys. Nobody's changing the locks.
The timing makes this worse. Okta announced general availability of its AI Agents product. Cisco is spending up to $350 million to acquire Astrix Security for agent discovery. AWS launched an Agent Registry to centralize agent governance. Three major infrastructure plays in one quarter, all building control planes for a world of autonomous agents.
Every one of those platforms assumes someone has already decided which agents should have which credentials, for how long, and under what conditions. The access control layer is arriving. The access design layer is not.
This is the pattern: the industry funds enforcement before it funds the thinking that enforcement depends on. $392 million in agent security funding since RSAC. Identity management going GA. Discovery tools consolidating. All of it enforcing rules that — for 92% of organizations — haven't been written yet.
Credential rotation is not a security operations problem. It is a governance design problem. Who decided this agent needs persistent access to that system? Who reviewed whether the access scope is appropriate? Who documented the conditions under which access should be revoked? Those questions live upstream of every SIEM alert and every identity platform.
The enforcement stack keeps getting taller. The foundation underneath it — the actual decisions about how autonomous systems should behave — is still missing for almost everyone.
The credential crisis isn't that agents have too much access. It's that nobody designed the rules for access in the first place.
Sources: Infosecurity Magazine, 14 April 2026 (Identity Security Management Day NHI survey — 76% NHI growth, 92% rotation failure, 59% rotating fewer than half). Cisco-Astrix: TechStartups, 10 April 2026. Okta: official announcement, April 2026. AWS Agent Registry: Dataconomy, 14 April 2026.
What would your governance audit find? wyrework.ai