As organizations rush to deploy agentic AI, their identity systems built for humans are struggling to govern a rising tide of machine identities, and most still can’t define what it would take to keep the business running after an attack.
The identity crisis nobody saw coming
When companies began rolling out AI agents at scale, they expected productivity gains. What they didn’t expect was a governance nightmare.
According to a new Commvault-sponsored survey from International Data Corporation (IDC), 90% of IT and resilience decision-makers say their organizations need to improve identity management capabilities to address risks posed by agentic AI systems.
The problem? Non-human identities — AI agents with always-on access that can multiply on demand — are rapidly outnumbering human users, and the systems designed to manage people aren’t equipped to handle them.
IDC’s survey of 539 North American organizations found that more than half of respondents (58.7%) say significant improvements or a complete overhaul of their identity-management approach is required. Meanwhile, only 26.7% have implemented dynamic role-based identity access controls designed to support AI and analytics.
“AI is fundamentally changing how organizations operate, make decisions, and manage risk,” said Vidya Shankaran, field CTO at Commvault.
“But many organizations are discovering that the systems designed to govern people are not prepared to govern a growing population of AI agents, machine identities, and autonomous workflows. Identity is a critical Tier 0 application and has a pivotal role to play in an organization’s confidence in a clean recovery,” Shankaran added.
Recovery readiness remains uneven
Beyond identity management, the survey found that many organizations have yet to define the minimum set of business operations they must restore first after a cyberattack.
According to IDC, 57.7% of organizations have not fully defined their minimum viable business (MVB), which the survey described as the essential systems, processes, and functions required to continue serving customers during a disruption. The survey also pointed to gaps in recovery orchestration, cleanroom deployments, and broader cyber resilience capabilities.
IDC also found that only 26% of organizations have a unified backup platform with centralized policy management, while just 35.4% have automated identification of clean recovery points. In addition, nearly 60% reported having limited or no cleanroom implementation, and only 22.6% have deployed context-based malware scanning to validate recovery data before restoring it to production.
IDC sees resilience operations becoming a mainstream discipline
To address these issues, IDC recommends adopting resilience operations (ResOps), a cross-functional operating model combining business continuity, cybersecurity, infrastructure, data protection, and disaster recovery into a common recovery strategy.
The firm expects ResOps to gain broader adoption in the next several years as organizations prepare for increasingly complex AI-driven threats.
“IDC predicts that ResOps will mature from an emerging discipline into a mainstream enterprise capability over the next three to five years,” said Frank Dickson, group vice president for IDC’s security and trust research practice.
“Organizations that build the governance structures, technical capabilities, and testing disciplines now, before the next major incident, will be better positioned to absorb disruption, protect their customers, and sustain competitive operations in an increasingly hostile threat environment.”
Cyber readiness assessment launched
Alongside the survey, Commvault announced the IDC Cyber Readiness Assessment, an interactive tool based on the same maturity framework used in the survey. The assessment is designed to help organizations measure their preparedness across identity, protection, detection, response, and recovery, and determine areas for improvement.





