JumpCloud Report Finds AI Agent Security Gaps Widening

JumpCloud, the IT management platform company, released its Agentic IAM Pulse Report on Tuesday, drawing on responses from 261 IT, security, and identity decision-makers at organizations with 200-2,500 employees across the United States and the United Kingdom. 

The findings reveal a widening gap between how aggressively companies are deploying AI agents and how little governance infrastructure they have in place to manage them.

AI agents move into business-critical workflows

Nearly three-quarters (72%) of organizations surveyed already have AI agents running in production environments. Of those, 31% have moved AI agents into business-critical workflows, including financial reporting, HR provisioning, and customer-facing systems. 

Only 28% of organizations say they’re still in the testing phase.

The scale of these deployments is growing fast. On average, organizations report 15.8 AI agents actively interacting with internal systems or APIs. Among companies running agents in business-critical environments, the average climbs to 20.3.

Non-human identities are reshaping IAM

One of the more striking shifts is happening in identity management itself. AI agents are rapidly becoming the dominant users inside enterprise systems. 

The report finds that 53% of organizations already have more non-human identities than employees, while 23% report having at least 6 times as many non-human identities as human users.

This marks a fundamental change for identity and access management (IAM), which was originally designed around human users.

Agent access is expanding as oversight declines

The governance picture grows more worrying when you consider what AI agents can actually do within these organizations.

According to the report, 66% of organizations give AI agents equal or greater system access than human users. In business-critical environments, 38% of organizations grant agents “significantly more access” than they grant to their human colleagues.

Despite this high level of access, human oversight is actually declining as the stakes rise. 

While 48% of companies in the testing phase require a “human-in-the-loop” for high-risk actions, that number falls to just 29% once the agents are deployed in critical roles.

Governance gaps limit AI scale

While companies are rushing to deploy AI, the brakes aren’t being installed at the same speed. JumpCloud notes that “access is only part of the governance problem.” 

The report finds that 55% of organizations lack a centralized kill switch to stop an AI agent if something goes wrong. Instead, 33% of IT leaders say their only option is to manually disable agents system by system. 

Visibility is another major blind spot: 59% of organizations admit they lack centralized visibility into what their agents are actually doing.

It also turns out that “control is becoming the main limit on scale” for most businesses. About 92% of organizations say they are hitting limits when trying to scale their AI use, and 26% cite security concerns as the single biggest barrier to doing more with the technology. 

Other barriers include integration complexity (16%), budget constraints (13%), compliance or regulatory risk (13%), and skills gaps (12%).

A tale of two strategies: US vs. UK

The report highlights a clear difference in how the US and UK are handling this AI boom. 

US companies are moving faster but taking more risks, with 16% allowing agents full autonomy for high-risk actions, compared to just 8% in the UK. 

On the flip side, 64% of UK organizations insist on human-in-the-loop approvals, while only 52% of US companies do.

This geographical divide is important for channel partners working internationally to keep in mind when advising customers on best practices moving forward. 

JumpCloud’s data suggests that customers in the UK are prepared for, and likely expecting, a conversation about human-involved workflow strategies. US customers, on the other hand, might not be as willing to hear about risk mitigation.

Channel partners face a growing advisory opportunity

JumpCloud’s report closes with a four-stage governance framework that it says organizations should work through to close the gap: 

• Discover: Build a full inventory of what agents are running and what they can access. 
• Register: Give each agent a formal identity record with a named human owner. 
• Manage: Apply least-privilege access, replace long-lived credentials with time-bound or secretless alternatives, and establish a centralized shutoff capability. 
• Govern: Maintain logs and audit trails, and conduct regular access reviews over time.

The core argument is that companies that get governance in place first will be the ones that can scale AI confidently. Those who don’t will find their most powerful tools have become their biggest liabilities.

For channel partners, the framework is also a helpful reminder of how to advise customers on their AI deployments.

Watch: Learn more about how some channel partners are enabling secure AI adoption in this episode of CI: PPOV featuring Spyglass MTG CEO Lori Albert.