Ninety-one percent of organizations now run AI agents in production. Twenty-three percent have a formal enterprise-wide ownership strategy for those agents [ConductorOne 2026 Future of Identity Report]. Ninety-five percent run agents that autonomously perform IT or security tasks. Eighteen percent of security leaders express high confidence that their existing identity systems can handle agent identities [ConductorOne 2026 Future of Identity Report]. The gap between deployment and governance is the largest unmanaged risk in the 2026 enterprise security stack, and the gap is structural: nobody owns it.
The conversation a chief information security officer cannot have at the board level today is the one that names who is accountable when an AI agent does something it should not have been able to do. The identity and access management team says AI agents are governance. The AI governance team says AI agents are identity. The agents continue to provision themselves into systems both teams thought the other was monitoring. When the incident happens, the after-action review produces a finding that nobody had clear ownership.
This article gives you a complete RACI (responsible, accountable, consulted, informed) for the seven AI-agent identity functions, plus the four cross-team escalation paths for the scenarios where ownership is genuinely shared.
Bottom Line Up Front. Ninety-one percent of organizations run AI agents. Twenty-three percent have an enterprise-wide ownership strategy [ConductorOne 2026 Future of Identity Report]. The gap between those two numbers is where agent provisioning falls between the IAM team and the AI governance team, and it is also where most agent incidents start. This article gives you the complete RACI for the seven AI-agent identity functions: provisioning, ownership, access reviews, behavioral monitoring, kill switches, deprovisioning, and audit. It also gives you the four cross-team escalation paths for the scenarios where ownership is genuinely shared. It is written for the CISO who has to brief the board next month on who is accountable when an agent does something it should not have been able to do.
Why the Gap Exists
AI agents are a new identity class. They are not human users, and the controls designed for human identities (password policies, single sign-on, multi-factor authentication, joiner-mover-leaver workflows) do not map cleanly to them. They are not service accounts in the traditional sense, and the controls designed for service accounts (rotation policies, vault management, scoped credentials) only partially map. They are also not bots in the older robotic process automation sense, where a tool ran a defined script.
Agents act on goals rather than scripts. They acquire credentials dynamically. They invoke tools, integrate with other agents, and take actions whose specifics are not predictable from the goal. Their identity must be governed in real time because their actions are taken in real time. The traditional identity framework’s batch cadence (quarterly access reviews, monthly entitlement reports, annual recertification) cannot keep pace.
The IAM team is built around human identity at scale and service-account identity in static configurations. The team has the tooling, the directory infrastructure, and the governance processes for those identity classes. The AI governance team is built around model risk, evaluation, and policy compliance. The team has the tooling, the testing infrastructure, and the policy framework for AI behavior.
Neither team was designed to govern an autonomous identity that operates with delegated authority and dynamic behavior. The honest answer is that the function falls between them, and an enterprise-wide RACI is the only way to close the gap. Ad hoc handoffs do not scale to the volume of agents organizations are now deploying.
The Seven Functions
Agent identity governance has seven distinct functions. Each function maps to a different team, sometimes to multiple teams, sometimes with primary and secondary accountability. The RACI table below is the default; specific organizations adjust based on their structure, but the structural assignments are stable across most enterprise contexts.
| Function | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Provisioning | IAM Team | CISO | AI Governance, Application Owner | Compliance, Audit |
| Ownership Designation | Application Owner | AI Governance | IAM, Risk | CISO, Compliance |
| Access Reviews | IAM Team | CISO | Application Owner, AI Governance | Audit |
| Behavioral Monitoring | AI Governance | AI Governance | SOC, IAM | CISO, Risk |
| Kill Switches | SOC + IAM | CISO | AI Governance, Application Owner | Legal, Communications |
| Deprovisioning | IAM Team | Application Owner | AI Governance | Audit |
| Audit | Internal Audit | CISO | IAM, AI Governance, Application Owner | Board Risk Committee |
Provisioning
Provisioning creates the agent identity, issues credentials, and registers the agent in the identity directory. The IAM team is responsible because the team owns the directory infrastructure and the credential lifecycle. The CISO is accountable because the function carries security risk if mishandled. AI governance is consulted on policy alignment; the application owner is consulted on the operational requirements. Compliance and audit are informed for traceability.
The common failure pattern is provisioning without consultation. The application team stands up an agent, generates an API key, and uses it to authenticate. The IAM team has no record of the agent. The directory has no record. Access reviews cannot find the agent. The agent operates outside the governance perimeter. The fix is policy backed by a detective control: no agent runs without an identity-team-issued credential and a directory entry, and the credentials and grants observed in source systems are reconciled against the directory, so an agent provisioned outside the process is found rather than assumed absent.
Ownership Designation
Every agent must have a named human owner. The owner is the person accountable for the agent’s behavior, the agent’s continued operation, and the agent’s eventual retirement. Application owners are responsible for designating ownership; AI governance is accountable for ensuring every agent has an owner. IAM and risk are consulted on the designation process. The CISO and compliance are informed.
The common failure pattern is orphan agents. An employee who built or deployed an agent leaves the company. The agent continues to run. No one is named as the new owner. The agent operates without a human accountable for its behavior. The fix is automatic re-assignment on departure: when an owner’s employment ends, the agent’s owner reverts to a default (the application owner, the security operations center, or a designated AI governance lead) until an active human is named.
Access Reviews
Access reviews verify that the agent’s entitlements remain appropriate. The IAM team is responsible because the team runs the review platform; the CISO is accountable. The application owner and AI governance are consulted on whether the entitlements remain appropriate to the use case. Audit is informed.
The common failure pattern is treating agent reviews like human reviews. Quarterly cadence is too slow for autonomous agents whose tooling and scope evolve continuously. The fix is event-driven review: an entitlement change to an agent triggers a review within seven days; a quarterly cadence covers entitlement-stable agents only.
Behavioral Monitoring
Behavioral monitoring observes what the agent does over time and flags deviations from expected behavior. AI governance is responsible and accountable because the function requires AI-specific telemetry, which the IAM team’s tooling does not produce. The security operations center and IAM are consulted; the CISO and risk are informed.
The common failure pattern is using IAM logs as a substitute for behavioral monitoring. IAM logs show authentication events, not agent decisions. An agent that authenticates correctly and then takes an unexpected action produces no IAM signal but produces a behavioral anomaly. The fix is purpose-built agent behavioral monitoring that captures action patterns, tool invocations, and decision boundaries.
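The contrast above, as an added example that is not code from the original article: a constructed IAM authentication log in which every event succeeds, beside a constructed agent action log for the same agent, run against the decision boundary recorded for it at provisioning. The log formats, field names, the agent name and the `AGENT_SCOPE` registry are assumptions; the point is that `auth_anomalies` has nothing to report while `behavioral_anomalies` flags the out-of-scope tool call and target, plus a burst check that catches a goal loop that has run away.

```python
"""Behavioral monitoring for an AI agent: anomalies that IAM logs cannot show.

Added example, not code from the original article. The log formats, the field
names and the per-agent scope registry are constructed assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed IAM (authentication) log. Every event succeeds, so a monitor that
# only reads this log sees nothing wrong.
AUTH_LOG = [
    "2026-03-04T09:00:01Z agent=invoice-bot principal=svc-invoice-bot result=SUCCESS",
    "2026-03-04T09:05:10Z agent=invoice-bot principal=svc-invoice-bot result=SUCCESS",
    "2026-03-04T09:07:32Z agent=invoice-bot principal=svc-invoice-bot result=SUCCESS",
]

# Constructed agent action log: one line per tool invocation. This is the
# telemetry the article says purpose-built monitoring has to capture.
ACTION_LOG = [
    "2026-03-04T09:00:02Z agent=invoice-bot tool=erp.read_invoice target=erp/invoices/1042",
    "2026-03-04T09:00:04Z agent=invoice-bot tool=erp.read_invoice target=erp/invoices/1043",
    "2026-03-04T09:05:11Z agent=invoice-bot tool=erp.approve_payment target=erp/payments/88",
    "2026-03-04T09:07:33Z agent=invoice-bot tool=hr.export_records target=hr/employees/all",
    "2026-03-04T09:07:34Z agent=invoice-bot tool=erp.read_invoice target=erp/invoices/1044",
]

# Decision boundaries recorded at provisioning (assumption: the directory entry
# carries the approved tools, approved target prefixes and a rate ceiling).
AGENT_SCOPE = {
    "invoice-bot": {
        "tools": {"erp.read_invoice", "erp.approve_payment"},
        "targets": ("erp/invoices/", "erp/payments/"),
        "max_actions_per_minute": 10,
    },
}


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict; ts becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def auth_anomalies(auth_lines):
    """The only thing an IAM log can surface: failed or anomalous authentications."""
    return [rec for rec in map(parse_line, auth_lines) if rec["result"] != "SUCCESS"]


def behavioral_anomalies(action_lines, scope_registry=AGENT_SCOPE):
    """Flag actions outside the agent's registered decision boundary.

    Returns (timestamp, agent, kind, detail) tuples. Kinds: unregistered-agent,
    tool-outside-scope, target-outside-scope, burst (more actions in one minute
    than the ceiling, a sign of a goal loop that has run away).
    """
    findings = []
    per_minute = Counter()
    for rec in map(parse_line, action_lines):
        agent = rec["agent"]
        scope = scope_registry.get(agent)
        if scope is None:
            findings.append((rec["ts"], agent, "unregistered-agent", rec["tool"]))
            continue
        if rec["tool"] not in scope["tools"]:
            findings.append((rec["ts"], agent, "tool-outside-scope", rec["tool"]))
        if not rec["target"].startswith(scope["targets"]):
            findings.append((rec["ts"], agent, "target-outside-scope", rec["target"]))
        bucket = (agent, rec["ts"].replace(second=0))
        per_minute[bucket] += 1
        if per_minute[bucket] == scope["max_actions_per_minute"] + 1:
            findings.append((rec["ts"], agent, "burst", f"{per_minute[bucket]} actions/min"))
    return findings


if __name__ == "__main__":
    print("IAM log anomalies:", auth_anomalies(AUTH_LOG))  # []
    for finding in behavioral_anomalies(ACTION_LOG):
        print("behavioral:", *finding)
```

Run stand-alone it prints an empty list for the IAM log and two findings for the same `hr.export_records` action: the tool is not in the approved set and the target is outside the approved prefixes. In a real deployment the scope registry comes from the directory entry written at provisioning, and the burst ceiling is tuned per agent from its observed baseline rather than hard-coded.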
Kill Switches
Kill switches are the operational ability to disable an agent immediately. Both the security operations center and the IAM team are responsible because the kill switch runs through more than one channel: the SOC initiates, IAM revokes credentials, and the application owner removes runtime access. The CISO is accountable. AI governance and the application owner are consulted on when to invoke. Legal and communications are informed in case the kill produces business impact.
The common failure pattern is the absent kill switch. An agent is deployed without a documented mechanism to disable it. When the agent misbehaves, the response involves changing API keys at the source system, removing service-principal grants one by one, and waiting for the agent to fail. The fix is a documented kill switch for every agent, tested at deployment time and re-tested whenever the agent's credential path changes, so that its first invocation is not during an incident.
Deprovisioning
Deprovisioning retires the agent identity, revokes credentials, removes directory entries, and terminates active sessions. The IAM team is responsible because the team owns the lifecycle. The application owner is accountable because the application team initiates the request. AI governance is consulted on whether the retirement is complete. Audit is informed.
The common failure pattern is partial deprovisioning. Credentials are revoked but the directory entry remains. The directory entry is removed but a service-principal grant remains in a downstream system. The fix is a deprovisioning checklist that explicitly enumerates every system the agent had access to and confirms removal in each.
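The three failure patterns described above (the agent provisioned outside IAM, the orphaned agent whose owner has left, and the retired agent whose access survives in a downstream system) are all found by the same reconciliation. The following is an added example, not tooling from the original article: it joins a constructed directory of record against constructed credential, grant and HR listings and reports each gap class, then applies the automatic re-assignment to a default owner. The four data sources, their field names, the agent names and the `DEFAULT_OWNER` value are assumptions standing in for the IGA platform, the vault, each downstream system's grant listing and the HR system.

```python
"""Reconcile the agent directory against credentials, downstream grants and HR.

Added example, not tooling from the original article. The four data sources are
constructed inline and their field names are assumptions; in practice they come
from the IGA platform, the secrets vault, each downstream system's grant
listing, and the HR system.
"""

# Directory of record for IAM-issued agent identities (constructed).
DIRECTORY = {
    "invoice-bot": {"owner": "alice", "status": "active"},
    "triage-bot": {"owner": "bob", "status": "active"},
    "legacy-sync": {"owner": "carol", "status": "retired"},
}

# Employees HR currently lists as active (constructed).
HR_ACTIVE = {"alice", "dave"}

# Credentials found in the vault and in source systems, keyed by agent name
# (constructed). Two of them should not exist.
CREDENTIALS = {
    "invoice-bot": ["vault:svc-invoice-bot"],
    "triage-bot": ["vault:svc-triage-bot"],
    "legacy-sync": ["vault:svc-legacy-sync"],  # retired in the directory, still issued
    "shadow-bot": ["erp:api-key-7f3"],  # never provisioned through IAM
}

# Grants observed in downstream systems as (system, principal, role) (constructed).
GRANTS = [
    ("erp", "invoice-bot", "invoices.read"),
    ("erp", "shadow-bot", "invoices.write"),
    ("ticketing", "triage-bot", "tickets.read"),
    ("crm", "legacy-sync", "contacts.write"),
]

# Holding owner an orphaned agent reverts to until a human is named (assumption).
DEFAULT_OWNER = "ai-governance-lead"


def _access_footprint(agent, credentials, grants):
    """Every credential and downstream grant currently attached to an agent."""
    return list(credentials.get(agent, [])) + [
        f"{system}:{role}" for system, principal, role in grants if principal == agent
    ]


def reconcile(directory=DIRECTORY, hr_active=HR_ACTIVE, credentials=CREDENTIALS, grants=GRANTS):
    """Return the three gap classes: unregistered, orphaned, partial_deprovisioning."""
    findings = {"unregistered": [], "orphaned": [], "partial_deprovisioning": []}
    active = {a for a, e in directory.items() if e["status"] == "active"}
    retired = set(directory) - active

    # Provisioning gap: something authenticates or holds a grant, but IAM has no record.
    observed = set(credentials) | {principal for _, principal, _ in grants}
    for agent in sorted(observed - set(directory)):
        findings["unregistered"].append((agent, _access_footprint(agent, credentials, grants)))

    # Ownership gap: an active agent whose named owner is no longer an active employee.
    for agent in sorted(active):
        owner = directory[agent]["owner"]
        if owner not in hr_active:
            findings["orphaned"].append((agent, owner))

    # Deprovisioning gap: retired in the directory, but access survives somewhere.
    for agent in sorted(retired):
        residual = _access_footprint(agent, credentials, grants)
        if residual:
            findings["partial_deprovisioning"].append((agent, residual))
    return findings


def reassign_orphans(directory=DIRECTORY, hr_active=HR_ACTIVE, default_owner=DEFAULT_OWNER):
    """Automatic re-assignment on departure: the orphan reverts to the default owner.

    Returns a new directory and leaves the original untouched. The flag records
    that the default is a holding state, not a named human.
    """
    updated = {}
    for agent, entry in directory.items():
        if entry["status"] == "active" and entry["owner"] not in hr_active:
            updated[agent] = {**entry, "owner": default_owner, "owner_is_default": True}
        else:
            updated[agent] = dict(entry)
    return updated


if __name__ == "__main__":
    for kind, items in reconcile().items():
        for item in items:
            print(f"{kind:24s} {item}")
    print(reassign_orphans()["triage-bot"])
```

The deprovisioning checklist the text calls for is the `_access_footprint` of the agent at retirement time: deprovisioning is complete only when that list is empty across every source, which is what the `partial_deprovisioning` check verifies after the fact. The same footprint is the evidence attached to an unregistered agent, so the provisioning gap and the deprovisioning gap are two readings of one join.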
Audit
Audit verifies that the other six functions are operating effectively. Internal audit is responsible; the CISO is accountable for remediation of findings. IAM, AI governance, and application owners are consulted on findings and remediation. The board risk committee is informed of significant findings.
The common failure pattern is audit without specific agent-identity scope. The audit covers identity broadly and treats agents as a footnote. The fix is an annual agent-identity audit with explicit scope and a separate report.
The Four Cross-Team Escalation Paths
Four scenarios produce genuine ownership ambiguity that the RACI alone does not resolve. Each requires a documented escalation path between the IAM and AI governance teams.
Scenario one is the agent that requests new entitlements during operation. The agent encounters a goal it cannot achieve with current entitlements and requests additional access. The IAM team can grant the access; the AI governance team has the policy view on whether the goal warrants the access. The escalation path: agent self-request goes to the application owner for technical approval, then to AI governance for policy approval, then to IAM for issuance. No single team unilaterally grants the access.
Scenario two is the cross-system agent. An agent operates across multiple business domains (sales, finance, operations) and produces actions in each. Application ownership is split across teams. The escalation path: a designated AI governance lead serves as the cross-system owner; the per-system application owners coordinate through the AI governance lead; the IAM team treats the AI governance lead as the system of record for ownership.
Scenario three is the agent invoking other agents. Agent-to-agent invocation creates a chain of authority where the calling agent’s permissions effectively expand through the called agent. The escalation path: agent invocation chains require explicit registration before deployment; AI governance approves the chain pattern; IAM tracks the effective permissions across the chain.
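What "IAM tracks the effective permissions across the chain" means in practice, as an added example that is not the article's or any vendor's code: given each agent's direct grants and the agents it is registered to invoke, the effective set is the union along every reachable path, and an escalation is any agent whose effective set exceeds the ceiling AI governance approved for its chain pattern. The registry, permission names, agent names and ceilings below are constructed assumptions. The example also rejects cycles, which the text does not mention explicitly but which follow from its reasoning: inside a cycle no agent's permissions can be bounded by the agent that called it.

```python
"""Effective permissions across agent-to-agent invocation chains.

Added example, not the article's or any vendor's code. The agent registry,
permission names and the governance-approved ceilings are constructed
assumptions standing in for an IAM system of record.
"""

# Constructed registry: each agent's directly granted permissions and the
# agents it is registered to invoke.
AGENTS = {
    "triage-bot": {"direct": {"ticket:read"}, "invokes": ["fix-bot"]},
    "fix-bot": {"direct": {"repo:write", "ci:trigger"}, "invokes": ["deploy-bot"]},
    "deploy-bot": {"direct": {"prod:deploy"}, "invokes": []},
    "report-bot": {"direct": {"ticket:read", "metrics:read"}, "invokes": ["triage-bot"]},
}

# The chain pattern AI governance approved for each agent: the most it should
# ever be able to reach, directly or through anything it invokes (constructed).
APPROVED_CEILING = {
    "triage-bot": {"ticket:read", "repo:write", "ci:trigger"},
    "fix-bot": {"repo:write", "ci:trigger", "prod:deploy"},
    "deploy-bot": {"prod:deploy"},
    "report-bot": {"ticket:read", "metrics:read"},
}


def effective_permissions(agent, registry=AGENTS):
    """Direct permissions plus everything reachable through the invocation graph.

    Depth-first walk with a visited set, so a cycle terminates instead of recursing.
    """
    perms, seen, stack = set(), set(), [agent]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        perms |= registry[cur]["direct"]
        stack.extend(registry[cur]["invokes"])
    return perms


def find_cycles(registry=AGENTS):
    """Invocation cycles, each as a list of agents ending where it started.

    A cycle means no agent in it can be bounded by the agent that called it,
    which is the pattern that should fail chain registration.
    """
    cycles, colour = [], {}

    def visit(node, path):
        colour[node] = "grey"
        path.append(node)
        for nxt in registry[node]["invokes"]:
            if colour.get(nxt) == "grey":
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in colour:
                visit(nxt, path)
        path.pop()
        colour[node] = "black"

    for agent in registry:
        if agent not in colour:
            visit(agent, [])
    return cycles


def chain_ledger(registry=AGENTS):
    """What IAM should record per agent: the effective set, not only the direct grants."""
    return {a: sorted(effective_permissions(a, registry)) for a in registry}


def escalations(registry=AGENTS, ceiling=APPROVED_CEILING):
    """Agents whose effective permissions exceed the ceiling governance approved."""
    out = {}
    for agent in registry:
        excess = effective_permissions(agent, registry) - ceiling.get(agent, set())
        if excess:
            out[agent] = sorted(excess)
    return out


if __name__ == "__main__":
    for agent, perms in chain_ledger().items():
        print(f"{agent:12s} effective={perms}")
    print("cycles:", find_cycles())
    print("escalations:", escalations())
```

Run stand-alone, the ledger shows that `triage-bot`, which holds only `ticket:read` directly, can reach `prod:deploy` two hops away, and that `report-bot` inherits the whole chain through it. Both exceed their approved ceilings and would be blocked at registration; the escalation path in the text is the route by which either the ceiling is raised deliberately or the chain is broken.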
Scenario four is the third-party agent integration. An external software-as-a-service (SaaS) or partner integration deploys an agent into the enterprise environment. Ownership is shared between the third-party vendor and the internal application owner. The escalation path: third-party agents are subject to the same RACI as internal agents; the internal application owner is accountable; the vendor is responsible for the agent's behavior under contract; the IAM team treats the vendor's access as a vendor-managed service principal.
The 60-Day Implementation Plan
For an organization that has deployed agents without an enterprise RACI, the 60-day implementation plan establishes the framework without disrupting operations.
Days 1 through 10: Inventory. Produce the agent inventory. Every agent in production, every agent in development, every agent in pilot. Capture the application owner, the named human owner, the entitlements, and the systems accessed. The inventory is the prerequisite for everything that follows.
Days 11 through 20: RACI Adoption. Adopt the seven-function RACI as the enterprise default. Adapt to organizational structure where necessary, but preserve the structural assignments. Communicate the RACI to IAM, AI governance, application owners, the SOC, and internal audit.
Days 21 through 35: Gap Closure. For each agent in the inventory, identify which RACI functions are missing. Provisioning gaps (no IAM-issued credential), ownership gaps (no named human owner), monitoring gaps (no behavioral telemetry), kill-switch gaps (no documented mechanism). Close the gaps in priority order: kill switches first, ownership second, provisioning third, monitoring fourth.
Days 36 through 50: Escalation Path Documentation. Document the four cross-team escalation paths with named individuals at each step. The paths are useless without specific names; the escalation works because the people involved know in advance that they are involved.
Days 51 through 60: Audit Engagement. Engage internal audit to plan the agent-identity audit. The audit’s scope, methodology, and reporting line are agreed during this window so the first audit cycle can begin in the following quarter.
Frequently Asked Questions
Should the IAM team or the AI governance team own this?
Neither owns the function exclusively. The IAM team owns the identity lifecycle (provisioning, deprovisioning, access reviews); the AI governance team owns the behavioral domain (ownership designation, behavioral monitoring). The CISO is accountable for the joint function. Ad hoc ownership produces gaps that the RACI is designed to close.
How does this differ from non-human identity (NHI) governance?
Non-human identity governance covers service accounts, machine identities, and traditional automation. AI agent identity is a subset of NHI but with distinct characteristics: dynamic behavior, delegated authority, and goal-directed action. The RACI here is specific to agents because the seven functions matter differently for agents than for traditional NHIs.
What tooling supports the RACI?
Identity governance and administration platforms (SailPoint, Saviynt, Okta) cover provisioning, access reviews, and deprovisioning. Specialized agent identity platforms (emerging, with vendors including Strata and others) cover ownership designation and cross-system tracking. AI behavioral monitoring requires AI-specific tooling. Kill switches and audit are typically operational rather than tooled.
How often should the RACI be reviewed?
Annually at minimum. The agent landscape evolves quickly; agent capabilities expand and new use cases emerge. Material changes (a new vendor, a new agent class, an organizational restructuring) trigger an interim review.
Who briefs the board on agent identity?
The CISO briefs the board on the agent identity posture. The brief should cover inventory size, RACI adoption status, audit findings, and remediation status. Board fluency on agent identity rises rapidly through 2026; CISOs who present a coherent posture establish credibility, and CISOs who present an ad hoc posture invite scrutiny.
What is the minimum viable agent identity program?
Inventory, ownership designation, kill switches, and deprovisioning. These four functions are the floor below which agent operations are unsafe. Provisioning, access reviews, behavioral monitoring, and audit follow as the program matures.
The verdict. Agent identity governance is the function that exists between two teams that were not designed to share it. The structural problem produces the data problem: 91 percent agent deployment, 23 percent enterprise ownership strategy [ConductorOne 2026 Future of Identity Report]. The fix is not new tooling or new headcount. The fix is a documented RACI that names the seven functions, assigns them to the teams that already exist, and establishes the four escalation paths for the scenarios where ownership is genuinely shared. The CISO who walks into the board meeting with the seven-function RACI in hand has answered the accountability question before it is asked. The CISO who walks in without it is answering the question after the incident.