AI agents already operate in hospitals and factories, but corporate identity governance was never designed for them
AI agents are already inside the hospitals, factories, and data centers of the world’s largest companies.
And this is no longer a promise about the future — it’s the present happening right now, in real time, with direct impact on critical decisions that affect lives and entire operations.
But there’s a problem that most conversations about corporate AI are still ignoring, and it has nothing to do with model capabilities or available computing power.
The real bottleneck is identity governance.
You know that corporate identity management system your company uses to control who accesses what? It was built with humans in mind. Logins, passwords, role-based permissions, periodic access reviews — all designed for a world where the identities on the network were real people with first and last names.
Now picture a medical transcription agent that automatically updates electronic health records while the doctor sees a patient, or a computer vision agent inspecting parts on an industrial production line at speeds no human could ever keep up with. Both of these scenarios are happening today, and both generate non-human identities that traditional corporate infrastructure simply cannot track, scope, or revoke at the speed the situation demands. 🤖
The numbers confirm just how big the problem is. According to data presented by Cisco president Jeetu Patel at RSAC 2026, 85% of companies are testing AI agents in pilot projects, but only 5% have actually made it to production. That 80-percentage-point gap doesn’t exist because of a lack of technology. It exists because of a lack of trust — and trust, in this context, starts with identity.
Below, we’re going to break down why this problem is structural, what experts like Michael Dickman, SVP and GM of Cisco’s Campus Networking division, are proposing as a solution, and what the real conditions are for companies to move their agents from pilot to production without opening up critical security gaps along the way. 👇
Why traditional identity infrastructure wasn’t built for AI agents
For decades, the corporate identity governance model worked well because the universe of identities was relatively predictable. An employee joined the company, received their credentials, had permissions adjusted based on their role, and periodically went through access reviews. When they left, credentials were revoked. Simple, auditable, and human. The problem is that AI agents don’t fit into any of these steps the way they were originally conceived — and this incompatibility is becoming one of the main blockers for enterprise-scale AI adoption.
An AI agent can be spun up in seconds, operate autonomously for hours or days, make chained decisions without human intervention, and depending on the architecture, communicate with other agents or external systems in a completely asynchronous way. No identity management system designed for humans was built to handle this kind of behavior. The absence of a structured identity lifecycle for non-human entities creates gaps ranging from the difficulty of tracking what an agent accessed to the impossibility of revoking permissions in a granular and immediate way when something goes wrong.
Recent research backs up this diagnosis. IANS Research found that most companies still don’t have role-based access control mature enough even for their current human identities — and AI agents are going to make that landscape significantly harder. At the same time, the IBM X-Force Threat Intelligence Index for 2026 recorded a 44% increase in attacks exploiting public-facing applications, driven precisely by missing authentication controls and AI-powered vulnerability discovery. These data points show that the problem isn’t theoretical — the gaps are already being actively exploited.
Michael Dickman was pretty direct when presenting this diagnosis at RSAC 2026. In his view, the rise of AI agents in the corporate environment requires a complete rethink of how companies approach identity — not as an incremental adjustment to existing systems, but as a structural overhaul that treats non-human entities as first-class citizens within the corporate security fabric. Without that, every new agent deployed to production represents a potential attack surface that security teams simply cannot monitor with the tools they have today.
Trust can’t be a bolt-on upgrade
One of the most important points Dickman made in his exclusive conversation with VentureBeat is that agentic AI breaks a pattern he’s seen in every previous technology transition: productivity comes first, security comes later. In his view, with autonomous agents, that order simply doesn’t work anymore.
Dickman stated that trust is not something where business productivity comes first and security is an afterthought. Trust is actually one of the key requirements. It’s table stakes from the very beginning.
This difference becomes especially clear when you compare agents that just observe data and recommend decisions with agents that actually take action. When an agent autonomously updates patient records, adjusts network configurations, or processes financial transactions, the blast radius of a compromised identity expands dramatically. We’re no longer talking about an alert that someone will review later. We’re talking about concrete actions with real-world consequences happening at machine speed.
And that’s exactly why Dickman breaks the trust problem down into four fundamental conditions that any company needs to consider before moving agents into production:
- Secure delegation: precisely defining what each agent can do and maintaining a clear chain of human accountability. Every agent needs a human owner who is responsible for its behavior.
- Cultural readiness: organizations need to rethink their workflows. Dickman used alert fatigue as a case study — the traditional solution was to aggregate alerts so analysts saw fewer items. With agents capable of evaluating each alert individually, the logic changes completely, and the work culture needs to keep pace with that shift.
- Token economics: every action an agent takes has a real computational cost. The answer, according to Dickman, is hybrid architectures where agentic AI handles the reasoning while traditional deterministic tools execute the actions — combining the intelligence of foundation models with the efficiency and predictability of conventional software.
- Human judgment: Dickman shared a hands-on example where his team used an AI tool to draft a product requirements document. The agent produced 60 pages of repetitive content that, despite showing technical responsiveness, clearly needed extensive fine-tuning to be relevant. There is no substitute for human judgment and the skill required to work with AI effectively, he emphasized.
What the network sees that endpoints can’t
There’s a layer of information that frequently stays invisible in corporate monitoring systems, and Dickman considers it fundamental to any agent governance strategy: network telemetry.
Most corporate data today is proprietary, internal, and fragmented across observability tools, application platforms, and security stacks. Each domain team builds its own view. None of them see the full picture.
Dickman explained that the crucial difference is between knowing and guessing. What the network can see are the actual data communications between systems. It’s not an assumption that one system needs to talk to another — it’s which systems are actually communicating. That raw behavioral data becomes the foundation for cross-domain correlation, and without it, organizations have no reliable way to enforce policies for agents at what he calls machine speed.
This telemetry becomes even more valuable as IoT and AI applied to the physical world proliferate. Computer vision agents analyzing consumer behavior in stores or running quality control on production lines generate highly sensitive data that demands precise access controls.
Dickman reinforced that all of these applications require the trust we’ve been talking about from the start, because we’re dealing with extremely sensitive data about who is doing what inside a store or what’s happening on the factory floor.
Microsegmentation and privileged access as pillars of the new architecture
If identity governance is the core problem, microsegmentation and privileged access control are among the most consistent answers emerging in the technical debate. The idea behind microsegmentation is relatively straightforward: instead of granting an AI agent access to broad segments of the corporate network, you define extremely granular perimeters around each agent, limiting exactly which resources it can access, which other systems it can communicate with, and under what conditions that access is allowed. It’s the principle of least privilege applied far more precisely than traditional user-profile-based controls.
Dickman was emphatic in describing microsegmentation as a least-privilege access guarantee implemented at the network layer — not dependent on host-based agents that can be bypassed or run into other issues.
Privileged access control comes in as a complementary layer, especially in cases where the agent needs to operate on sensitive data or execute actions with systemic impact — like updating a healthcare database, moving financial files, or triggering automated processes in critical infrastructure. In these scenarios, the agent can’t simply hold an API key with permanent permissions. What’s needed is a temporary, auditable, and real-time-revocable access model where each privileged session is treated as an isolated event that must be logged, justified, and monitored end to end. This represents a significant shift from the current model, where tokens and service credentials tend to have long lifespans and broad scope.
The combination of these two approaches — microsegmentation with well-managed privileged access — starts to create what experts are calling an identity mesh for AI agents: an architecture where each agent has a unique, trackable identity with a defined scope and documented expected behavior. When an agent deviates from that expected behavior — whether by accessing a resource outside its perimeter or establishing an unauthorized communication with another system — the environment can detect, alert, and respond proportionally.
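The Python example below is added here and is not code from Cisco or from the article. It models the identity mesh just described: each agent has a human owner and a per-agent flow allowlist (its microsegment), privileged flows additionally need a short-lived, revocable session, and every decision is written to an audit log. The class names, hostnames, owner address and the `scribe-01` agent are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str             # accountable human (secure delegation)
    allowed: frozenset     # (host, port) flows inside the agent's microsegment
    privileged: frozenset  # subset that also needs a live privileged session

class IdentityMesh:
    def __init__(self):
        self.agents, self.sessions, self.audit = {}, {}, []

    def register(self, ident):
        if not ident.owner:
            raise ValueError("every agent needs a human owner")
        self.agents[ident.agent_id] = ident

    def open_session(self, agent_id, justification, ttl, now):
        self.sessions[agent_id] = now + ttl  # expiry time, not a standing key
        self.audit.append((now, agent_id, "session_open", justification))

    def revoke(self, agent_id, now):
        self.sessions.pop(agent_id, None)    # takes effect on the next flow
        self.audit.append((now, agent_id, "session_revoked", ""))

    def evaluate(self, agent_id, flow, now):
        # Decide one observed flow (host, port) and log the decision.
        ident, s = self.agents.get(agent_id), self.sessions.get(agent_id)
        if ident is None:
            verdict = "deny:unknown_agent"
        elif flow not in ident.allowed:
            verdict = "deny:outside_perimeter"
        elif flow not in ident.privileged:
            verdict = "allow"
        elif s is None or now >= s:
            verdict = "deny:no_live_session"
        else:
            verdict = "allow:privileged"
        self.audit.append((now, agent_id, verdict, f"{flow[0]}:{flow[1]}"))
        return verdict

def demo():
    # Constructed sample: a transcription agent and five observed flows.
    mesh, a = IdentityMesh(), "scribe-01"
    ehr, asr = ("ehr-db.internal", 5432), ("asr.internal", 443)
    mesh.register(AgentIdentity(a, "dr.owner@example.org",
                                frozenset({ehr, asr}), frozenset({ehr})))
    out = [mesh.evaluate(a, asr, 0), mesh.evaluate(a, ehr, 1)]  # no session yet
    mesh.open_session(a, "visit note update", ttl=300, now=2)
    out += [mesh.evaluate(a, ehr, 3), mesh.evaluate(a, ("billing.internal", 443), 4)]
    mesh.revoke(a, now=5)
    out += [mesh.evaluate(a, ehr, 6)]
    return out, mesh.audit
```

The `deny:outside_perimeter` verdict is the deviation signal the paragraph describes, and the audit tuples record who asked for what and under which justification.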
Dickman anchored this framework in a real-life scenario. A family member of his recently broke their ankle, which brought him to an exam room where he watched a medical transcription agent updating the electronic health record, suggesting prescription options, and pulling up the patient’s history in real time. The doctor approved each decision, but the agent was executing tasks that previously required manual input across multiple systems. The security implications hit differently when it’s the records of someone you love on the screen.
Cross-domain visibility: the challenge nobody wants to admit
There’s an aspect of this problem that gets far less attention than it deserves, and in practice it might be the hardest to solve: cross-domain visibility. When an AI agent operates within a single system in a single corporate domain, the monitoring challenge is already significant. But the scenario that’s becoming increasingly common is far more complex than that. Modern AI agents frequently need to communicate with external services, access third-party APIs, integrate data from sources outside the company’s perimeter, and in more advanced architectures, collaborate with other agents that may be running on entirely different infrastructure.
Dickman explained that it’s not just about aggregation — it’s about creating knowledge from the network. There are new insights that emerge when you observe actual data communications. And from there, the question becomes what to do first, second, and third. In other words, the strategic challenge isn’t capability — it’s sequencing.
He also highlighted where the most common trap lies. Team A builds Agent A on top of Data A. Team B builds Agent B on top of Data B. Each silo produces incrementally useful automation. But the cross-domain insight never materializes.
Independent practitioners validate this pattern. Kayne McGladrey, a senior member of IEEE, observed that organizations are defaulting to cloning human user profiles for agents — and that uncontrolled permission sprawl starts on day one. Carter Rees, VP of AI at Reputation, identified the structural reason: a significant vulnerability in enterprise AI is broken access control, where an LLM’s flat authorization plane fails to respect user-level permissions. Etay Maor, VP of Threat Intelligence at Cato Networks, reached the same conclusion from the adversarial side: we need an HR view for agents, with onboarding, monitoring, and offboarding.
In this context, cross-domain visibility stops being a nice-to-have and becomes a non-negotiable security requirement. If the security team can’t track what an agent does when it crosses the corporate domain boundary, it’s impossible to guarantee that data is being handled according to company policies, that interactions with external systems are legitimate, or that a compromised agent isn’t exfiltrating information through a chain of seemingly harmless calls. This cross-domain blind spot is one of the most underestimated risk vectors in the discussion around AI agents in the enterprise — and any governance strategy that ignores this point is incomplete by definition.
Cisco has been investing in solutions that aim to address exactly this gap, proposing a model where the agent’s identity is portable across domains in a secure way and where access and audit policies follow the agent regardless of where it’s operating. It’s an ambitious model that involves protocol standardization, cross-vendor cooperation, and a shift in how companies negotiate trust with external partners. The road is long, but the direction is becoming clearer as real-world use cases keep revealing where visibility gaps create concrete risks.
Five priorities before agents hit production
Based on the framework Dickman presented, there are five priority actions that any organization looking to move AI agents from pilot to production needs to consider:
1. Force cross-functional alignment now. Define what the organization expects from agentic AI by involving business line leaders, IT, and security. Dickman notes that the human coordination layer moves more slowly than the technology — and that gap is the real bottleneck.
2. Get IAM and PAM ready for agents in production. Dickman specifically pointed out that identity and access management and privileged access management systems are not mature enough for agentic workloads today. Governance needs to be solid before scaling agents. This becomes the trust unlock, he said. Because when the technology platform is ready, you need the right governance and policy on top of it.
3. Take a platform approach to network infrastructure. A platform strategy enables cross-domain data sharing in ways that fragmented point solutions simply can’t. That shared foundation is what makes cross-domain correlation operationally real.
4. Design hybrid architectures from the start. Agentic AI handles reasoning and planning. Traditional deterministic tools execute the actions. Dickman sees this combination as the answer to token economics — delivering the intelligence of foundation models with the efficiency and predictability of conventional software. Don’t build purely agent-based systems when hybrid systems cost less and fail more predictably.
5. Make your first use cases a trust benchmark. Pick two or three high-value cases and build them with role-based access control, privileged access management, and microsegmentation from day one. Even modest deployments delivered with best practices intact build the organizational trust that accelerates everything that comes after. 🚀
What separates the 5% that made it to production from the 85% still stuck in pilot
Going back to Cisco’s data point matters because it reveals something that goes beyond the technical question. The 85% of companies still in the pilot phase with their AI agents aren’t stuck because of a lack of interesting use cases or insufficiently capable models. What stalls progress, in practice, are questions that security and compliance teams can’t answer with the tools and processes available to them today: who is this agent on our network? What can it access? How do we know if it’s behaving the way it should? And what happens if it isn’t?
The companies in the 5% that have reached real production generally share a few characteristics. They treated identity governance for agents as a separate, priority project — not as an appendage of the AI initiative. They invested in microsegmentation before expanding agent scope, making sure every newly deployed agent operated within a well-defined perimeter from day one. And they established continuous audit processes that allow them to identify behavioral deviations in real time, rather than relying on periodic reviews that no longer make sense at the speed agents operate.
Dickman summed up this logic pretty directly: do the governance carefully, but do the application and implementation fast. It has to be done at machine speed.
These elements — structured identity, microsegmentation, privileged access control, and cross-domain visibility — form the minimum set of conditions that seems to separate implementations that can scale securely from those that stay stuck in pilot indefinitely. It’s not an exhaustive list, and every industry has its own specifics, but it’s a far more concrete starting point than the generic conversations about AI trust that dominate most corporate debates today. 🔐
The advance of AI agents in the enterprise is going to keep happening, with or without proper governance. The difference is that without it, every new deployment adds risk without adding control — and the accumulation of unmonitored risks in critical systems tends to show up at the most inconvenient moments. Companies that understand this early have a real window to build a competitive advantage that goes well beyond the technology itself, because operational trust at scale is exactly the kind of asset that takes time to build and is very hard to copy.
As Dickman put it: you can guarantee that trust for the organization, and that will unlock speed. Because every new agent inherits the trust architecture that the first ones required. Meanwhile, organizations still debating whether they should get started will watch that gap grow wider. Theoretical trust doesn’t ship to production.
