As artificial intelligence permeates workplaces across Asia and globally in 2026, identity and access management (IAM) is no longer a static perimeter defence but a dynamic, intelligent control plane.
The proliferation of AI agents, machine identities and autonomous workflows has forced organisations to rethink how they govern, verify and protect access.
Analyst reports confirm this shift: Gartner’s February 2026 analysis highlights that “agentic AI demands cybersecurity oversight,” noting that the rapid adoption of AI agents creates new attack surfaces through unmanaged proliferation and unsecured code.
Similarly, industry observers point to an “explosion” of non-human identities (NHIs), with AI agents, bots and service accounts already outnumbering human accounts in many environments.
Visibility into the AI identity explosion
Organisations in Asia are deploying AI agents at unprecedented scale, yet many lack basic oversight.
Johan Fantenberg, director at Ping Identity, stresses foundational discipline: “As organisations deploy AI agents at scale, it’s critical to first take stock of the machine, workload, and agent identities already operating within the environment. This includes what they have access to, who owns or deploys them, and the permissions and entitlements associated with them. Visibility is key.”
He adds that runtime insight, auditable logs and clarity on delegation—supported by standards like MCP and OAuth 2.0—are non-negotiable.
This perspective aligns with 2026 realities. NHIs, including AI agents, now frequently outnumber human accounts by ratios exceeding 100:1, with some reports citing 144:1. Paul Hanagan, CTO of Conscia UK, notes that non-human identities “are rising significantly, and in most enterprises they already outnumber human users by around three to one.”
Experts at Clarity Security warn that unmanaged AI bots and third-party identities represent common attack vectors, demanding discovery and governance as a priority.
From static checks to continuous verification
Traditional IAM, centred on single sign-on (SSO) and multi-factor authentication (MFA), was built for human-paced interactions. In the agentic era, point-in-time authentication fails.
Fantenberg explains: “Many identity platforms are still primarily focused on SSO and MFA, which were designed for a different era. These systems now need to evolve to support continuous verification, not just for human users but also for non-human identities (NHIs) such as workloads, services, and AI agents.” Point-in-time checks decay quickly amid changing contexts.
Gartner’s 2026 Predicts for IAM emphasise that human and machine identities have become the primary attack surface, urging leaders to enhance visibility and intelligence for real-time decision-making. Optimal IdM’s analysis of 2026 trends describes Zero Trust maturing into continuous, context-aware verification with dynamic privilege adjustments based on real-time risk.
Combating AI-powered fraud and deepfakes
Asia has witnessed a 200%+ surge in AI-driven fraud and deepfake attacks. Fantenberg advocates strengthening controls at high-risk points: “Strong identity verification is also vital at high-risk touchpoints such as account recovery… Modern verification should combine robust identity proofing, passive liveness detection, and ongoing user education.”
Supporting this, observers report that agentic AI is reshaping IAM strategies, with buyers prioritising phishing-resistant methods to counter credential abuse and impersonation. Saviynt’s 2026 Identity Security Trends & Predictions highlight that bad actors are increasingly targeting AI identities, making identity the central strategy for cybersecurity.
Governance in the shadow of AI adoption
Rushed AI deployments often bypass governance. Fantenberg urges collaborative policy-making: “Many organisations are developing policies to guide AI adoption. However, the reality of shadow AI means these policies are most effective when created collaboratively across the business… Security, risk, IT, lines of business, and the board all need to be actively involved.”
AI agents require real-time lifecycle management mirroring human JML processes: “AI agents may exist for only seconds, or less, but during that brief window the appropriate identity controls, policies, and governance must still be applied and evaluated in real time.”
Forrester’s Predictions 2026 stress that governance gaps could lead to agentic AI breaches, recommending MCP for secure collaboration and human capital management platforms to treat digital employees as part of the workforce. AI raises new governance questions, urging organisations to treat IAM as a holistic practice rather than isolated products.
The identity fabric across clouds
Hybrid and multi-cloud environments exacerbate identity sprawl. Fantenberg advocates a unified approach: “An identity fabric needs to be unified so that the identity controls and governance can be applied across deployment topologies and architectures. The identity fabric needs to become the unified control plane for all your identity types.”
Practical steps include provisioning across on-premise and SaaS, full IGA reach and single-pane visibility. He adds: “Creating an identity fabric doesn’t need to be a rip and replace project… adding identity fraud detection (e.g., bot detection) can be done without having to replace an existing access management solution.”
Identity fabric addresses sprawl through cloud-native orchestration, enabling SSO, MFA and governance in one platform. Gartner recommends modernising identity governance and extending controls into AI deployments to scale adoption safely.
The passwordless push
Phishing-resistant authentication is accelerating. Fantenberg reports positive momentum: “Yes, we are seeing a growing adoption of phishing-resistant authentication methods such as passkeys and biometrics.”
He says these approaches significantly strengthen security while also delivering a far better user experience.

“In mobile-first regions like Asia, we can expect rapid uptake of hardware-backed authentication methods, including passkeys, cryptographically bound devices, verifiable credentials, and digital identity wallets.” Johan Fantenberg
By 2026, passwordless is mainstream, driven by AI-amplified phishing and the superior user experience of biometrics and passkeys. Privacy-preserving biometrics with server-side protections are particularly valued for account recovery and human-in-the-loop approvals in e-commerce.
First-class identities in the fabric
Agentic AI—autonomous agents acting independently—requires treating machines as equals to humans in the identity ecosystem. Fantenberg notes: “We are still in the early stages of agentic AI, with frameworks and protocols such as MCP, A2A, and AP2 continuing to emerge.”
He acknowledges that many organisations have already deployed agents in customer-facing roles, like support chatbots, as well as within back-office operations, though the identity controls governing these systems are often still basic or proprietary.
“AI agents and their identities must be treated as first-class identities within the enterprise identity fabric, governed and managed alongside customer, citizen, workforce, and partner identities.” Johan Fantenberg
Emerging standards like MCP and OAuth 2.0 provide the foundation, while governance frameworks ensure integration with enterprise policies. This mirrors Gartner’s call for robust controls on AI agents and aligns with predictions that agentic AI will reshape IAM governance entirely in 2026. Astrix echoes the need for discovery and governance of shadow AI agents.
Dynamic friction in real-time
Organisations are moving beyond static rules. Fantenberg confirms the capability exists: “Absolutely, many organisations have modern identity fabrics deployed and augmenting them to integrate with providers of real-time risk signals can be straightforward… The trick is to analyse a large number of signals in real-time as well as adjust policies dynamically. Leveraging AI can help here.”
This is supported by broader trends towards AI-driven adaptive access, as noted in IDMworks’ 2026 analysis, where machine learning enables real-time threat countering.
Ecosystem collaboration, including shared signals frameworks from the OpenID Foundation, is accelerating, particularly among financial services and telcos in Asia.
Third-party and supply-chain risks
B2B identities often lag in governance. Fantenberg observes: “Enterprises are increasingly recognising that their B2B identity environments can represent a significant risk… Strengthening governance for B2B identities allows organisations to apply appropriate security measures across business and supply chain partner access.” Robust verification and biometrics are eliminating shared accounts and enhancing accountability.
Gravitee’s State of AI Agent Security 2026 Report highlights that only 14.4% of AI agents deploy with full security approval, amplifying supply-chain vulnerabilities.
Coaching AI agents: The human touch
Securing AI demands skilled human oversight. Fantenberg likens it to training employees: “AI agents will need close supervision, particularly in the early stages as they learn the business—much like coaching a human trainee… Human supervisors also need secure ways to refine and improve agent behaviour through human-in-the-loop (HITL), retrieval-augmented generation (RAG), and reinforcement learning from human feedback (RLHF) processes.”
Strong identity controls around data, models and interventions ensure explainability, auditability and trust. Gartner’s Alex Michaels reinforces this: “To realise the full potential of AI in security operations, cybersecurity leaders must prioritise people as much as technology,” advocating human-in-the-loop frameworks.
All this suggests that 2026 is the year IAM evolves from gatekeeper to enabler in the AI workplace. As Fantenberg’s insights illustrate, success lies in visibility, continuous verification, unified fabrics, passwordless methods and treating AI agents as first-class citizens.
Organisations embracing these practices—backed by standards, collaboration and human-centric governance—will not only mitigate risks but unlock the full potential of agentic AI. Identity is the new battleground, and proactive, intelligent IAM is the winning strategy.