AI Agents Outpace Identity Governance, Creating 'Dark Matter' Inside Enterprises
Original source: Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing? (The Hacker News)

Enterprises are deploying AI agents faster than their identity and access management systems can govern them, according to Gartner’s inaugural Market Guide for Guardian Agents. The structural problem is that legacy IAM was built for humans who log in and out, while AI agents run continuously across multiple applications, accumulate permissions opportunistically, and act at machine speed. Orchid Security estimates roughly half of enterprise identity activity already happens outside centralized IAM visibility — what it calls ‘identity dark matter’ — because controls and accounts often live inside the applications themselves rather than in a central directory.
Orchid’s pitch is to close the gap by inspecting authentication and authorization logic directly inside applications via binary analysis and dynamic instrumentation, rather than only watching login events at the perimeter. Its ‘Ask Orchid’ agent answers natural-language questions security teams cannot currently answer with their existing tooling: which AI agents are actually running, how the estate maps against NIST CSF 1.1 and 2.0 controls at the application level, and where unrotated static credentials and forgotten service accounts pose the highest risk.
The broader point — beyond the vendor framing — is that AI agents are now first-class non-human identities that need attribution back to a human owner, a recorded chain of custody from agent to tool to target, and continuously re-evaluated, context-aware guardrails. Without that, agents become a high-value attack surface that inherits broad permissions and operates beneath the visibility of traditional IAM.
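To make the governance requirements above concrete, here is an added example (not code from the article, from Gartner, or from Orchid Security) of the reconciliation check a defender would run: observed agent actions pulled from application logs are compared against the central IAM registry to flag agents with no IAM record, active agents with no accountable human owner, tool use outside the agent's grant, static credentials past a rotation window, and registered-but-dormant identities, while building the agent-to-tool-to-target chain of custody. Every agent name, tool, target and date below is constructed sample data, and the 90-day rotation threshold is an assumed policy value, not a figure from the page.

```python
"""
Reconcile observed AI-agent activity against a central IAM registry to surface
'identity dark matter'. All identities, actions and dates are constructed
sample data for illustration; no real product or log format is modelled.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

ROTATION_MAX_DAYS = 90  # assumed policy threshold for static credentials


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: Optional[str]        # accountable human owner; None = unattributed
    allowed_tools: frozenset    # tools the agent was explicitly granted
    credential_issued: date     # last rotation of its static credential


@dataclass(frozen=True)
class Action:
    agent_id: str   # identity that acted (taken from application-side logs)
    tool: str       # capability invoked
    target: str     # resource acted upon


@dataclass(frozen=True)
class Finding:
    kind: str
    agent_id: str
    detail: str


def reconcile(registry: List[AgentIdentity], actions: List[Action],
              today: date) -> Tuple[List[Finding], List[Tuple[str, str, str]]]:
    """Return (findings, chain_of_custody) for the observed activity."""
    reg: Dict[str, AgentIdentity] = {a.agent_id: a for a in registry}
    findings: List[Finding] = []
    custody: List[Tuple[str, str, str]] = []
    flagged_unowned: Set[str] = set()
    active: Set[str] = set()

    for act in actions:
        # Record agent -> tool -> target so every action is attributable.
        custody.append((act.agent_id, act.tool, act.target))
        active.add(act.agent_id)
        ident = reg.get(act.agent_id)
        if ident is None:
            findings.append(Finding("unregistered_agent", act.agent_id,
                                    f"used {act.tool} on {act.target} with no IAM record"))
            continue
        if ident.owner is None and act.agent_id not in flagged_unowned:
            flagged_unowned.add(act.agent_id)
            findings.append(Finding("no_human_owner", act.agent_id,
                                    "active agent has no accountable human owner"))
        if act.tool not in ident.allowed_tools:
            findings.append(Finding("tool_outside_grant", act.agent_id,
                                    f"used {act.tool} on {act.target}; "
                                    f"granted {sorted(ident.allowed_tools)}"))

    for ident in registry:
        age = (today - ident.credential_issued).days
        if age > ROTATION_MAX_DAYS:
            findings.append(Finding("stale_credential", ident.agent_id,
                                    f"static credential is {age} days old "
                                    f"(limit {ROTATION_MAX_DAYS})"))
        if ident.agent_id not in active:
            # A registered identity with no observed activity is a forgotten
            # service account candidate: still authorised, nobody watching it.
            findings.append(Finding("dormant_identity", ident.agent_id,
                                    "registered but no observed activity"))
    return findings, custody


# Constructed sample data (hypothetical agents, tools and targets).
SAMPLE_REGISTRY = [
    AgentIdentity("invoice-agent", "alice", frozenset({"erp.read"}), date(2025, 5, 1)),
    AgentIdentity("ops-agent", None, frozenset({"ticketing"}), date(2025, 6, 1)),
    AgentIdentity("legacy-sync", "bob", frozenset({"crm.export"}), date(2024, 3, 1)),
]
SAMPLE_ACTIONS = [
    Action("invoice-agent", "erp.read", "ledger-2025"),
    Action("invoice-agent", "mail.send", "cfo-inbox"),      # outside its grant
    Action("ops-agent", "ticketing", "INC-4410"),           # no owner on record
    Action("shadow-agent", "crm.export", "customer-table"),  # not in IAM at all
]
SAMPLE_TODAY = date(2025, 7, 1)


def run_sample() -> Tuple[List[Finding], List[Tuple[str, str, str]]]:
    return reconcile(SAMPLE_REGISTRY, SAMPLE_ACTIONS, SAMPLE_TODAY)


if __name__ == "__main__":
    found, chain = run_sample()
    for f in found:
        print(f"{f.kind:20} {f.agent_id:15} {f.detail}")
    print("chain of custody:", chain)
```

Each finding kind maps to one of the gaps the summary names: unregistered agents and unowned agents are the "dark matter", tool use outside the grant is the opportunistic permission accumulation, and the stale and dormant checks are the unrotated credentials and forgotten service accounts. In practice the action list would be fed from the application-side logs rather than the login perimeter, which is the point the article makes about where the visibility gap sits.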
This is an AI-generated summary. Read the original at The Hacker News for the full story.