Google Cloud Next 2026 opens today in Las Vegas. Thirty thousand people at Mandalay Bay. Thomas Kurian taking the stage to frame the keynote around agentic AI and the control plane for autonomous agents inside the enterprise. Every analyst preview said the same thing going in. The real story is not the new models. The real story is the control plane.
They were right about the story. They were wrong about the readiness.
While that keynote is happening, fresh research from Strata and the Cloud Security Alliance says 92% of large-enterprise security leaders lack full visibility into AI agent identities. 86% do not enforce access policies for them. 71% say AI systems are already touching core business platforms, and only 16% govern that access effectively. 33% of organizations have no audit trail for agent actions at all. 18% have high confidence their current identity stack can even handle agents.
Thirty thousand people walking past slot machines to hear about orchestration layers, and 92% of their own security leaders cannot see what is already loose in their environments.
That is where we are.
We Did This to Ourselves
Before we get to the vendors, let's be honest about who put us here.
For twenty years the security community has been saying zero trust starts with the accounts. We have been saying it at conferences. We have been saying it on panels. We have been putting it in roadmaps and vision slides and board presentations. And for twenty years we have over-provisioned like crazy.
We all need admin. It is too hard to scope. The app will not work if we lock it down. We will fix it in the next sprint. We will tackle it once the migration is done. Every excuse has been fluent, reasonable, and repeated for a generation.
The identity debt was manageable when the universe of non-human identities was service accounts, API keys, and a few scheduled jobs. Most of those were deterministic. Suzy's service account has been logging into the same three systems in the same way since 2018. Even when the account is over-permissioned, the workload never uses the extra scope. Over-provisioning was a time bomb that nobody pressed the button on.
Now someone is about to press the button on it. Thousands of times. At machine speed. And not on purpose.
Stop Calling AI Another NHI
An AI agent is not a non-human identity. Stop saying it. The industry is defaulting to NHI because it is the closest existing bucket, and the bucket is wrong.
Non-human identities are deterministic. A service account does what it is configured to do. An API key is used by an application that executes the same code path every time. The risk of an over-permissioned NHI is that an attacker compromises it and abuses the scope. The principal itself is not the threat. The principal is boring.
An AI agent is not boring.
An AI agent is a new category of principal. Call it what it is. A non-deterministic identity. An NDI. The system is designed to be creative in finding solutions. That is the entire product pitch. Reason. Plan. Execute across your stack. Adapt when the first approach does not work. Explore alternatives. That language is not marketing. That is how the models are built.
There are documented cases of AI systems working themselves out of a sandbox because the sandbox was too restrictive for the task given, and the configuration outside the sandbox allowed it. That is not a security incident in the classical sense. The model did exactly what it was designed to do. It found a creative path to the goal. The sandbox was tight. The permissions next door were loose. The agent routed around.
Now imagine that at scale. Ten thousand agents inside your enterprise. Some of them using poorly configured service accounts you inherited from the NHI era. Some of them impersonating end users through delegated authentication. All of them designed to explore the potential of their permissions to achieve the stated goal.
Suzy never pushes the limits of her available permissions. She just wants to get her job done the way she knows how. She is reliable and deterministic, for the most part, and you have been counting on that for twenty years. Your IAM strategy has been counting on that.
There is no such restriction on an AI agent. The agent will explore. That is the feature.
That is why this is a new category. NHI does not describe it. HI does not describe it. NDI does.
Google Is Part of the Problem
Google deserves credit for naming the control plane. They do not deserve credit for being neutral on identity.
Google Cloud IAM is one of the most complex and most over-provisioned identity systems in common use. The defaults are generous. The basic roles (Owner, Editor, Viewer, formerly called primitive roles) are absurdly broad: Editor alone can create, change, and delete most resources in a project, and the Compute Engine default service account has historically been handed Editor project-wide out of the box. The service account ecosystem, with downloadable key files and project-wide impersonation roles, has been a well-known lateral-movement path for years. Workload Identity Federation is an improvement, and it is also an admission of how bad the baseline was.
That is the IAM that is about to host the agent orchestrator they want to sell you this week.
When Kurian talks about the control plane for autonomous agents, the honest question is which control plane. The one that already cannot cleanly model delegated, ephemeral, creative principals? The one where a misconfigured service account can already reach half your project? The one your team still cannot fully audit?
This is not Google being uniquely bad. AWS and Azure carry their own versions of the same debt. But Google is the one on stage this week selling the next layer up. If the base layer is not ready for a non-deterministic principal, and none of the major cloud providers have shipped identity systems that were designed for one, buying the orchestrator on top is not progress. It is borrowing more from a lender you already cannot pay.
Fix Identity Today
Three steps for Monday morning. Not a 12-month maturity roadmap. Three.
One. Start today. No six-month planning cycle. The we-need-to-do-a-strategy-first move is how we got here. Identify the low-hanging fruit this week. The five service accounts with project owner. The twenty users with domain admin who do not need it. The shared credentials in a config file on a developer laptop somewhere. Fix them. Keep fixing them. Do the larger plan in parallel. The worst move right now is pausing remediation while you build a governance framework.
Two. Treat every agent as an NDI by default. Stop inheriting existing NHI scopes for new agent workloads. An agent's permissions are not the union of what the user it impersonates can do and what the service account it runs as can do; they are bounded by both. An agent's permissions should be the minimum required for the task, scoped to the session, logged in full, and revocable mid-run. If your IAM does not support that, say so out loud, and do not deploy agents into the blast radius until it does.
Three. Retire the excuses. We all need admin is not a configuration. It is a confession. It is too hard was a valid answer in 2023. It was even a defensible answer while you were building the 2025 budget. In 2026, with 92% of your peers admitting the same gap, with agent deployments already in production, with the EU AI Act carrying real penalties for governance failures, it is too hard is a resignation letter you have not submitted yet.
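The Google Cloud IAM findings above and the low-hanging fruit in step one (service accounts with project Owner, basic roles handed out at project scope, public principals) are the kind of thing a script can surface in an afternoon. The following is an added example, not code from the article, Google, Strata, or the CSA. It reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and reports three things: basic roles at project scope (especially on service accounts, and especially on the Compute Engine default service account), project-wide impersonation roles, and public principals. The policy embedded in it is constructed; every project, account, and group name is made up.

```python
"""Flag over-broad project-level IAM bindings in a Google Cloud IAM policy.

Added example, not code from the article. Input is the JSON returned by
`gcloud projects get-iam-policy PROJECT --format=json`. SAMPLE_POLICY_JSON is
constructed for illustration; every name in it is made up.
"""
import json

# Basic roles (formerly "primitive roles"). Owner and Editor are project-wide
# write access; Viewer is broad too but is not a lateral-movement primitive.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Bound at project scope, each of these lets the member act as, or mint
# tokens or keys for, EVERY service account in the project.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
}

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not a real project).
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwXyZ0000000=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-runner@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:agent-platform@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["user:carol@example.com"],
     "condition": {"title": "until-friday",
                   "expression": "request.time < timestamp('2026-04-24T00:00:00Z')"}}
  ]
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def classify(member: str, role: str):
    """Return (severity, reason) for one binding member, or None if it is fine."""
    kind, _, name = member.partition(":")   # user, serviceAccount, group, ...
    if member in PUBLIC_MEMBERS:
        return 0, "public principal"
    if role in BASIC_ROLES:
        reason = "basic role at project scope"
        if kind == "serviceAccount":
            reason += " on a service account"
            if name.endswith("-compute@developer.gserviceaccount.com"):
                reason += " (Compute Engine default SA)"
        return 1, reason
    if role in IMPERSONATION_ROLES:
        return 2, "project-wide service account impersonation"
    return None


def find_overprivileged(policy: dict) -> list:
    """One finding per (member, role) pair that deserves attention, worst first."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        conditional = "condition" in binding   # an IAM Condition narrows the grant
        for member in binding.get("members", []):
            hit = classify(member, role)
            if hit is None:
                continue
            severity, reason = hit
            findings.append({"severity": severity, "member": member, "role": role,
                             "reason": reason, "conditional": conditional})
    findings.sort(key=lambda f: f["severity"])   # stable: policy order within a tier
    return findings


if __name__ == "__main__":
    for f in find_overprivileged(SAMPLE_POLICY):
        flag = " [conditional]" if f["conditional"] else ""
        print(f"{f['member']:72} {f['role']:42} {f['reason']}{flag}")
```

This only looks at the project-level policy. Bindings inherited from the folder or organization, and per-resource bindings such as the policy on an individual service account (`gcloud iam service-accounts get-iam-policy SA_EMAIL`), are not in this document; for the whole estate, Cloud Asset Inventory's `gcloud asset search-all-iam-policies` is the starting point. The point is that the first pass does not need a framework, just the policy dump and a list of the roles you already know are a problem.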
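Step two says an agent's grant is the minimum the task needs, bounded by both the user it acts for and the service account it runs as, scoped to one session, logged in full, and revocable mid-run. The following is an added example of what that rule looks like as code, not code from the article or from any vendor's agent platform. It is a small in-process authorizer: a session opens only if every permission the task declares is inside the intersection of the delegating user's permissions and the runtime service account's permissions (never the union), a grant carries a TTL, every decision is written to an audit log, and an operator can revoke a session while the agent is still running. The permission names, principals, and task names are constructed.

```python
"""Session-scoped, revocable authorization for an AI agent.

Added example, not code from the article or any vendor. Models step two: the
grant is exactly what the task declares, bounded by BOTH the human delegator
and the service account the agent runs as (an intersection, never a union),
valid for one session, logged in full, revocable mid-run. Permission names,
principals and tasks below are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class Grant:
    session_id: str
    delegator: str
    task: str
    permissions: frozenset   # exactly what the task declared, nothing inherited
    expires_at: float
    revoked: bool = False


class AgentAuthorizer:
    def __init__(self, delegator_permissions: dict, runtime_permissions: Iterable[str],
                 clock: Callable[[], float] = time.time):
        # What each human principal may do, and what the SA the agent runs as holds.
        self.delegator_permissions = {k: frozenset(v) for k, v in delegator_permissions.items()}
        self.runtime_permissions = frozenset(runtime_permissions)
        self.clock = clock            # injectable so expiry can be tested
        self.grants: dict = {}
        self.audit_log: list = []

    def _log(self, **event):
        event["ts"] = self.clock()
        self.audit_log.append(event)

    def open_session(self, delegator: str, task: str, needs: Iterable[str], ttl_seconds: int) -> str:
        needs = frozenset(needs)
        # The bound is the intersection of delegator and runtime, not the union.
        bound = self.delegator_permissions.get(delegator, frozenset()) & self.runtime_permissions
        excess = needs - bound
        if excess:
            # Fail closed: a task that needs more than the bound does not get a
            # narrower grant to explore with; it is refused and the gap is logged.
            self._log(event="session_refused", delegator=delegator, task=task, excess=sorted(excess))
            raise PermissionError(f"{task}: {sorted(excess)} exceed the bound for {delegator}")
        sid = secrets.token_urlsafe(16)
        self.grants[sid] = Grant(sid, delegator, task, needs, self.clock() + ttl_seconds)
        self._log(event="session_opened", session=sid, delegator=delegator,
                  task=task, permissions=sorted(needs))
        return sid

    def authorize(self, session_id: str, permission: str) -> bool:
        """Every call is logged, allowed or not, so the audit trail is complete."""
        grant = self.grants.get(session_id)
        if grant is None:
            decision = "unknown_session"
        elif grant.revoked:
            decision = "revoked"
        elif self.clock() >= grant.expires_at:
            decision = "expired"
        elif permission not in grant.permissions:
            decision = "not_in_grant"   # denied even if the user or the SA could do it
        else:
            decision = "ok"
        self._log(event="authorize", session=session_id, permission=permission, decision=decision)
        return decision == "ok"

    def revoke(self, session_id: str, reason: str) -> None:
        """Mid-run kill switch: the next authorize() on this session fails."""
        self.grants[session_id].revoked = True
        self._log(event="session_revoked", session=session_id, reason=reason)


if __name__ == "__main__":
    az = AgentAuthorizer(
        delegator_permissions={"user:suzy@example.com": {"tickets.read", "tickets.comment", "calendar.read"}},
        runtime_permissions={"tickets.read", "tickets.comment", "calendar.read", "calendar.write", "mail.send"},
    )
    sid = az.open_session("user:suzy@example.com", "triage-ticket-4711", {"tickets.read", "tickets.comment"}, 300)
    print(az.authorize(sid, "tickets.read"), az.authorize(sid, "mail.send"))
    az.revoke(sid, "operator stop")
    for entry in az.audit_log:
        print(entry)
```

The runtime service account here holds mail.send, and the agent never gets it, because neither Suzy nor the task brought it. That is the difference between the NHI habit (the agent inherits whatever the service account has) and the NDI rule (the agent gets what the task declared, and only if both the human and the runtime are allowed to grant it). In a real deployment the grant would be a short-lived token the agent presents to each downstream system, and the audit log would go to your SIEM, but the shape of the check does not change.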
On the 34%
One number from the Strata research deserves a second look. 34% of security teams have a dedicated budget line for agent governance. The industry press will read that as a sign of serious investment.
Read it the other way.
66% do not. Two-thirds of organizations are deploying or piloting agentic AI in 2026 without a specific budget for governing it. Three years ago that was defensible. Even in the 2025 planning cycle, you could make a case that the technology was too new to budget against. That window has closed. Running agentic AI in production on a budget that does not include agent identity, audit, and governance is not caution. It is a decision to become the cautionary tale someone else cites next year.
The Honest Summary
We did this to ourselves. Two decades of over-provisioning, of we all need admin, of deferring identity work because the workloads were deterministic enough to let us get away with it. The workloads are not deterministic anymore.
AI agents are a new category of principal. They deserve a new name. Non-deterministic identity. NDI. Use the term inside your organization until the industry catches up, because the word shapes the program. If your team keeps thinking of agents as NHIs, they will govern them like NHIs. And the agents will not behave like NHIs.
Google named the control plane. Fine. Now go fix the identity layer underneath it.
Starting today.
Sources
- The AI Agent Identity Crisis (Strata research)
- AI Agent Governance Framework Gap (Cloud Security Alliance)
- Google Cloud Next 2026 preview: The real story isn't AI, it's the control plane (SiliconANGLE)
- The CISO's Guide to Google Cloud Next 2026 (Foresite)
- The Looming Authorization Crisis: Why Traditional IAM Fails Agentic AI (ISACA)
- Global Cybersecurity Outlook 2026 (World Economic Forum)