
However, said Randall, “this framing overlooks that these identities are operationally different. While both authenticate and authorize, the tooling, telemetry, RACI, and risk models differ. A single ‘identity plane’ may be the goal conceptually, but practically, it’s hard to implement across those divergent ecosystems.”
The second element is, he said, “the stark claim that non-human identities now outnumber human users by around 82:1. As organizations start developing more AI agents (especially if individuals have free rein to develop their own copilots or GPTs), the attack surface drastically increases.”
Randall noted, “each copilot or GPT can hold API keys, OAuth tokens, or delegated permissions (for example, ‘read SharePoint docs, query CRM data, send emails’). This is certainly where I think organizations need to be concerned: the gap between agentic AI rollout and AI governance grows increasingly wider.”
