CSA and Aembit Survey: 68% of Organizations Can’t Distinguish AI Agent Actions from Human Activity
None
<p>AI agents are already deployed broadly across enterprise environments. The problem is that organizations can’t tell what they’re doing.</p><p>That’s the core finding of a new survey report released at RSAC 2026 by the Cloud Security Alliance, commissioned by Aembit. The “Identity and Access Gaps in the Age of Autonomous AI” report surveyed 228 IT and security professionals in January 2026 and found that identity governance for AI agents is, in most organizations, essentially improvised.</p><p>The headline number: 68% of organizations cannot clearly distinguish between human and AI agent activity, even as 73% expect AI agents to become vital to their operations within the next year. Eighty-five percent say AI agents are already running in production environments, across task automation (67%), research (52%), developer assistance (50%), and security monitoring (50%). In other words, these agents are doing real work inside real systems with real access, and most organizations lack the controls to attribute their actions.</p><p>The identity situation is particularly fragmented. Fifty-two percent of organizations use workload identities for agents, 43% rely on shared service accounts, and 31% allow agents to operate under human user identities. Nearly three-quarters (74%) say agents often receive more access than necessary. Seventy-nine percent believe agents create new access pathways that are difficult to monitor. Only 22% report that access frameworks are applied “very consistently” to AI agents.</p><p>Ownership is scattered too: 28% say security leads responsibility, followed by development and engineering (21%) and IT (19%). Only 9% point to IAM teams.</p><p>“AI agents are inheriting human permissions, operating under shared accounts, and expanding the attack surface in ways that existing IAM tools weren’t designed to handle,” said David Goldschlag, co-founder and CEO of Aembit. “Agentic autonomy without identity-level access controls is a risk organizations can’t afford to ignore.”</p><p>Hillary Baron, AVP of Research at CSA, added that existing IAM approaches “were not designed for autonomous agents and are showing strain as deployments scale.”</p><p>The full report is available from the Cloud Security Alliance. Aembit is a non-human identity and access management platform backed by $45 million in total funding.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/csa-and-aembit-survey-68-of-organizations-cant-distinguish-ai-agent-actions-from-human-activity/" data-a2a-title="CSA and Aembit Survey: 68% of Organizations Can’t Distinguish AI Agent Actions from Human Activity"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcsa-and-aembit-survey-68-of-organizations-cant-distinguish-ai-agent-actions-from-human-activity%2F&linkname=CSA%20and%20Aembit%20Survey%3A%2068%25%20of%20Organizations%20Can%E2%80%99t%20Distinguish%20AI%20Agent%20Actions%20from%20Human%20Activity" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcsa-and-aembit-survey-68-of-organizations-cant-distinguish-ai-agent-actions-from-human-activity%2F&linkname=CSA%20and%20Aembit%20Survey%3A%2068%25%20of%20Organizations%20Can%E2%80%99t%20Distinguish%20AI%20Agent%20Actions%20from%20Human%20Activity" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcsa-and-aembit-survey-68-of-organizations-cant-distinguish-ai-agent-actions-from-human-activity%2F&linkname=CSA%20and%20Aembit%20Survey%3A%2068%25%20of%20Organizations%20Can%E2%80%99t%20Distinguish%20AI%20Agent%20Actions%20from%20Human%20Activity" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcsa-and-aembit-survey-68-of-organizations-cant-distinguish-ai-agent-actions-from-human-activity%2F&linkname=CSA%20and%20Aembit%20Survey%3A%2068%25%20of%20Organizations%20Can%E2%80%99t%20Distinguish%20AI%20Agent%20Actions%20from%20Human%20Activity" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcsa-and-aembit-survey-68-of-organizations-cant-distinguish-ai-agent-actions-from-human-activity%2F&linkname=CSA%20and%20Aembit%20Survey%3A%2068%25%20of%20Organizations%20Can%E2%80%99t%20Distinguish%20AI%20Agent%20Actions%20from%20Human%20Activity" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>