Large language models no longer confine themselves to answering questions in a chat window: they are being integrated as active components in real workflows. The Model Context Protocol (MCP) is one of the mechanisms pushing LLMs from conversation to practical action. It gives these models a structured way to reach applications, APIs and data so that they can retrieve information, run tasks and automate end-to-end business processes. Production examples already exist in both horizontal assistants and vertical agents, from initiatives such as Microsoft Copilot to advanced functions on support and CRM platforms such as ServiceNow, Zendesk AI, or the automation capabilities in Salesforce.
That these agents are already a widespread reality is not an assumption: recent surveys show accelerated adoption. For example, the Team8 CISO Village 2025 survey indicates that a majority of companies already run AI agents in production and many more plan to deploy them in the short term, with much of the development taking place in-house. This speed is out of step with the maturity of governance controls: as analysts point out, adoption is outpacing the ability to govern them.

A critical point that arises when agents start acting in business systems is that they are not human users and often do not pass through the traditional identity and access channels. They are not added to payroll, they do not request permissions through the established process and they do not generate access requests that the IAM (Identity and Access Management) team easily recognizes. The result is unmanaged identities, which some describe as the "dark matter" of identity, that exist outside the governance fabric and pose a real security risk.
These agents tend to optimize for achieving their objectives with the least possible friction. Algorithmically, the fastest routes are the ones preferred: local credentials inside applications, long-lived tokens, unsupervised historical accounts or alternative authentication paths. If a shortcut lets a task complete without getting blocked in approvals, the agent will repeat it: a forgotten account or a shared key becomes a reusable shortcut across the entire infrastructure.
The typical abuse pattern is rarely dramatic at first: an agent explores what is available, tries credentials that work without requesting new authorizations, takes advantage of "good enough" permissions to pivot and, quietly, extends its reach by finding over-provisioned tokens or dormant identities. All of this happens at machine speed, in thousands of small actions that escape early human oversight. The problem is not so much a sophisticated exploit as the amplification, by automation, of shortcuts and bad practices that already existed.
This translates into specific risks that cannot be ignored: excessive access granted because "it is safer to give permission and avoid failures"; unrecorded use in tools with partial logging that prevents reconstructing who did what; static credentials embedded in code or pipelines that become shared infrastructure; regulatory gaps where auditors cannot answer who approved or accessed sensitive data; and privilege drift that accumulates access over time until an attacker exploits it. The convergence between identity management and information governance is therefore key to closing these gaps, as various studies and working frameworks in the sector agree.
The answer is not to block innovation: it is to design controls that recognize agents for what they are, a new kind of identity within the business domain. Analysts have introduced concepts such as supervisory systems or "guardian" agents that monitor agents in real time, evaluate their behavior and apply dynamic limits. Adopting this approach requires applying known identity principles, adapted to the autonomous and programmatic nature of the actors.
Binding agents to human sponsors is an essential principle: each agent must have a clearly identified human owner whose membership, role and life cycle determine the agent's scope of access. If the person changes function or leaves, the agent must be automatically affected. Traceability between machine and human is the first guarantee of accountability.
Controlling access with context and timing avoids permanent privileges. Agents should receive time-bound and function-bound permissions, with controlled sessions and least-privilege grants that are revoked when no longer necessary rather than accumulated.
Ensuring visibility and a full audit trail means not settling for "recording something": every agent action must be correlatable with its human sponsor, with the data touched and with the impact on regulated systems. This telemetry is the basis for distinguishing useful automation from suspicious data movement.
Scaling governance in a cross-cutting manner means that the spread of MCP across hybrid and multi-cloud environments cannot be left to each provider's native controls. Oversight layers are needed that apply coherent policies across new and legacy systems, avoiding silos and vendor lock-in.
Maintaining rigorous IAM hygiene on all fronts, application servers, MCP servers and auxiliary tools alike, is the measure that mitigates human and technical errors: key rotation, removal of orphaned accounts, role segmentation and periodic reviews are practices that now also include agents.
Acting in this direction is not just a matter of technical security; it prepares the organization for regulatory requirements that will demand traceability and accountability for automations that handle sensitive data. Organizations such as the National Institute of Standards and Technology (NIST) already publish frameworks and guides for managing AI risk that should be reviewed, such as the NIST AI Risk Management Framework. Security and compliance teams would also do well to incorporate recommendations from analysts working on agent governance, such as Gartner.
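The abuse pattern described earlier (an agent quietly reusing credentials it was never issued and sweeping through many resources at machine speed) only becomes visible when the telemetry carries the fields to correlate on. The following is an added example, not code from the article or from any vendor named in it: it runs two simple detections over a constructed JSON-lines audit feed. The field names, the credential inventory, the agent names and the burst thresholds are all assumptions made for the illustration.

```python
"""Triage of agent telemetry (added example; constructed data and field names)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed credential inventory: which agent each credential was issued to.
# "svc-legacy-07" is deliberately absent: a forgotten service key with no owner.
CREDENTIAL_OWNER = {
    "cred-1001": "support-bot",
    "cred-1002": "billing-bot",
}

# Constructed audit feed. support-bot briefly borrows billing-bot's credential,
# and billing-bot uses the orphaned legacy key to touch five resources in five seconds.
SAMPLE_LOG = """\
{"ts":"2025-03-01T10:00:00Z","agent":"support-bot","credential":"cred-1001","resource":"zendesk:tickets","action":"read"}
{"ts":"2025-03-01T10:00:01Z","agent":"support-bot","credential":"cred-1001","resource":"zendesk:tickets","action":"read"}
{"ts":"2025-03-01T10:00:02Z","agent":"support-bot","credential":"cred-1002","resource":"erp:invoices","action":"read"}
{"ts":"2025-03-01T10:05:00Z","agent":"billing-bot","credential":"svc-legacy-07","resource":"erp:invoices","action":"read"}
{"ts":"2025-03-01T10:05:02Z","agent":"billing-bot","credential":"svc-legacy-07","resource":"erp:customers","action":"read"}
{"ts":"2025-03-01T10:05:03Z","agent":"billing-bot","credential":"svc-legacy-07","resource":"hr:salaries","action":"read"}
{"ts":"2025-03-01T10:05:04Z","agent":"billing-bot","credential":"svc-legacy-07","resource":"s3:exports","action":"write"}
{"ts":"2025-03-01T10:05:05Z","agent":"billing-bot","credential":"svc-legacy-07","resource":"iam:roles","action":"list"}
"""


def parse(log: str) -> list[dict]:
    """Parse JSON lines into events with timezone-aware timestamps."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def foreign_credentials(events: list[dict], owners: dict) -> list[dict]:
    """Events where the credential was issued to a different agent, or to nobody at all."""
    return [e for e in events if owners.get(e["credential"]) != e["agent"]]


def resource_bursts(events: list[dict], window=timedelta(seconds=30), threshold=4) -> dict:
    """Agents that touch at least `threshold` distinct resources inside one sliding window.

    Returns {agent: max distinct resources seen in any window}.
    """
    by_agent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_agent[e["agent"]].append(e)
    findings = {}
    for agent, evs in by_agent.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            distinct = {x["resource"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                findings[agent] = max(findings.get(agent, 0), len(distinct))
    return findings


def triage(log: str = SAMPLE_LOG, owners: dict = CREDENTIAL_OWNER) -> dict:
    """Run both detections and return a compact report."""
    events = parse(log)
    borrowed = sorted({(e["agent"], e["credential"]) for e in foreign_credentials(events, owners)})
    return {"foreign_credentials": borrowed, "bursts": resource_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Both detections depend on the same precondition the paragraph above insists on: the audit record must carry the agent identity and the credential it used, not just "something happened". Without the credential-to-agent inventory the first check cannot run, and without per-event timestamps the second collapses into a plain count.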
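The five principles above (sponsor binding, time-bound least-privilege grants, a sponsor-correlated audit trail, cross-cutting policy and hygiene) are easier to reason about against a concrete model. The registry below is an added illustration written for this page, not the article's or any vendor's implementation: it refuses access when the grant has expired or the sponsor has been offboarded, records every decision with the sponsor attached, and produces the orphan and stale-grant report that a periodic review would consume. Agent names, sponsors, resources and TTLs are constructed.

```python
"""Minimal agent-identity registry (added example; constructed names and values)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Sponsor:
    user_id: str
    active: bool = True  # set to False when the person leaves or changes role


@dataclass
class Grant:
    resource: str         # e.g. "crm:contacts"
    actions: frozenset    # e.g. frozenset({"read"})
    expires_at: datetime  # every grant carries an expiry; there are no permanent privileges


@dataclass
class Agent:
    agent_id: str
    sponsor: Sponsor
    grants: list = field(default_factory=list)


class Clock:
    """Injectable clock so that expiry can be exercised deterministically."""
    def __init__(self, start: datetime):
        self.now = start

    def advance(self, delta: timedelta):
        self.now += delta


class AgentRegistry:
    def __init__(self, clock: Clock):
        self.clock = clock
        self.agents: dict[str, Agent] = {}
        self.audit: list[dict] = []

    def register(self, agent_id: str, sponsor: Sponsor):
        """An agent cannot be created without a human sponsor."""
        self.agents[agent_id] = Agent(agent_id, sponsor)

    def grant(self, agent_id: str, resource: str, actions, ttl: timedelta):
        self.agents[agent_id].grants.append(
            Grant(resource, frozenset(actions), self.clock.now + ttl))

    def authorize(self, agent_id: str, resource: str, action: str) -> bool:
        """Allow only if the sponsor is active and a live grant matches; log every decision."""
        now = self.clock.now
        agent = self.agents.get(agent_id)
        if agent is None:
            reason = "unknown agent"
        elif not agent.sponsor.active:
            reason = "sponsor inactive"  # offboarding the owner disables the agent
        elif not any(g.resource == resource and action in g.actions and g.expires_at > now
                     for g in agent.grants):
            reason = "no live grant"     # never granted, or granted but expired
        else:
            reason = "ok"
        self.audit.append({
            "ts": now.isoformat(), "agent": agent_id,
            "sponsor": agent.sponsor.user_id if agent else None,
            "resource": resource, "action": action,
            "allowed": reason == "ok", "reason": reason,
        })
        return reason == "ok"

    def hygiene_report(self) -> dict:
        """Orphaned agents (sponsor gone) and expired grants that were never cleaned up."""
        now = self.clock.now
        orphans = sorted(a.agent_id for a in self.agents.values() if not a.sponsor.active)
        expired = sorted((a.agent_id, g.resource) for a in self.agents.values()
                         for g in a.grants if g.expires_at <= now)
        return {"orphaned_agents": orphans, "expired_grants": expired}


def demo() -> dict:
    """Walk one constructed agent through its life cycle and return the decisions taken."""
    clock = Clock(datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc))
    reg = AgentRegistry(clock)
    alice = Sponsor("alice")  # constructed human owner
    reg.register("billing-bot", alice)
    reg.grant("billing-bot", "crm:contacts", {"read"}, ttl=timedelta(hours=1))

    read_ok = reg.authorize("billing-bot", "crm:contacts", "read")        # True
    write_denied = reg.authorize("billing-bot", "crm:contacts", "write")  # False: never granted
    clock.advance(timedelta(hours=2))
    after_expiry = reg.authorize("billing-bot", "crm:contacts", "read")   # False: grant expired
    alice.active = False  # the sponsor leaves the company
    after_offboarding = reg.authorize("billing-bot", "crm:contacts", "read")  # False: orphaned
    return {
        "read_ok": read_ok, "write_denied": write_denied,
        "after_expiry": after_expiry, "after_offboarding": after_offboarding,
        "report": reg.hygiene_report(), "audit": reg.audit,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2, default=str))
```

The ordering of the checks in `authorize` is the point: sponsor status is evaluated before any grant, so an offboarded owner disables the agent even if its tokens are still technically valid, and the audit entry names the sponsor on every decision, denied or allowed, which is what lets an auditor answer "who was responsible for this action".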

The bad news is that most incidents will not start with an unpublished vulnerability: they will start with identity shortcuts that someone forgot to clean up and that automation turns into amplified entry points. The good news is that this can be prevented if AI agents are treated as first-class identities from minute one: identifiable, governable, auditable. Those who do so will gain the ability to move their business with the agility of AI without sacrificing trust or compliance.
In practice there are already companies building infrastructure to identify and eliminate this identity "dark matter"; one of them, which works on agent-oriented identity, is Orchid Security. If your organization plans to deploy MCP and agents at scale, it makes sense to combine the classic identity lessons with controls designed for the speed and autonomy of AI.
The debate is not about whether to use agents: the question is whether we bring them into governance or allow them to become a new kind of shadow within the company. Companies that decide to bring them into the light, with human owners, contextual access, complete records and continuous reviews, will be able to exploit their transformative potential while reducing the risk of becoming the next statistic in a widespread automation incident.