
Joiner for AI Agents: The Workforce Nobody Hired

AI agents join the enterprise with no approval, no owner, and no access review. Why the Joiner workflow breaks for non-human identities, and how to fix it.

Part 1 of a four-part series on Joiner/Mover/Leaver for AI agents.


A large US enterprise you'd recognize ran an internal audit last quarter. They wanted a list of every AI agent operating inside their environment. Coding agents, copilots, chatbots, desktop automations, SOC triage bots. The audit went nowhere because no system of record could produce the list.


This is how AI agents join your organization today: quietly, at engineering speed, and with credentials issued by whoever needed them issued.


It's also your Joiner workflow broken at the front door. And it's the first blog in a four-part series on what happens when you apply the oldest discipline in identity governance to the newest class of worker. The problem shows up everywhere, but regulated industries - banks, insurers, healthcare systems, critical infrastructure operators - are where it hits first and hardest.


The Shape of the Problem


Non-human identities like service accounts, API keys, bots, and AI agents grew 44% year-over-year between H1 2024 and H1 2025, according to Entro Labs. They now outnumber human identities 144 to 1 in the average enterprise. SANS' 2026 Identity Threats & Defenses Survey found that 74% of organizations are already running AI agents or automations that require credentials. And 5% of security leaders can't confirm whether agentic AI is running in their environment at all.


Five percent doesn't sound like much until you translate it: one in twenty CISOs at a major bank can't answer the question "do you have AI agents in production." That's a visibility gap wide enough to swallow an audit finding.


That gap compounds. A SailPoint-commissioned study found 96% of technology leaders agree AI agents pose a growing security threat. Fewer can say what specifically they are doing about it.


How a Human Joins the Enterprise


The Joiner workflow for humans is boring. That's why it works.


Offer letter signed in the applicant tracking system. Workday creates the employee record on day one. SSO provisions a directory identity. SailPoint reads the HR event and assigns a role - birthright access for the job family, plus conditional access through manager approval. Every entitlement is traceable to a person, a title, and a date. Quarterly access reviews hit a manager's inbox. The framework is imperfect - rubber-stamping is real, legacy apps fall outside the API perimeter - but the skeleton is intact.


A person does not get hired by a Fortune 500 company without someone knowing.


How an AI Agent Joins the Enterprise


An engineer on the fraud team decides they need a coding agent to help ship a rules update. They provision a service account. They generate an API key. They paste the key into the CI/CD config. The agent is now authenticated into the codebase, the build pipeline, and whatever downstream systems the pipeline touches.


No offer letter. No HR record. No manager approval. No SailPoint role. No quarterly review.


A different team stands up a treasury copilot. They grant the copilot's OAuth app access to a shared mailbox and a set of SharePoint sites. A product manager clicks "Allow" on a permission scope that includes read access to every calendar the approving user can see. That permission inherits through the directory. Now the copilot has access to every meeting the approving user has ever been invited to.


No segregation of duties (SoD) check. No classification tier. No ownership record.


Multiply this across a typical enterprise engineering org, and you end up with what the OWASP Non-Human Identities Top 10 calls the NHI inventory problem: organizations cannot produce a full list of the agents they already run. That's because most enterprises still manage AI identities with legacy IAM tools and manual processes that were never designed for autonomous, high-velocity systems.


Where Joiner Fails


Every weakness in the human Joiner workflow gets amplified for agents.


Ownership is missing. Veza's 2026 State of Identity & Access Report analyzed millions of identities across enterprises and found 824,000 orphaned accounts - 8% of the total - with no human owner in HR but live entitlements still attached. Those are the ones that made it into the IGA tool. Agents provisioned through API keys and local config files often aren't in the IGA tool at all. 


Over-provisioning at birth. Veza's research also found that 0.01% of NHIs control 80% of all cloud permissions. A tiny fraction of machine identities - often agents and service accounts spun up for admin tasks and never right-sized - hold most of the cloud power in the enterprise. A human who joined with AWS root credentials would set off every alarm on the SIEM. An agent spun up with the same privileges generates a Jira ticket, at most.


No classification tier. A human is hired as a junior analyst or a managing director, and the birthright access reflects the classification. An agent is "a service account" or "an integration" regardless of whether it's triaging SOC alerts or drafting marketing copy. The risk difference between those two is several orders of magnitude, yet the entitlement difference often isn't.


No segregation of duties enforcement. A treasury copilot that can both read account data and initiate wire transfers violates SoD. A coding agent that can both write code and approve deployments to production violates SoD. These policies are already baked into every SOX program at every bank, but the enforcement engine doesn't see agents, so it doesn't fire.
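The four failures above are all visible in an entitlement inventory once it exists, so here is an added example, not code from the original post or from any vendor named in it, that runs the checks over a small constructed inventory: identities with live entitlements whose owner HR no longer recognizes (orphans), agents that were never classified, low-risk-tier agents carrying admin-grade entitlements, and how concentrated entitlement assignments are in the top identity. The identity names, HR user ids and entitlement strings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Identity:
    name: str
    kind: str                  # "human", "service_account" or "agent"
    owner: Optional[str]       # HR user id of the accountable human; None if nobody recorded one
    tier: Optional[str]        # classification tier for agents; None if never classified
    entitlements: set = field(default_factory=set)


# Constructed sample: who HR still lists as an active employee.
HR_ACTIVE = {"u.patel", "m.chen", "r.ortiz"}

# Constructed sample: what an entitlement aggregation across connected systems returned.
INVENTORY = [
    Identity("u.patel", "human", "u.patel", None, {"repo:read", "repo:write"}),
    Identity("fraud-coding-agent", "agent", "m.chen", "tier1", {"repo:write", "ci:deploy"}),
    # owner j.doe has left the company; the copilot's entitlements are still live
    Identity("treasury-copilot", "agent", "j.doe", None,
             {"mail:read", "sharepoint:read", "calendar:read"}),
    # provisioned from a config file long ago; nobody ever recorded an owner
    Identity("svc-legacy-etl", "service_account", None, None, {"db:admin"}),
    # spun up for an admin task, classified as low-risk, never right-sized
    Identity("admin-bootstrap-agent", "agent", "r.ortiz", "tier3",
             {"aws:iam:*", "aws:s3:*", "aws:ec2:*", "db:admin",
              "repo:write", "ci:deploy", "mail:read", "sharepoint:read"}),
]

# Entitlement prefixes this example treats as privileged (constructed policy).
PRIVILEGED_PREFIXES = ("aws:iam", "db:admin")


def orphaned(inventory, hr_active):
    """Identities with live entitlements but no owner that HR recognizes as active."""
    return [i.name for i in inventory
            if i.entitlements and (i.owner is None or i.owner not in hr_active)]


def unclassified_agents(inventory):
    """Agents that were never assigned a classification tier."""
    return [i.name for i in inventory if i.kind == "agent" and i.tier is None]


def privileged_low_tier(inventory, prefixes=PRIVILEGED_PREFIXES):
    """Agents classified as low-risk (tier3) that nonetheless hold privileged entitlements."""
    return [i.name for i in inventory
            if i.kind == "agent" and i.tier == "tier3"
            and any(e.startswith(prefixes) for e in i.entitlements)]


def permission_share(inventory, top_n):
    """Fraction of all entitlement assignments held by the top_n identities by count."""
    counts = sorted((len(i.entitlements) for i in inventory), reverse=True)
    total = sum(counts)
    return sum(counts[:top_n]) / total if total else 0.0


def joiner_findings(inventory=INVENTORY, hr_active=HR_ACTIVE):
    """Collect the findings an access review would want to see for this inventory."""
    return {
        "orphaned": orphaned(inventory, hr_active),
        "orphan_rate": len(orphaned(inventory, hr_active)) / len(inventory),
        "unclassified_agents": unclassified_agents(inventory),
        "privileged_low_tier": privileged_low_tier(inventory),
        "top1_permission_share": permission_share(inventory, 1),
    }


if __name__ == "__main__":
    for key, value in joiner_findings().items():
        print(f"{key}: {value}")
```

Two design points matter here. The orphan check joins against the HR source of truth rather than the IGA tool's own owner field, because an owner who has left the company is exactly the case the IGA record alone will not catch. And the tier check is deliberately coarse: a "tier3" agent holding an IAM wildcard is a classification error or a provisioning error, and either way it belongs on the review list.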


What Joiner Should Look Like for AI Agents


The fix is not novel. It's the Joiner workflow humans already have, extended.


Agent as first-class identity object. A distinct identity type with its own metadata, including owning team, purpose, deploying platform, classification tier, and lifecycle state. It should be registered before credentials are issued and discoverable by the IGA tool.


Approval workflow at provisioning. Every agent needs a named human owner who signs off before the credential is ever minted. If no human will own it, it shouldn't run. Anthropic, AWS, Microsoft, Salesforce, and ServiceNow all ship agent platforms today. Every one of those platforms needs to plug into the approval pipeline at the front door.


Birthright definition by classification. Tier-1 agents (customer-facing, touching production systems) get the strictest birthright - short-lived credentials, least-privileged scoped access, mandatory SoD check, monitored from day one. Tier-3 agents (internal, low-risk) get a lighter-weight path. The tiering already exists for humans, and we should be extending it to agents.


Entitlement aggregation from day one. Just as SailPoint aggregates human entitlements from connected applications, banks need continuous, automated aggregation of agent entitlements, not self-reported. What can this agent do, on which systems, at what level.


SoD policy at provisioning. The SOX controls that apply to humans apply to agents. Check before the agent is live, not during the next audit cycle.
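The five elements above describe one gate that runs before a credential is minted. As an added example, not code from the original post or from any of the platforms it names, here is that gate in Python: an agent registration object carrying owner, purpose, platform, tier and requested scopes; a check that a named, currently employed human has approved it; a tier-based birthright policy applied to the credential; and the two SoD conflicts from the post checked before issuance. The tier values, credential lifetimes, scope names and the SoD rule list are constructed for illustration and stand in for whatever an organization's own policy says.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Tier(Enum):
    TIER1 = 1   # customer-facing or touching production systems
    TIER2 = 2
    TIER3 = 3   # internal, low-risk


# Birthright per tier (constructed values; credential TTL in hours).
BIRTHRIGHT = {
    Tier.TIER1: {"credential_ttl_hours": 1,   "monitor_from_day_one": True},
    Tier.TIER2: {"credential_ttl_hours": 24,  "monitor_from_day_one": True},
    Tier.TIER3: {"credential_ttl_hours": 168, "monitor_from_day_one": False},
}

# Toxic scope combinations, mirroring the SoD examples in the post (constructed scope names).
SOD_RULES = [
    ({"account:read", "wire:initiate"}, "reads account data and can initiate wire transfers"),
    ({"repo:write", "deploy:approve"}, "writes code and can approve production deployments"),
]


@dataclass
class AgentRegistration:
    """The first-class identity object, registered before any credential exists."""
    name: str
    owner: Optional[str]          # named human accountable for the agent
    purpose: str
    platform: str                 # deploying platform, recorded for discoverability
    tier: Optional[Tier]
    requested_scopes: set = field(default_factory=set)


@dataclass
class Decision:
    approved: bool
    reasons: list                 # why provisioning was refused; empty if approved
    credential_policy: Optional[dict]   # birthright applied when approved


def sod_violations(scopes):
    """Return the description of every SoD rule the requested scopes would violate."""
    return [why for combo, why in SOD_RULES if combo <= scopes]


def admit(reg, approvals, active_humans):
    """Decide whether a credential may be minted for this registration.

    approvals maps agent name -> set of humans who signed off;
    active_humans is the set of user ids HR currently lists as employed.
    """
    reasons = []
    if not reg.owner:
        reasons.append("no named human owner")
    elif reg.owner not in active_humans:
        reasons.append(f"owner {reg.owner} is not an active employee in HR")
    elif reg.owner not in approvals.get(reg.name, set()):
        reasons.append(f"owner {reg.owner} has not approved provisioning")
    if reg.tier is None:
        reasons.append("no classification tier assigned")
    for why in sod_violations(reg.requested_scopes):
        reasons.append(f"SoD violation: {why}")
    if reasons:
        return Decision(False, reasons, None)
    policy = dict(BIRTHRIGHT[reg.tier])
    policy["scopes"] = sorted(reg.requested_scopes)   # least privilege: only what was requested
    return Decision(True, [], policy)


# Constructed sample inputs.
HR_ACTIVE = {"m.chen", "r.ortiz"}
APPROVALS = {"fraud-coding-agent": {"m.chen"}, "treasury-copilot": {"r.ortiz"}}
REGISTRATIONS = [
    AgentRegistration("fraud-coding-agent", "m.chen", "draft fraud rule updates",
                      "ci-platform", Tier.TIER1, {"repo:write", "ci:run"}),
    AgentRegistration("treasury-copilot", "r.ortiz", "summarize treasury mailbox",
                      "copilot-platform", Tier.TIER1,
                      {"account:read", "wire:initiate", "mail:read"}),
    AgentRegistration("shadow-agent", None, "unknown", "laptop", None, {"repo:read"}),
]


def run_gate(registrations=REGISTRATIONS, approvals=APPROVALS, active=HR_ACTIVE):
    """Evaluate every registration and return name -> Decision."""
    return {r.name: admit(r, approvals, active) for r in registrations}


if __name__ == "__main__":
    for name, d in run_gate().items():
        print(name, "APPROVED" if d.approved else "REFUSED", d.reasons or d.credential_policy)
```

The ordering inside admit is the point: owner existence, owner employment and owner sign-off are checked before anything about scopes, and every failing condition is recorded rather than returning at the first one, so the rejection a requesting engineer sees lists everything they must fix in one round trip. A real deployment would call admit from the platform's provisioning hook and persist the Decision as the audit record.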


The Regulatory Window


Regulators are circling but haven't landed. The OCC's April 2026 revised Model Risk Management guidance stated that generative and agentic AI models are novel and rapidly evolving and therefore outside the scope of the current guidance, and flagged that an RFI specifically on banks' use of AI, including agentic AI, is coming. DORA covers ICT third-party risk, which includes AI service providers. SOX controls on system access don't distinguish between human and artificial actors. The EU AI Act is already live for high-risk systems, and sector-specific guidance in healthcare, insurance, and critical infrastructure is on the same trajectory.


When the RFIs land, the questions will be familiar. Show us your inventory. Show us who approved access. Show us the review cadence. Show us segregation of duties enforcement. Show us decommissioning.


No enterprise can answer those questions today for AI agents. The ones that can in twenty-four months will define the framework regulators codify.


Joiner is the easy part. It happens once. The hard part is what happens after, when the agent's scope expands, when the model updates, or when the vendor ships a new capability.


That's Mover. Part 2 next.