Mover for AI Agents: The Promotion Nobody Approved
AI agents gain new access constantly with no review firing. How privilege creep and shady vendors break the Mover workflow for non-human identities.
Part 2 of a four-part series on Joiner/Mover/Leaver for AI Agents.
Here is a story that actually happened. An enterprise customer of Nudge Security ran a report on their organization and discovered 800 new AI notetaker accounts had been created in the prior 90 days, nearly double the total created across the previous several years combined. The app hadn't been formally approved. Nobody in security had seen it coming. It had spread through the company virally.
The notetaker used what Nudge called a "dark pattern": when one employee shared a call recording with a colleague, the app required the colleague to sign up before they could view it. Signing up triggered an OAuth consent screen requesting access to every calendar the new user could see. One click, and the Agent added itself to every meeting going forward. Then those meetings got shared, resulting in more sign-ups, more calendar access, and silent compounding growth.
The Agent's access moved laterally, across departments, into meetings it was never authorized to attend. One Reddit user shared the downstream consequence: during a job interview, an Otter.ai notetaker joined without the candidate's knowledge, recorded the conversation, and automatically emailed the transcript to every interviewer. The candidate said she lost the opportunity.
The class-action lawsuit landed against Otter.ai in August 2025. It alleged violations of federal and California wiretap laws, plus using recorded conversations to train the vendor's AI models. By then, the Agent had already moved inside thousands of organizations.
This is Mover for AI Agents. It is the second post in a four-part series on applying the JML framework to a workforce that was never supposed to need one.
The Human Mover Workflow Still Sort of Works
A human transfers from commercial lending to treasury, and Workday fires an event. The new manager certifies new access requests. Old access is flagged for removal. A quarterly access review catches what slips through. It's neither elegant nor real-time, but the framework exists, and in a regulated environment, it has to clear an audit.
The weakness is well-documented. SailPoint's own customer success content acknowledges that certification fatigue drives rubber-stamp approval. Reviewers facing hundreds or thousands of line items click approve because they can't realistically evaluate each one. Managers with ten direct reports across two hundred applications end up with thousands of entitlements to review. Rubber-stamping becomes the path of least resistance.
But even with rubber-stamping, human Mover has one thing going for it: the review happens. Someone at least touches the record.
Mover for AI Agents: The Review Doesn't Happen at All
There is no Workday event when an Agent gets promoted. There is no HR trigger when a copilot's OAuth app requests new scopes. There is no access review when an engineer wires an existing Agent into a new tool. There is no certification when the vendor pushes a model update that expands the Agent's capabilities.
Every one of these is a Mover event, yet none of them fires a review because the mechanics of Agent Mover are invisible by design:
Feature expansion. A vendor ships a new version of their copilot. The new version needs an expanded OAuth scope. A user clicks "Accept" on the permission screen. The Agent just got promoted.
Tool wiring. An engineer hooks an existing coding Agent into the production database for a new use case. The service account adds a new role. No request, no approval, no aggregation back into the IGA layer.
Model swap. The platform provider updates the underlying model. Capabilities and failure modes change. The governance record says the Agent is unchanged.
Scope drift. The Agent is granted temporary access for a project, and the access never gets removed when the project ends. It’s classic privilege creep, but on an engineering timescale rather than an HR timescale.
Only 12% of organizations report automated lifecycle management for machine identities. For the other 88%, when an Agent's role changes, the change isn't tracked automatically.
Nobody files the ticket.
The Shady Vendor Problem
Mover gets more interesting when the promotion isn't of the Agent itself. Changes in the vendor behind the Agent are where the framework really breaks.
Imagine you approved a notetaker vendor six months ago. The product and contracts were fine. Today, that vendor gets sued for recording conversations without all-party consent and training its models on the recordings. Or a security researcher publishes a vulnerability in the vendor's OAuth implementation. Or the vendor gets acquired by a company with a worse data handling posture.
What do you do?
If a human employee gets caught committing fraud, HR has an emergency termination workflow. IT can revoke all access in minutes. The muscle memory is there.
The equivalent for an AI Agent vendor looks like a series of unanswerable questions:
- Can you produce a complete list of every system, mailbox, calendar, SharePoint site, and codebase the vendor's Agent is integrated with?
- Can you revoke all OAuth grants for that vendor across every employee in a single action?
- Do you know which employees authorized which scopes, so you can notify them and audit what was exposed?
- Can you verify (not take the vendor's word for it) that cached data has been deleted?
- Can you confirm that no backdoor service accounts or API keys remain after the OAuth revocation?
The answers at most enterprises today, honestly, are: no, no, partially, no, and no.
This is what the Otter.ai class action exposed, even before any court ruling. The companies with Otter integrations in late 2025 couldn't tell their employees what had been recorded, what had been used for training, or what still lived in the vendor's environment after they tried to revoke access. The review that Mover is supposed to catalyze, the moment where somebody asks "should this Agent still have this access, given what we know now," never happened. The inventory to support that question never existed.
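As an added example (not code from this post, from Opnova, from Nudge Security, or from any vendor named here), the following Python models the inventory those five questions presuppose: OAuth grants and non-OAuth credentials keyed by vendor, with functions that list every system a vendor's Agent reaches, revoke all of that vendor's grants in one action, report which employee authorized which scopes, and surface the service accounts and API keys that survive an OAuth revocation. Every vendor, user, system and credential record is constructed sample data; the scope names are Microsoft Graph scope names used only for illustration. The fourth question, verifying that the vendor actually deleted cached data, cannot be answered from any inventory and is deliberately not modeled.

```python
"""Vendor-wide inventory and revocation check for AI-Agent grants.

Added example; not Opnova's, Nudge Security's or any vendor's code. All
records below are constructed. In practice the grants come from the identity
provider's OAuth consent export and the credentials from the IGA inventory
of service accounts and API keys.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Grant:
    vendor: str          # vendor behind the Agent
    user: str            # employee who clicked "Accept" on the consent screen
    system: str          # resource the grant reaches (mailbox, calendar, ...)
    scopes: frozenset    # OAuth scopes requested on the consent screen
    active: bool = True


@dataclass
class Credential:
    """Non-OAuth credential (service account or API key) tied to a vendor."""
    vendor: str
    kind: str            # "service_account" or "api_key"
    system: str
    active: bool = True


@dataclass
class Inventory:
    grants: list = field(default_factory=list)
    credentials: list = field(default_factory=list)

    def systems_for_vendor(self, vendor):
        """Q1: every system the vendor's Agent is currently integrated with."""
        systems = {g.system for g in self.grants if g.vendor == vendor and g.active}
        systems |= {c.system for c in self.credentials if c.vendor == vendor and c.active}
        return sorted(systems)

    def authorizations_for_vendor(self, vendor):
        """Q3: which employees authorized which scopes (for notification and audit)."""
        by_user = defaultdict(set)
        for g in self.grants:
            if g.vendor == vendor and g.active:
                by_user[g.user] |= g.scopes
        return {u: sorted(s) for u, s in by_user.items()}

    def revoke_vendor(self, vendor):
        """Q2: revoke every OAuth grant for the vendor in a single action."""
        revoked = 0
        for g in self.grants:
            if g.vendor == vendor and g.active:
                g.active = False
                revoked += 1
        return revoked

    def residual_credentials(self, vendor):
        """Q5: service accounts and API keys that survive the OAuth revocation."""
        return [c for c in self.credentials if c.vendor == vendor and c.active]


def build_sample_inventory():
    """Constructed sample: a notetaker that spread through calendar consent."""
    inv = Inventory()
    inv.grants += [
        Grant("notetaker-vendor", "alice", "calendar:alice",
              frozenset({"Calendars.Read", "OnlineMeetings.Read"})),
        Grant("notetaker-vendor", "bob", "calendar:bob", frozenset({"Calendars.Read"})),
        Grant("notetaker-vendor", "bob", "mailbox:bob", frozenset({"Mail.Send"})),
        Grant("chat-copilot", "alice", "sharepoint:finance", frozenset({"Sites.Read.All"})),
    ]
    # A recording-export API key issued outside OAuth: the classic leftover.
    inv.credentials.append(Credential("notetaker-vendor", "api_key", "recording-export"))
    return inv


def vendor_offboarding_report(inv, vendor):
    """Answer the inventory questions, revoke, and report what is left behind."""
    systems_before = inv.systems_for_vendor(vendor)
    authorizations = inv.authorizations_for_vendor(vendor)
    revoked = inv.revoke_vendor(vendor)
    residual = inv.residual_credentials(vendor)
    return {
        "systems_before": systems_before,
        "authorizations": authorizations,
        "grants_revoked": revoked,
        "residual_credentials": [(c.kind, c.system) for c in residual],
        "systems_after": inv.systems_for_vendor(vendor),
    }


if __name__ == "__main__":
    report = vendor_offboarding_report(build_sample_inventory(), "notetaker-vendor")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The point of the `systems_after` field is the one most offboarding runbooks miss: after the "revoke all" action the vendor still reaches `recording-export` through an API key, which is exactly the residual access question five asks about.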
Why Agent Mover Is Harder Than Human Mover
There are four structural reasons worth naming:
- No natural trigger event. HR systems produce Mover events: transfer, promotion, department change. Engineering systems don't. An Agent's scope expands inside a pull request, not inside Workday.
- No shedding. Humans forget they have access and stop using old entitlements; Agents don't. A config file from two years ago still authenticates. Privilege creep for humans is passive; for Agents it's permanent.
- Engineering timescales, not HR timescales. Human Mover cycles on quarters; Agent Mover cycles on sprints. A quarterly access review is physically incapable of keeping up.
- Vendor-initiated changes. A human employee doesn't unilaterally expand their own access. An AI vendor can push a software update overnight that expands its Agent's capabilities across every customer simultaneously. The trigger for the review lives outside the enterprise.
What This Looks Like From Inside an Agent Company
At Opnova, we build AI agents that work across the same systems your employees do - browsers, desktop apps, internal tools nobody has gotten around to putting an API in front of. From that vantage point, the Mover problem the industry is debating today is the easy version. Notetakers and chat copilots live inside narrow OAuth boundaries: a finite set of scopes, one provider, one revoke button (in theory). The agents enterprises are deploying next - the ones doing work, not just summarizing it - accumulate permissions across systems that were never designed to be reconciled. A single agent might hold a Salesforce session, a database credential, an RPA service account, and an OAuth grant into Microsoft 365, all attached to the same logical identity but represented in four different systems that don't talk to each other.
Such an agent's "promotion" isn't a scope change anymore. It's a quiet expansion of the union of everything the Agent can do, and no IGA tool on the market today can render that union as a single sentence - let alone a single review. The Mover conversation we're having in 2026 will look quaint in eighteen months. Today's debate is whether OAuth scopes get reviewed quarterly or in real time.
This is the question we keep coming back to: can anyone in the org describe, on any given Tuesday, what a given Agent is currently capable of doing if instructed? We don't have a clean answer yet. We're not sure anyone does. But we're convinced it's the question the industry should be organizing around.
What Mover Should Look Like for AI Agents
The fix is to have reviews fire on events instead of calendars. For example:
- Model updated by vendor → recertify the Agent's entitlements against current capability.
- OAuth scope expansion requested → route to the original approver, not the individual user.
- New system wired into existing Agent → trigger SoD check, trigger classification review.
- Vendor security posture changes → automatic escalation and access freeze pending review.
- Agent dormancy detected → automated right-sizing or decommission path.
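To make the event-to-review mapping concrete, here is an added Python example (not code from this post or from Opnova, SailPoint, or AWS) that turns each of the five Mover events above into the review action it should fire. It keeps an Agent record with its certified union of entitlements and its approver of record, routes only the scope delta to that approver, records a newly wired entitlement and checks it against a constructed SoD conflict table and a data-classification rule, freezes the Agent on a vendor posture change before anyone reviews it, and opens a decommission path on dormancy. The Agent identifier, approver names, entitlement strings, event shapes, conflict pairs and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Event-driven Mover review for AI Agents.

Added example; not code from the page or from any vendor it names. The Agent
record, event shapes, approver names, SoD conflict pairs and dormancy threshold
are constructed. In practice handle_event() would be fed from the identity
provider's consent log, the CI system and the vendor's release feed.
"""
from dataclasses import dataclass, field

DORMANCY_DAYS = 90  # constructed threshold for "Agent dormancy detected"

# Constructed SoD conflict pairs; a real IGA layer holds these as policy.
SOD_CONFLICTS = [
    frozenset({"payments:initiate", "payments:approve"}),
    frozenset({"vendor:create", "payments:approve"}),
]


@dataclass
class AgentRecord:
    agent_id: str
    vendor: str
    approver_of_record: str                          # who approved the Agent at Joiner
    entitlements: set = field(default_factory=set)   # certified union across systems
    model_version: str = "v1"
    frozen: bool = False


@dataclass
class ReviewAction:
    agent_id: str
    kind: str        # which review fires
    route_to: str    # who has to act on it
    detail: str


def sod_violations(entitlements, involving=None):
    """Conflict pairs fully present in the entitlement set; optionally only
    those that include one given entitlement (the one just added)."""
    return [sorted(p) for p in SOD_CONFLICTS
            if p <= entitlements and (involving is None or involving in p)]


def handle_event(agent, event):
    """Map one Mover event to the review actions a calendar-driven review never fires."""
    actions = []
    kind = event["type"]
    if kind == "model_updated":
        # The vendor changed the model, so capabilities changed: recertify everything.
        agent.model_version = event["version"]
        actions.append(ReviewAction(agent.agent_id, "recertify_entitlements",
                                    agent.approver_of_record,
                                    f"model now {event['version']}; recertify {sorted(agent.entitlements)}"))
    elif kind == "scope_expansion_requested":
        # Only the delta needs a decision, and it goes to the approver of record,
        # not to whichever user happens to be looking at the consent screen.
        delta = set(event["scopes"]) - agent.entitlements
        if delta:
            actions.append(ReviewAction(agent.agent_id, "approve_scope_delta",
                                        agent.approver_of_record, f"requested new scopes {sorted(delta)}"))
    elif kind == "system_wired":
        # Engineering already wired it in; governance catches up by recording the
        # entitlement, then running the SoD check and the classification review.
        new = event["entitlement"]
        agent.entitlements.add(new)
        for pair in sod_violations(agent.entitlements, involving=new):
            actions.append(ReviewAction(agent.agent_id, "sod_violation",
                                        agent.approver_of_record, f"{pair[0]} conflicts with {pair[1]}"))
        if event.get("classification") in {"confidential", "restricted"}:
            actions.append(ReviewAction(agent.agent_id, "classification_review",
                                        "data-governance", f"{new} touches {event['classification']} data"))
    elif kind == "vendor_posture_changed":
        # The trigger lives outside the enterprise: freeze first, review second.
        agent.frozen = True
        actions.append(ReviewAction(agent.agent_id, "freeze_and_escalate",
                                    "security-oncall", event["reason"]))
    elif kind == "dormancy_detected":
        if event["idle_days"] >= DORMANCY_DAYS:
            actions.append(ReviewAction(agent.agent_id, "decommission_candidate",
                                        agent.approver_of_record, f"idle {event['idle_days']} days"))
    return actions


def run_scenario():
    """Constructed sequence of Mover events for one finance Agent."""
    agent = AgentRecord("agent-finops-01", "copilot-vendor", "approver:jane",
                        {"payments:initiate", "calendar:read"})
    events = [
        {"type": "model_updated", "version": "v2"},
        {"type": "scope_expansion_requested", "scopes": ["calendar:read", "mail:send"]},
        {"type": "scope_expansion_requested", "scopes": ["calendar:read"]},  # nothing new: no review
        {"type": "system_wired", "entitlement": "payments:approve", "classification": "restricted"},
        {"type": "vendor_posture_changed", "reason": "class action filed against vendor"},
        {"type": "dormancy_detected", "idle_days": 120},
    ]
    actions = []
    for ev in events:
        actions.extend(handle_event(agent, ev))
    return agent, actions


if __name__ == "__main__":
    _, acts = run_scenario()
    for a in acts:
        print(f"{a.kind:24} -> {a.route_to:18} {a.detail}")
```

Two design choices carry the argument of this section: the scope-expansion handler is silent when the requested scopes are already certified, so the approver of record sees only genuine promotions, and the vendor posture handler freezes before it escalates, because that trigger arrives on the vendor's schedule rather than the enterprise's.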
SailPoint announced in March 2026 that it's moving toward real-time governance for AI identities, with a next-generation certification engine and a rebuilt Separation of Duties layer shipping in the second half of this year. AWS signed a strategic collaboration to extend that model across Agentic workloads on Bedrock. They opted for continuous, event-driven, automated processes over quarterly, manual, rubber-stamped ones.
But real-time governance only works if the underlying identity graph is complete. If the Agent lives in an application that doesn't expose a native API for entitlement aggregation, the review can't fire because the data doesn't exist. Most enterprise portfolios contain dozens of such apps. The Mover gap for Agents is a superset of the disconnected-apps gap that already plagues human IGA today.
Which brings us to the next part of this series. If Joiner and Mover are broken, Leaver is catastrophic. Agents don't quit, and most enterprises have no process for firing them.
That's Leaver. Part 3 next.