
Modern enterprises are rapidly adopting agentic artificial intelligence (AI), but governance is failing to keep pace with the technology's growing capabilities and risks, according to Eric Kong, Group Vice President for ASEAN at SailPoint.
Kong said AI agents are no longer experimental tools but autonomous systems already operating inside enterprises. Unlike traditional software that follows predefined logic, AI agents reason through tasks independently, making their behavior less predictable once deployed.
He noted that the rapid expansion of AI investment is accelerating the challenge. Across the Asia-Pacific region, IDC projects AI and generative AI spending to reach $175 billion by 2028, with agentic systems accounting for an increasing share of that investment.
According to Kong, AI agents rely on machine identities such as service accounts, API tokens, and system credentials to access enterprise applications and data. However, governance of these non-human identities remains one of the least mature areas of identity and access management despite their growing importance.
He cited Gartner's assessment that machine identity access management is among the least developed aspects of enterprise IAM programs, even as machine identities now outnumber human users. Yet, most organizations continue to define only human identities as privileged accounts.
Kong said over-permissioning remains the most common security weakness, with AI agents frequently receiving broader system access than necessary because organizations prioritize functionality over restrictions and purpose-built governance tools are still evolving.
He added that while 77 percent of organizations rely on existing IAM platforms to monitor machine identities, only 2 percent have deployed dedicated non-human identity security tools.
The consequences are already becoming evident, he said, pointing to research showing that 80 percent of organizations have experienced AI agents performing unintended actions, including accessing or sharing sensitive information.
Kong warned that the bigger concern is the gap between confidence and actual governance capability. While many technology leaders believe they can manage AI risks, organizations often lack clear accountability over what AI agents can access and the decisions they influence.
As AI systems become more autonomous and multi-agent architectures continue to expand, he said the risks will increase, particularly when agents interact with systems beyond an organization's direct control.
To address these challenges, Kong said organizations should treat every AI agent as a distinct identity with clearly defined ownership, limited access privileges, and continuous oversight throughout its lifecycle. He also stressed the need for continuous monitoring instead of relying solely on periodic audits.
Kong said SailPoint is advancing what it calls an "Agentic Fabric," an identity-first governance framework designed to discover, govern, and continuously monitor AI agent identities across both commercial and custom-built AI environments.
"The productivity case for AI agents is real. So is the risk. What determines which side dominates is not the sophistication of the agent — it is the quality of the governance built around it," Kong said.