MICKAI
Article · 4 July 2026

92 Percent of Security Leaders Cannot See Their AI Identities. That Is a Governance Emergency

A 2026 survey exposes an agent-identity blind spot that is really an audit gap, and why the per-action signed record only holds inside owned walls

Author: Micky Irons
Published: 4 July 2026
Tags: AI governance, agent identity, audit, CISO, signed attestation


Ask a room of CISOs how many human employees they can name, deprovision, and audit on demand, and nearly every hand goes up. Ask the same room how many of the AI identities running inside their estate they can see in full, and the room goes quiet. A 2026 survey of 235 large-enterprise security leaders put a number on that silence: 92 percent lack full visibility into their AI identities. Eighty-six percent do not enforce access policies for them. Seventy-one percent say AI already reaches into core ERP, CRM, and financial systems. And only 16 percent believe they govern that access effectively.

We build for regulated organisations, and we read those figures as one thing above all others. This is not primarily an access-control gap. It is an audit gap. And an audit gap is a governance emergency wearing a convenience costume.

The blind spot is an audit problem before it is an access problem

Most of the coverage of these numbers reaches for the obvious lever: tighten access, enforce least privilege for agents the way you do for people. That is correct and it is not enough. Access policy tells you what an identity is allowed to do. It does not tell you, after the fact, what it actually did, in what order, on whose authority, against which record. When an agent with standing access to your general ledger posts a journal entry at 03:14, the question your auditor, your regulator, and your board will ask is not "was it permitted." It is "prove exactly what happened, and prove the proof has not been altered."

That is the layer 92 percent of the market cannot produce. Human identities leave a reviewable trail because decades of tooling grew up around them: SIEM, IAM, privileged-access logs, ticket references. AI identities were bolted onto that world at machine speed and machine volume, and the trail thinned out to almost nothing. You end up with an actor that can touch financial systems, act thousands of times an hour, and leave behind a log you cannot fully attribute or fully trust.

Why the usual logging does not close it

Enterprises are not doing nothing. They have application logs, cloud audit trails, model-gateway records. The problem is that these records are descriptive, not evidential. A conventional log says an event was written; it does not, by itself, prove who authorised the action, that the record is complete, or that no one with database access edited it afterward. In a shared third-party environment the person able to alter the log may be someone you cannot see and cannot vet.

This is the residual-risk line that our founder keeps returning to, because it is the part conventional controls cannot answer:

> "If you are a multibillion-dollar company running on Anthropic or OpenAI, and your direct competitor of comparable scale sits on the same vendor stack, what stops them paying a vendor insider to leak your data, your tactics, your leads, your sales strategy? Inside a third-party cloud, there is no safeguard you can verify from the outside. The only answer is a sovereign system where you hold the keys, with no third-party cloud data path."
>
> Micky Irons, founder and CEO, Mickai LTD.

SOC 2 and ISO 27001 attestations describe a provider's controls. They do not hand a multibillion-pound customer a verifiable answer to "what stops your engineer, or a rival's money, from touching my agent's audit record." That is not an argument against hyperscalers, whose products remain valuable for most workloads. It is a boundary: for the slice of activity where an AI identity acts on regulated, competitive, or financially material data, the safeguard has to be one the operator can verify from the inside.


The missing layer: a signed record on every action

The fix we designed for is not a better dashboard. It is a per-action, cryptographically-signed audit record, generated at the moment the AI identity acts and bound to that action so it cannot be silently altered afterward. Every step an agent takes, the read, the tool call, the write, the approval it relied on, produces its own signed attestation. The record is tamper-evident by construction: change one entry and the signature no longer verifies.

That turns the 92 percent blind spot into something a governance function can actually stand behind. You move from "we log agent activity" to "we can produce a verifiable, non-repudiable account of every action any AI identity took, and demonstrate the account is intact." That is the difference between a story and evidence. It is what a DORA operational-resilience review, an FCA or PRA supervisor, an internal-audit committee, or a breach investigation actually needs, and it is the layer almost no one currently has for their agents.


Why it only holds inside owned walls

Here is the part the market keeps skipping. A signed audit record is only as trustworthy as the walls it lives in. If the signing keys, the record store, and the runtime all sit inside a shared third-party environment, you are back to trusting a party you cannot fully see. The attestation proves the record was not altered by someone without the key. It cannot protect you from whoever holds the key on infrastructure you do not control.
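
The per-action record described in the previous section, and the key-custody limit described here, can be seen in a small sketch. This is an added example, not Mickai's code: it tags each agent action and checks the log after an edit, a deletion, and a rebuild by a key holder. Assumptions: HMAC-SHA256 from the standard library stands in for an asymmetric signature, the `prev` hash chain is added here so that removed records show up, and all field names, keys and sample actions are constructed.

```python
import copy, hashlib, hmac, json

GENESIS = "0" * 64  # constructed anchor for the first record's "prev" field

def _tag(key: bytes, body: dict) -> str:
    # Canonical JSON so the same record always serialises to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_record(log, key, ts, actor, action, target):
    """Tag one agent action and bind it to the previous record's tag."""
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
            "target": target, "prev": log[-1]["tag"] if log else GENESIS}
    log.append(dict(body, tag=_tag(key, body)))

def verify_log(log, key):
    """Return (index, problem) findings; an empty list means the log is intact."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, body), str(rec.get("tag", ""))):
            findings.append((i, "bad-signature"))   # content changed after tagging
        if body.get("seq") != i or body.get("prev") != prev:
            findings.append((i, "broken-chain"))    # record removed or reordered
        prev = rec.get("tag", "")
    return findings

def demo():
    key = b"constructed-operator-key"  # placeholder; real keys live in an HSM
    actions = [  # constructed sample actions, not real log data
        ("2026-07-04T03:14:01Z", "agent-7", "read", "gl/account/4000"),
        ("2026-07-04T03:14:02Z", "agent-7", "tool_call", "erp.post_journal"),
        ("2026-07-04T03:14:03Z", "agent-7", "write", "gl/journal/JE-0001"),
    ]
    log = []
    for a in actions:
        append_record(log, key, *a)
    edited = copy.deepcopy(log)
    edited[2]["target"] = "gl/journal/JE-9999"       # altered without the key
    dropped = log[:1] + log[2:]                      # middle record deleted
    rewritten = []                                   # rebuilt by a key holder
    for a in actions[:2] + [(actions[2][0], "agent-7", "write", "gl/journal/JE-9999")]:
        append_record(rewritten, key, *a)
    return {name: verify_log(l, key) for name, l in
            [("intact", log), ("edited", edited), ("dropped", dropped),
             ("rewritten", rewritten)]}

if __name__ == "__main__":
    print(demo())
```

The `edited` and `dropped` logs are flagged, while `rewritten` verifies clean because it was rebuilt with the key, so the check says nothing about what a key holder did.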

That is why we built Mickai as a Sovereign Intelligence Operating System, a SIOS the regulated organisation owns and runs inside its own walls, air-gapped where the workload demands it, with operator-held keys and the signed audit record generated on the operator's own substrate. The attestation and the keys never leave your control. The audit record answers to you, not to a vendor.

We want to be precise and honest about the market, because over-claiming helps no one. Almost every regime, DORA, the FCA and PRA, the EBA, the NHS Data Security and Protection Toolkit, GDPR, permits cloud with the right controls. The genuine no-cloud bar is workload-level: classified material, ITAR-controlled data, isolated OT and SCADA, a DPIA that comes back negative. The far larger driver is preference, the desire for verifiable control, for cost predictability, and for a hard answer to data-exfiltration risk. On a register-backed view that sovereign-leaning market is roughly 16,092 UK and EU institutions, and the enterprise-AI-platform software TAM runs from about USD 13bn in 2024 toward USD 50.3bn by 2030 on Verdantix figures, roughly £11.7bn to £39.7bn. The point is not that everyone is barred from cloud. It is that a governance-grade audit record for AI identities is only fully trustworthy when the operator holds the keys, and that is a design choice, made once, that the survey shows almost no one has made.


The takeaway for identity-governance leads

If you own identity governance and you are scaling agentic AI, treat these four numbers as a single finding: your AI identities can act on your most sensitive systems, and you cannot yet produce a verifiable account of what they did. Closing it does not start with buying another log aggregator. It starts with deciding that every AI identity's every action must produce a signed, tamper-evident record, and that the keys and the substrate behind that record sit inside your own walls. That is the layer that turns 92 percent blind into governed, and it is the layer we built the SIOS around.

Frequently asked questions

What is an AI identity, and why can it not be governed like a service account?

An AI identity is an autonomous or semi-autonomous agent that authenticates, holds permissions, and acts across your systems. Unlike a static service account it reasons, chains tool calls, and can take thousands of context-dependent actions an hour. Static allow-lists and quarterly access reviews were built for predictable, low-volume actors; they neither constrain nor evidence what an agent actually does in the moment, which is why visibility and audit break down at agent scale.

Does a signed audit record slow the agent down?

No, in the sense that matters. The attestation is generated inline as each action executes and is designed to run at machine speed on the operator's own substrate. You are adding an evidential layer to activity that is already happening, not inserting a human approval gate. The cost is storage and key management, both of which the operator controls, in exchange for a non-repudiable record you can hand to an auditor.

How is this different from our existing SIEM or cloud audit logs?

Those systems record that events occurred, but the records are descriptive and, in a shared environment, alterable by parties you may not be able to see or vet. A per-action signed attestation is evidential: it binds authorship and integrity to each action so that any later change breaks the signature. Held on operator-owned infrastructure with operator-held keys, it answers the "prove it, and prove the proof is intact" question that conventional logs cannot.

We are permitted to run agents in the cloud. Why move the audit layer on-premises?

Because permission and verifiability are different things. Most regulators do permit cloud with controls, so this is rarely about a legal bar. It is about whether you can verify, from the inside, that no one outside your control can read the keys or alter the record. For AI identities acting on regulated, competitive, or financially material data, holding the substrate and the keys yourself is the only way to make the audit record answer to you alone.

For related reading, see our work on Auditable AI and the operator-held audit record, the sovereign-substrate case in Giants as Allies, Not Competitors, and how the SIOS seals the runtime end to end.

---

By Micky Irons, founder and CEO, Mickai. Mickai is a Sovereign Intelligence Operating System that regulated organisations own and run inside their own walls, with a cryptographically-signed audit record on every action. Our patent portfolio stands at 104 filed UK applications spanning roughly 2,340 claims across 13 families, building toward examination and grant.



Originally published at https://mickai.co.uk/articles/ai-agent-identity-gap-92-percent-blind-and-what-signed-attestation-fixes. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
Microsoft France told the French Senate under oath that it cannot guarantee European data will never reach US authorities under the CLOUD Act, even inside a French sovereign region. We think that single sentence defines the market. Sovereign cloud is a real engineering improvement, but while the parent is US-domiciled the legal gap stays open. The only structure where the answer to a foreign subpoena is genuinely no is one you own and run inside your own walls.