The deepest argument in “The AI Agent Governance Gap” report by US-based API management company Gravitee is not really about AI hype, or even security budgets. It is about identity.
More precisely, it is about the fact that most enterprises still do not treat AI agents as independent digital actors within their security model, even though those agents can read, write, trigger, and transact across core systems.
That omission sounds technical. It is actually foundational. The report says fewer than 22 per cent of enterprises treat AI agents as first-class security identities. It also says 60 per cent still rely on legacy authentication patterns designed for human workflows, including session management and password-based approaches that make little sense for autonomous software. Add in the finding that 86 per cent do not enforce access policies for AI identities at all, and the result looks less like a governance gap and more like a missing layer in the architecture.
Also Read: AI agents are already inside your systems, but who’s controlling them?
For Southeast Asia’s enterprises, this should be a flashing red light. The region is building increasingly API-heavy businesses: digital banks, super apps, regional e-commerce platforms, supply-chain networks, healthtech systems, and public digital services. AI agents are being introduced into precisely these environments because they can switch between tools quickly. But that also means they can quickly accumulate privileges, often by inheriting credentials from the applications or service accounts around them.
Borrowed badges are not good enough
Most enterprises are still comfortable with two main identity categories: humans and machine accounts. Human accounts belong to employees. Machine accounts belong to applications or services. AI agents do not fit neatly into either box.
An AI agent is not merely an application process. It may take natural-language instructions, decide which tools to call, reason across multiple steps, escalate or delegate subtasks, and adapt its behaviour to context. Giving that kind of entity a generic service account is like issuing a blank company pass to a visitor and hoping common sense does the rest.
That is the structural weakness Gravitee is highlighting. If an agent borrows the identity of its parent system, security teams cannot easily distinguish what the system did from what the agent did. They cannot apply a tailored policy. They cannot limit access cleanly by task or time window. They cannot generate a clean forensic record if something goes wrong.
In Southeast Asia, this problem is magnified by enterprise sprawl. Large regional companies often operate shared services across several countries, with integrations built over the years by different teams and vendors. Service accounts are already hard to track. When AI agents start riding on top of those accounts, visibility degrades further.
Why token scope suddenly matters a great deal
The report points towards a more modern security approach: structured provisioning, scope-limited authorisation, contextual decision-making, continuous monitoring, and audit trails that survive forensic scrutiny. In practical terms, that means every agent should have a clearly defined owner, a lifecycle, a limited set of authorised resources and a way to prove why it was allowed to act.
This is where standards and policy models start to matter. Gravitee references OAuth 2.1, resource indicators from RFC 8707 and fine-grained authorisation models such as attribute-based access control and relationship-based access control. Stripped of jargon, the idea is straightforward: a token issued to an agent should be narrowly scoped to the exact resources and operations it needs, for the shortest practical duration, with policy checks happening at runtime.
That matters because agents are not static users. They are dynamic callers. A finance agent may need read-only access to invoices but no permission to approve payment. A support agent may retrieve customer history, but should not be able to alter refund rules. A procurement agent may query supplier data in one jurisdiction but not exfiltrate it into another system or region.
Without those boundaries, enterprises are effectively granting AI agents the corporate equivalent of all-area backstage passes.
Southeast Asia’s API economy makes this urgent
This identity issue is not a niche concern for security architects. It sits directly in the path of Southeast Asia’s digital economy. The region’s leading companies are heavily API-driven, and many are building around orchestration rather than monolithic software stacks. Payments talk to fraud systems. Commerce platforms talk to logistics providers. Internal dashboards talk to data pipelines. Customer service tools talk to CRMs and knowledge bases.
Also Read: It’s not the chatbot but the access: Why AI agents are the real threat
AI agents thrive in these environments because APIs are precisely how they take action. The more connected the business, the more useful agents become. But usefulness without identity discipline is a recipe for hidden privilege.
This should concern sectors beyond pure tech. Banks deploying internal AI assistants, hospitals experimenting with clinical workflow tools, manufacturers using autonomous planning systems and public agencies digitising citizen services all face the same core question: is the agent acting under its own identity, or is it effectively piggybacking on somebody else’s authority?
If the answer is the latter, governance will always be weaker than leadership assumes.
Discovery is becoming the first security control
One telling detail in the report is where CISOs say they would invest if money were not a constraint. Some 73 per cent prioritised API and workload identity discovery and inventory, while 68 per cent focused on continuous monitoring and posture analytics. That is revealing. Security leaders are not asking for shinier dashboards because they are bored. They are asking because they do not know what identities already exist in their environments.
This is a particularly relevant issue in Southeast Asia, where outsourced development, cloud migration and rapid business expansion often leave identity estates fragmented. Companies may have one set of rules for workforce access, another for developer access, a different one for legacy applications and almost none for non-human agents. That fragmentation is manageable until AI agents start hopping between layers.
At that point, identity inventory becomes the prerequisite for everything else. If an organisation cannot enumerate its AI agents, trace their permissions and map their ownership, then access policy is theatre.
The next generation of IAM will be judged by how it handles agents
Identity and access management vendors often talk about zero trust, least privilege and continuous verification. AI agents are the stress test for whether those ideas can survive contact with real enterprise automation.
The hard truth is that many current IAM implementations were not built for autonomous actors that generate tool calls, request tokens, move across contexts and perform chained operations at machine speed. That does not mean enterprises must rip everything out. It means they need to extend identity thinking beyond employees and servers.
For Southeast Asian organisations, the prize for getting this right is significant. Companies that can issue scoped, observable, revocable identities to AI agents will be able to automate more confidently across borders, business units and regulated workflows. Those that cannot will remain trapped in a cycle of cautious pilots, brittle integrations and periodic security panic.
The enterprise AI debate often fixates on model performance. But the bigger competitive question may be simpler: can your organisation tell who the agent is, what it is allowed to do and why it was allowed to do it?
If not, the system is not truly governed. It is merely busy.
The post The hidden risk in AI adoption: Unchecked agent privileges appeared first on e27.