When AI Agents Inherit Your Identity Dark Matter
Only 57% of enterprise applications actually report into a central identity provider, 67% of non-human identities authenticate locally outside any IdP, 40% of accounts are orphaned, and 70% of apps carry excessive privilege. That sprawl already breaks the static “who has access to what” model — adding autonomous agents acting on behalf of humans and services pushes it past the point of being recoverable with traditional IAM.
Roy Katmor, CEO and co-founder of Orchid Security, sits down with Alan Shimel to walk through Orchid’s 2026 Identity Gap report and what they’re calling identity dark matter — the entitlements, service accounts and forgotten credentials that exist in production but aren’t governed by anything. His argument is that this hidden layer was already the single biggest source of identity risk before AI agents arrived; once agents start inheriting human and service identities to take action, every blind spot becomes a privilege escalation path waiting to be exploited.
Katmor walks through why classical IAM stacks can’t model what’s happening. Static entitlements assume long-lived users and predictable workflows; agentic systems improvise, chain tools together and produce sequences of actions no permission catalog anticipated. The fix has to move identity from “what role does this principal have” to “what is this principal trying to do right now, on whose behalf, and is that within policy” — continuous, intent-aware delegation rather than upfront role assignment.
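As an added illustration of the shift Katmor describes (this is not code from Orchid Security or the report), the following Python policy check answers all three questions in one place: which agent is acting, on whose behalf, and whether the requested action falls within both the delegation it was handed and the delegator's own IdP entitlement. The principal names, entitlements and delegation structure are constructed for the example; a delegator that is absent from the IdP stands in for the "dark matter" case and is denied by default.

```python
from dataclasses import dataclass
import time

# Constructed sample of what the IdP actually governs. Principals missing
# here stand in for the page's "identity dark matter" (local or orphaned
# accounts) and are denied by default rather than silently trusted.
IDP_ENTITLEMENTS = {
    "alice@example.com": {("crm", "read"), ("crm", "export")},
    "svc-billing": {("ledger", "read")},
}

@dataclass(frozen=True)
class Delegation:
    """Short-lived grant from a human or service principal to an agent."""
    delegator: str      # on whose behalf the agent acts
    agent: str          # the acting principal
    scope: frozenset    # (resource, action) pairs the delegator handed over
    expires_at: float   # unix time; a delegation is not a standing role

AUDIT_LOG = []  # every decision is recorded with agent, delegator and intent

def authorize(d: Delegation, agent: str, resource: str, action: str, now=None) -> tuple:
    """Is *this agent*, acting for *this delegator*, allowed *this action now*?

    The effective permission is the intersection of what the delegator holds
    in the IdP and what the delegation scope passed on, so an agent can never
    exceed the human or service identity it inherits from.
    """
    now = time.time() if now is None else now
    want = (resource, action)
    if agent != d.agent:
        verdict = (False, "delegation was issued to a different agent")
    elif d.delegator not in IDP_ENTITLEMENTS:
        verdict = (False, "delegator is not governed by the IdP (dark matter)")
    elif now >= d.expires_at:
        verdict = (False, "delegation expired")
    elif want not in d.scope:
        verdict = (False, "action outside delegated scope")
    elif want not in IDP_ENTITLEMENTS[d.delegator]:
        verdict = (False, "delegator itself lacks this entitlement")
    else:
        verdict = (True, "within delegated scope and delegator entitlement")
    # Record intent and chain of custody so agent behaviour stays auditable.
    AUDIT_LOG.append({"agent": agent, "on_behalf_of": d.delegator,
                      "resource": resource, "action": action,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

Note that a delegation listing `("crm", "delete")` does not grant it when the delegator never held that entitlement; the audit record still shows the agent attempted it, which is the signal a detection team wants.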
The bigger architectural shift is treating identity as an orchestration and control plane rather than a directory. Pulling humans, non-human identities and AI agents into the same governance fabric, with discovery for the apps and accounts that aren’t in any IdP today, is what separates organizations that can credibly deploy agentic AI from the ones that will quietly accumulate years of unauditable agent behavior inside their environment.