Everyone is talking about governing AI agents right now — and they should be. Autonomous agents are multiplying fast, and giving them the right access without opening new risk is a genuine, urgent problem.
But there’s a more immediate identity problem sitting in plain sight: the human workforce identity challenge still hasn’t been solved.
That matters, because AI agents don’t appear out of thin air. People provision them, configure them, approve their access, and live with the consequences when identity controls are weak or buried under complexity. If the humans standing up your agents are working from excessive access, clunky workflows, and rubber-stamped reviews, then AI governance is being built on an unstable foundation.
And it isn’t close. Recent industry surveys continue to show that a large share of employees hold more access than their jobs require — by some 2025 research, roughly half carry excessive or privileged access. Excessive standing access is exactly what turns a single compromised account or a careless insider into a company-wide breach. The exposure is widespread, and it isn’t shrinking on its own.
Here’s what often gets missed: this isn’t only a policy problem. It’s a usability problem. When access requests and certifications are too complicated, people cope in predictable ways. They route everything to the help desk. Or they click “approve” on a certification just to make the friction stop. Either way, the controls on paper stop matching reality — and the risk you thought you’d governed is still sitting there. Multiply that across thousands of users and dozens of systems, and “governed” becomes a story you tell auditors, not a state you’re actually in.
You can’t certify what you don’t understand. And too many identity tools make understanding the hard part.
This is exactly why a familiar environment is more than a convenience. Clear Skye delivers workforce identity natively on the ServiceNow platform — through the same workflows and interfaces people already use every day. Familiar workflows lower the training burden, reduce user resistance, and make it far more likely that access decisions get made deliberately instead of rushed.
In identity, adoption is a security control. A governance process people actually follow will protect you better than a more sophisticated one they quietly work around.
ServiceNow’s own moves show where the market’s attention is heading. Its acquisition of Veza, which closed in March 2026, added serious identity-security capability — and the public direction, anchored by the AI Control Tower it expanded at Knowledge 2026, points that capability squarely at governing AI, machine, and other non-human identities at scale.
That’s a strong path for the agentic future. But it doesn’t change the order of operations. Governing AI agents assumes the people behind them already operate under clean, usable, well-governed identity. An agent provisioned by someone with bloated access tends to inherit that bloat — and then acts on it faster than any human ever could. If the humans still carry excessive access and weak governance habits, no amount of agent oversight fixes the underlying exposure. You’d be solving the second problem before the first one is under control.
None of this is an argument against governing AI agents. It’s an argument about sequence. The organizations that will govern agents well are the ones that already have workforce identity under control: access that’s right-sized, processes people genuinely use, and decisions made with understanding rather than fatigue.
That part is solvable today. Clear Skye does it natively on ServiceNow, in the environment your people already work in. For many organizations, that’s the more urgent — and more foundational — place to start.
