
A few weeks ago I sat across from a CIO at a private research university. Coffee, no slides, the kind of meeting where the honest answers come out. I asked her a simple question. How many non-human identities at your institution have API access to your student information system right now, and who owns each one?
She thought for a second. Then she laughed. Not because it was funny. Because she didn't have a number, and she knew she didn't have a number, and she knew that not having a number was the answer.
She is not unusual. She is the rule.
I have been making the same call on record since last fall. AI identities would cause major harm at two or more high-profile institutions inside an 18-month window. We are six months in. A major university has already been breached through a stale AI service account. The account walked out with student, faculty, and research records before anyone realized it was still authorized. The institution has not yet put its name in print. The pattern has.
I do not feel vindicated. I feel like the calendar got shorter.
Here is what happened, based on the public reporting. An autonomous agent at a major university held credentials nobody was actively watching. The project that birthed it had moved on. The owner had changed roles, or left, or never really existed in writing. The agent kept its API scope. It kept its tokens. It kept doing whatever it was originally told to do, and a little bit more besides, until an attacker found it and used it as a foothold for lateral movement through the environment. By the time anyone noticed the credentials were compromised, the data was gone.
This is the ghost account problem. We have known about it at the human layer for twenty years. The student who graduated in 2019 whose account still has access to a shared drive. The adjunct who taught one summer and never got deprovisioned. The contractor whose Active Directory object outlived the contract by four years. Every campus has them. Every campus has been told to clean them up. Some have. Most have not.
Now the same pattern is showing up at the agent layer, and the blast radius is worse. A human ghost account at least requires someone to log in. An agent ghost account is already logged in, by design, twenty-four hours a day, with whatever permission scope was over-provisioned on day one because nobody wanted to debug least privilege during the pilot.
The Cloud Security Alliance surveyed 235 large-enterprise CISOs and CIOs this year. Ninety-two percent admit they lack full visibility into their AI agent identities. Ninety-five percent doubt they could detect or contain a compromised agent. Those numbers are not from the laggards. Those are the people running the budgets and writing the reports.
If higher ed thinks it is doing better than the Fortune 500 on this, I have a 30-minute Entra Connect sync window to sell you.
The other side of this conversation is that the agents on campus are doing genuinely useful work. Southeast Georgia State University wired a custom agent into Banner and single sign-on. They reported a 42 percent reduction in routine call center volume, 92 percent accuracy resolving student inquiries without human intervention, and 98 percent accuracy answering registration status questions. Element451 announced its Bolt platform crossed 60 million AI-powered student journeys in May, with early adopters seeing a 35 percent lift in summer melt engagement.
Those are real outcomes. I am not the guy who dismisses them. The CIO at your peer institution sees those numbers and rightly wants the same thing on her campus by fall.
Here is the question nobody on the vendor stage is answering. When that agent reads Banner at 11 PM on a Sunday to verify a student's registration status, whose credentials is it using? What scope are those credentials limited to? Who rotates them? Who revokes them when the contract ends? Who reviews the access log? Whose name is on the line if the agent goes off-script?
I have looked at the public case studies. The integration architecture is buried beneath the outcome number. The 60 million journeys figure is impressive and, from where I sit, unauditable. Every CIO I have talked to in the last six weeks can tell me their multi-factor authentication posture, their Entra tenant configuration, and their single sign-on coverage rate. Not one has been able to tell me how many non-human identities have API access to their student information system, who owns those identities, and what the revocation procedure is when the agent's task is done.
That gap is not a vendor gap. It is not a budget gap. It is an inventory gap and an ownership gap, and the breach receipts are starting to arrive.
I made a prediction last year that agentic workflows would gain capability inside major vendor solutions while the how-to-implement would be left as an exercise for the institution. That prediction is now a description.
The platforms ship the capability. The conference keynote shows the demo. The procurement office signs the order. Somewhere down the line, a single identity engineer, often the same person who used to be the IAM administrator and is now also Director of User Services and Cybersecurity, gets handed a Slack message that says "can you make sure this agent has the right access by Monday." She does her best. The agent goes live. The clock starts.
Six months later the project champion takes a new job. The agent keeps running. Eighteen months later nobody on the org chart remembers commissioning it. The tokens never rotated. The scope never tightened. And one day an attacker who has been quietly probing your edge finds it.
This is the integration layer where institutions get hurt. Canvas just leaked 275 million records through what was reportedly a support-ticket workflow inside the Free-for-Teacher tier. The exact kind of low-glamor plumbing nobody puts on a roadmap slide. The fix is not to rip out the learning management system. The fix is to stop letting any single application accumulate de facto identity authority by attrition, agent by agent, integration by integration, until the application is the identity infrastructure and nobody architected it that way on purpose.
If you only read one unglamorous thing this quarter, make it the agentic governance work happening in three places at once.
OWASP shipped its Top 10 for Agentic Applications update for 2026, with concrete guidance on OAuth 2.0 permission models, managed identity services, and runtime hardening. The OpenID Shared Signals Framework (SSF) and the Continuous Access Evaluation Profile (CAEP) give us the event-driven primitives that finally retire the 30-minute deprovisioning lag at the identity provider layer: the provider pushes a signed event the moment a session or credential is revoked, and the relying system acts on it instead of waiting for the next directory sync. And a quiet IETF draft, Secure Webhook Token, is moving toward standardizing authenticated event delivery. Webhooks have been duct tape for a decade. This is the first serious attempt to give them a real token model.
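To make the event-driven point concrete, here is an added example of what a receiver does with a CAEP event. It is not code from any of the specifications and not the author's; it is a sketch in the shape of a Security Event Token (RFC 8417: a JWT with `typ` of `secevent+jwt` and an `events` claim keyed by event-type URI), signed here with HS256 and a shared key to keep it short, where a real Shared Signals transmitter signs with an asymmetric key it publishes via JWKS. The receiver checks signature, issuer, audience and replay (`jti`), then revokes the named agent's live tokens on the spot rather than at the next sync. The subject-identifier layout (`sub_id` with the `opaque` format), the issuer and audience URLs, the key and the token store are all assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
SESSION_REVOKED = CAEP + "session-revoked"
CREDENTIAL_CHANGE = CAEP + "credential-change"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims: dict, key: bytes) -> str:
    """Transmitter side: HS256-signed SET. Demo simplification; SSF uses asymmetric keys via JWKS."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_set(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Receiver side: reject anything whose header, signature, issuer or audience is off."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("events"), dict):
        raise ValueError("not a SET")
    return claims


class AgentTokenStore:
    """Receiver's view of which agent credentials are live. Constructed sample data."""

    def __init__(self):
        self.live = {"agent-advising-pilot": {"tok-1", "tok-2"}, "svc-banner-chatbot": {"tok-9"}}
        self.seen_jti = set()

    def handle(self, claims: dict) -> list:
        """Revoke the subject's tokens for the events we act on; return what was revoked."""
        if claims["jti"] in self.seen_jti:   # replayed SET: already acted on, do nothing
            return []
        self.seen_jti.add(claims["jti"])
        subject = claims["sub_id"]["id"]
        revoked = []
        for event_type in claims["events"]:
            if event_type in (SESSION_REVOKED, CREDENTIAL_CHANGE):
                revoked.extend(sorted(self.live.pop(subject, set())))
        return revoked


KEY = b"demo-shared-key-not-for-production"   # constructed
ISSUER = "https://idp.example.edu"             # hypothetical transmitter
AUDIENCE = "https://sis-gateway.example.edu"   # hypothetical receiver


def make_revocation_event(agent_id: str, reason: str) -> str:
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "iat": int(time.time()), "jti": str(uuid.uuid4()),
        "sub_id": {"format": "opaque", "id": agent_id},
        "events": {SESSION_REVOKED: {"event_timestamp": int(time.time()), "reason_admin": reason}},
    }
    return sign_set(claims, KEY)


def run_demo() -> dict:
    store = AgentTokenStore()
    token = make_revocation_event("agent-advising-pilot", "owner left, agent decommissioned")
    claims = verify_set(token, KEY, ISSUER, AUDIENCE)
    first = store.handle(claims)
    replay = store.handle(claims)                  # same jti, so a no-op
    # Forge the body to target a different agent while keeping the original signature.
    head, _body, sig = token.split(".")
    forged_body = b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "jti": "x",
                                     "sub_id": {"format": "opaque", "id": "svc-banner-chatbot"},
                                     "events": {SESSION_REVOKED: {}}}).encode())
    try:
        verify_set(f"{head}.{forged_body}.{sig}", KEY, ISSUER, AUDIENCE)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"revoked": first, "replay": replay, "live": store.live, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2, default=sorted))
```

The part worth copying is the order of checks: signature before claims, issuer and audience before you read `events`, and a `jti` ledger so a replayed event cannot be used to re-run a side effect. The revocation itself is a dictionary pop here; in a gateway it is the call that invalidates the agent's access tokens.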
None of this is exciting at a board meeting. All of it is load-bearing. The CIOs who track the standards work at this layer will spend 2027 building. The ones who do not will spend 2027 in front of a board explaining an incident.
I also owe Ellucian credit on the integration front. The launch of Ellucian Marketplace this spring, paired with the Ethos Integration Hub deployments rolling out at places like the University of Hawaii's Banner Modernization Project, is the structural move I said would make me revise. Treating integration as an operational capability with entitlement validation and governance controls, rather than as a per-project bespoke build, is the right architecture. I am watching the pricing. I am watching whether non-Ellucian identity layers are first-class citizens or footnote exceptions. The point-to-point era took a real bullet, though, and I want to be on record acknowledging it.
The gap is the same one every time. MFA posture, every CIO can recite. The number of non-human identities with API access to the student information system, who owns them, and what the revocation procedure is when the task is done, not one can. It is going to cost someone their job before the year is out.
So here is what I would tell a peer over coffee, and what I am going to keep telling them until the receipts stop showing up.
Make the list this week. Not next quarter. Not after the strategic plan refresh. This week. Pull every service account, every API key, every agent credential, every webhook endpoint, every machine identity that touches your student information system, your learning management system, your finance system, and your directory. Put a human name next to each one. If you cannot put a name, mark it for revocation: disable the credential, do not delete it yet, and find out what breaks. If nothing breaks in seven days, kill it. Disable rather than delete so the month-end job that only wakes up on day thirty can be switched back on instead of rebuilt, and watch anything on that cadence for a full cycle before the delete.
Then set expiry dates. Every non-human identity gets a calendar entry. Every renewal is an active decision, not a default. Every agent that gets commissioned this fall comes with an owner, a scope, a rotation schedule, and a sunset date written into the change request before the credential is ever minted.
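Here is that triage as code. This is an added example, not the workbook and not QuickLaunch's code: a Python script over a constructed inventory export (the account names, owners, dates and scope strings are made up) that applies the rules above. No owner means disable now and delete after a seven-day grace window; a past sunset date means revoke; a credential with no recent authenticated use means revoke; a secret older than the rotation window means rotate; an admin scope on an agent gets flagged for tightening; no sunset date means set one; a sunset inside thirty days means someone makes the renewal decision on purpose. The thresholds and the precedence order are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    system: str                     # which crown jewel it touches: SIS, LMS, finance, directory
    owner: Optional[str]            # the human accountable for it; None is itself the finding
    scopes: tuple                   # permission scope as actually granted, not as intended
    expires: Optional[date]         # sunset date; None means "never", which is also a finding
    last_rotated: Optional[date]    # when the secret or token was last replaced
    last_used: Optional[date]       # last authenticated use, from gateway or IdP sign-in logs


TODAY = date(2026, 6, 1)   # pinned so the run is deterministic; hypothetical date

# Constructed sample rows in the shape of a credential export. None of these are real accounts.
INVENTORY = [
    NonHumanIdentity("svc-banner-chatbot", "SIS", "A. Ramirez", ("registration:read",),
                     expires=date(2026, 9, 1), last_rotated=date(2026, 3, 15), last_used=date(2026, 5, 31)),
    NonHumanIdentity("agent-advising-pilot", "SIS", None, ("student:read", "student:write", "admin"),
                     expires=None, last_rotated=None, last_used=date(2026, 5, 30)),
    NonHumanIdentity("lms-grade-sync", "LMS", "J. Okafor", ("grades:write",),
                     expires=date(2026, 5, 1), last_rotated=date(2025, 1, 10), last_used=date(2026, 4, 20)),
    NonHumanIdentity("webhook-finance-export", "Finance", "M. Chen", ("ledger:read",),
                     expires=None, last_rotated=date(2026, 4, 1), last_used=date(2026, 5, 28)),
]

# Most urgent first; the first action an identity qualifies for is the one it gets.
PRIORITY = ("disable_then_delete", "revoke", "rotate", "tighten_scope",
            "set_expiry", "renewal_decision", "ok")


def findings(nhi, today=TODAY, rotation_max_days=90, expiry_warn_days=30,
             stale_days=90, grace_days=7):
    """Every (action, reason) pair that applies to one identity. Thresholds are assumptions."""
    out = []
    if nhi.owner is None:
        # Disable, do not delete: a monthly job that only wakes up after the grace window
        # can be switched back on. Delete once the window passes with nothing broken.
        out.append(("disable_then_delete",
                    f"no accountable owner; delete on {today + timedelta(days=grace_days)} "
                    "if nothing breaks"))
    if nhi.expires is not None and nhi.expires < today:
        out.append(("revoke", f"sunset date {nhi.expires} has passed"))
    if nhi.last_used is None or (today - nhi.last_used).days > stale_days:
        out.append(("revoke", f"no authenticated use in {stale_days} days"))
    if nhi.last_rotated is None or (today - nhi.last_rotated).days > rotation_max_days:
        out.append(("rotate", f"secret older than {rotation_max_days} days or never rotated"))
    if "admin" in nhi.scopes:
        out.append(("tighten_scope", "holds admin scope; an agent gets task-scoped grants only"))
    if nhi.expires is None:
        out.append(("set_expiry", "no sunset date; renewal must be an explicit decision"))
    elif 0 <= (nhi.expires - today).days <= expiry_warn_days:
        out.append(("renewal_decision", f"expires {nhi.expires}; renew on purpose or let it lapse"))
    return out


def action_for(nhi, **thresholds):
    """Collapse the findings to the single most urgent action for the work queue."""
    actions = {action for action, _ in findings(nhi, **thresholds)}
    return next(a for a in PRIORITY if a in actions or a == "ok")


def plan(inventory, **thresholds):
    """Group identities by action: this is the identity engineer's queue for the week."""
    queue = {}
    for nhi in inventory:
        queue.setdefault(action_for(nhi, **thresholds), []).append(nhi.name)
    return queue


if __name__ == "__main__":
    for action, names in plan(INVENTORY).items():
        print(f"{action}: {', '.join(names)}")
    for nhi in INVENTORY:
        for action, reason in findings(nhi):
            print(f"  {nhi.name} [{nhi.system}] {action}: {reason}")
```

The columns are the point: if your export cannot fill in `owner`, `expires`, `last_rotated` and `last_used` for every row, the script has already told you what to fix first. Ownerless wins the precedence order because nobody is entitled to approve any of the other fixes for that identity until a human is on the hook for it.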
This is not glamorous work. It will not make a conference keynote. It is the locksmith work. It is the difference between being the institution in next year's case study and being the institution that quietly does not show up in the breach reports because the agent that would have been the foothold got deprovisioned in June.
The calendar is short. Make the list. Name the owner. Set the expiry. Do it this week.
Primary: Get the QuickLaunch AI Agent Inventory Tracker, the practitioner workbook for building your non-human identity inventory, ownership model, and revocation procedure. It is the list I just told you to make, with the columns already drawn.
Secondary: Subscribe to the QuickLaunch column. One post a week. The receipts as they arrive, the predictions on record, and the honest map I would draw for a peer.
*Raymond Todd Blackwood is the President of QuickLaunch and writes about identity, agentic AI, and the messy reality of higher-ed IT. #ItsExistential*