
A university got breached this quarter through a service account nobody remembered creating.
It wasn't a sophisticated attack. There was no novel exploit, no nation-state actor, no zero-day worth a CVE number. Someone had stood up a chatbot pilot a year earlier. The pilot ended. The chatbot got quietly retired. The credentials it used to talk to internal systems stayed enabled, with the same permissions, sitting in a config file on a server nobody was watching anymore. A bad actor found the key. The key still worked. The story wrote itself from there.
I put a prediction on the record at the start of this year. I said AI identities would cause major harm at two or more high-profile institutions inside twelve to eighteen months. One is now on the board. Six months ahead of schedule.
The reason I'm writing about it isn't to take a victory lap. I hate this prediction landing. The reason I'm writing about it is that the breach vector is the most boring thing in the world. It's a ghost account. We've been documenting ghost accounts in higher ed since 2015. The only difference this time is the account belonged to an agent instead of a person, and the label on the org chart said "AI pilot" instead of "adjunct who left in spring."
Ghost agents are ghost accounts wearing a hoodie. Same lifecycle failure. New marketing.
The structural backdrop for this breach should worry anyone in a budget meeting this quarter. Machine identities now outnumber human identities by ratios on the order of forty thousand to one in a typical environment, and they carry roughly seven and a half times the risk profile of human accounts. Forty percent of non-human identities sitting in the average enterprise are unused but still enabled. That's CyberArk's number, repeated by Infosecurity Magazine and CybersecurityTribe in their non-human identity coverage.
Then layer on what's actually running on campuses right now. Internet-wide scanning in early 2026 found 1,862 Model Context Protocol servers exposed to the public internet, and every verified sample handed over its tool listing, the menu of actions an agent can invoke, to anyone who asked, with no authentication at all. That's CSO Online's reporting, and it's not a theoretical risk surface. It's a list of doors propped open in production.
If I'm sitting at a budget meeting Tuesday and the provost asks how the AI strategy is going, the honest answer is not "we have agents running." The honest answer is "we have agents running, and I can name three of their owners, and the other twenty-seven were stood up before we wrote the policy." Then the next question is whether you can do anything about that before the second name lands on my Prediction #4 list.
Three of the four major higher-ed application vendors shipped AI announcements this quarter. Ellucian launched Ellucian Student as a unified AI platform for higher education and published a 2026 AI adoption report. Workday was named a Leader in the 2026 Gartner Magic Quadrant for higher-ed student information systems and announced a Workday Data Cloud integration with AWS. Jenzabar has been pushing AI capabilities into its product line on a parallel track.
None of them shipped agent governance.
I want to be careful here, because QuickLaunch is a certified Ellucian partner and I am not pretending otherwise. The vendor announcements are real product. The integrations exist. The AI features will land on campuses. The criticism is structural, not personal. When an AI agent acts on a student record, the questions a CIO needs answered are: whose identity is the agent acting under, who owns the deprovisioning when the agent retires or when the human owner separates, and what's the audit trail when the agent gets it wrong. In-application AI cannot answer those questions because the answers live between the applications, not inside them. EDUCAUSE's June piece made exactly this argument: the integration and governance maturity question is the one institutions are dodging.
This is Prediction #8 advancing in slow motion. In-application AI bundled into SIS and ERP platforms will underperform expectations because the lifecycle is where the work happens, and the lifecycle crosses every system on campus. The integration layer is where the proof shows up. Or doesn't.
EdTech Magazine covered SUNY's system-wide AI policy this month. Most identity newsletters will skip it because it reads like compliance paperwork, and that's a mistake. SUNY just handed every higher-ed CIO in the country a template to negotiate against their general counsel without having to build it from a blank page.
The point is not to copy SUNY. The point is to use SUNY as the forcing function that gets the registrar, the chief information security officer, the provost, and the data team in the same room before the third faculty member quietly drops a class roster into a Claude project. EDUCAUSE's March piece on shadow data made the case in adjacent terms: when governance is unclear, users build workarounds, and the workarounds create FERPA-adjacent data flows that nobody sanctioned and nobody can find.
Policy is how Prediction #4 doesn't happen at your institution. Specifically, written policy that names three things for every AI agent on campus: who owns it, what class of data it touches, and what event triggers its deprovisioning.
If you can't fill those three blanks for every agent running on your network today, you have ghost agents. You just haven't been breached yet.
There's a more hopeful thread in the research this quarter. EdTech Magazine documented autonomous AI networking platforms in higher ed with self-detect, self-heal, self-configure capability, with Juniper claiming up to nine times faster deployment, ninety percent fewer trouble tickets, and up to fifty percent less time to resolution. EDUCAUSE covered the University of Louisiana System's data warehouse automation work with explicit self-healing remediation patterns at the data layer. GovTech named 2025 the year of automated remediation.
Self-healing is real in networking. It's real in data warehousing. It is not yet real in identity lifecycle, and that gap is the next eighteen months of work for everyone serious about this category. A stuck provisioning job retried automatically with context. A failed access grant rolled forward instead of dropped on the floor. A stale agent credential rotated before a security analyst has to read the ticket. That's the version of self-healing identity that matters, and the vendor who ships it first, honestly, with audit trails a CISO can defend, is the vendor who earns the next decade of higher-ed business.
We're building toward that. So is everyone else who's honest about what one quarter of agentic deployment actually feels like.
Here's the part most CIOs will skip, and shouldn't. The OAuth working group at the IETF has been shipping drafts that directly address how AI agents authenticate and authorize against systems they don't own. The AI Agent Authentication and Authorization draft was updated June 1. The Updates to OAuth 2.0 Security Best Current Practice draft was revised June 25. A separate draft on security considerations for Model Context Protocol implementations was also updated June 1.
This is the plumbing that will determine, two procurement cycles from now, whether your AI agents can talk to systems outside your tenant without you handing out long-lived shared secrets like Halloween candy. Attestation-based client authentication. Session-bound tokens. Agent authorization profiles. Microsoft Entra has already shipped workload identity federation patterns and pre-authorized MCP server examples aligned with this direction.
The vendors who implement this work first are the ones I would shortlist. The ones who don't are the ones who will quietly recommend you create a service account with "a few extra permissions just for the agent." That's the failure mode. That's the breach we opened with.
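To make the contrast concrete, here is an added example of my own, not code from this column, from the IETF drafts or from Microsoft: the narrower piece OAuth already standardizes, a JWT client assertion in the RFC 7523 shape that is short-lived, bound to one token endpoint and usable once, next to the static-secret check it replaces. It is signed with an HMAC key (the client_secret_jwt variant) purely so it runs on the standard library; a production deployment uses private_key_jwt so the signing key never leaves the agent's host, and the attestation drafts go further by binding that key to evidence about the workload. The verifier checks are the same either way. Client IDs, keys and URLs are constructed.

```python
"""Short-lived, audience-bound, single-use client assertion vs. a static secret.

Added example in the RFC 7523 JWT client-assertion shape, HMAC-signed
(client_secret_jwt) so it runs on the standard library. All IDs, keys
and URLs are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def static_secret_check(presented: str, stored: str) -> bool:
    """The failure mode from the breach: nothing here can expire, scope or
    single-use the secret, so a key copied out of a config file keeps
    working until someone remembers to rotate it."""
    return hmac.compare_digest(presented.encode(), stored.encode())


def mint_assertion(client_id: str, key: bytes, token_endpoint: str, now: int,
                   ttl: int = 300, jti: Optional[str] = None) -> str:
    """Build the JWT an agent presents instead of a password-like secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id, "sub": client_id,        # the agent's own identity
        "aud": token_endpoint,                     # usable at one endpoint only
        "iat": now, "exp": now + ttl,              # minutes, not years
        "jti": jti or secrets.token_urlsafe(16),   # one use, then dead
    }

    def enc(obj: dict) -> str:
        return _b64(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


class AssertionVerifier:
    """Token-endpoint side: rejects anything long-lived, misdirected or replayed."""

    def __init__(self, keys_by_client: Dict[str, bytes], token_endpoint: str,
                 max_ttl: int = 300):
        self.keys = keys_by_client
        self.aud = token_endpoint
        self.max_ttl = max_ttl
        self.seen: Dict[str, int] = {}           # jti -> exp, for replay detection

    def verify(self, token: str, now: int) -> Tuple[Optional[str], str]:
        """Return (client_id, "ok") or (None, reason)."""
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed"
        h, c, s = parts
        try:
            header, claims = json.loads(_unb64(h)), json.loads(_unb64(c))
        except ValueError:
            return None, "malformed"
        if header.get("alg") != "HS256":         # allow-list; never trust "alg" as sent
            return None, "bad_alg"
        client_id = claims.get("iss")
        key = self.keys.get(client_id)
        if key is None or claims.get("sub") != client_id:
            return None, "unknown_client"
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None, "bad_sig"
        if claims.get("aud") != self.aud:
            return None, "bad_aud"
        exp, iat = claims.get("exp"), claims.get("iat")
        if not isinstance(exp, int) or not isinstance(iat, int):
            return None, "missing_times"
        if exp <= now:
            return None, "expired"
        if exp - iat > self.max_ttl:             # refuse "valid for a year" tokens
            return None, "ttl_too_long"
        jti = claims.get("jti")
        if not jti:
            return None, "missing_jti"
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # drop expired
        if jti in self.seen:
            return None, "replayed"
        self.seen[jti] = exp
        return client_id, "ok"


# Constructed demo values.
TOKEN_ENDPOINT = "https://idp.example.edu/oauth2/token"
AGENT_ID = "agent-advising-bot"
AGENT_KEY = b"constructed-demo-key-not-for-production"


def demo(now: int = 1_750_000_000) -> Dict[str, str]:
    """Exercise the verifier; returns the reason code for each scenario."""
    v = AssertionVerifier({AGENT_ID: AGENT_KEY}, TOKEN_ENDPOINT)
    good = mint_assertion(AGENT_ID, AGENT_KEY, TOKEN_ENDPOINT, now, jti="j1")
    other_aud = mint_assertion(AGENT_ID, AGENT_KEY, "https://other.example.edu/token", now, jti="j2")
    year_long = mint_assertion(AGENT_ID, AGENT_KEY, TOKEN_ENDPOINT, now, ttl=365 * 86400, jti="j3")
    return {
        "fresh": v.verify(good, now)[1],
        "replayed": v.verify(good, now)[1],
        "expired": v.verify(good, now + 301)[1],
        "wrong_aud": v.verify(other_aud, now)[1],
        "tampered": v.verify(good.rsplit(".", 1)[0] + ".AAAA", now)[1],
        "year_long": v.verify(year_long, now)[1],
        "static_secret": "ok" if static_secret_check("hunter2", "hunter2") else "rejected",
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:14s} {outcome}")
```

The last line of the demo is the point: the static secret is accepted the same way on day one and on day four hundred, and the verifier has no claim it could use to say no. Every other scenario is the token endpoint refusing something the assertion itself makes refusable.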
I keep coming back to the same image. A CIO walks into the budget meeting, the provost asks how the AI strategy is going, and the CIO says "great, we have agents running." Nobody asks the next question. Whose identity are the agents acting under. Who owns the deprovisioning. What happens when one of them is wrong.
The breach we covered up top didn't happen because the institution was negligent. I want to be clear about that, because the institution is not the villain of this story. The breach happened because the questions were not on the agenda. There was no agent inventory. There was no owner field on the pilot ticket. There was no deprovisioning checklist when the pilot wound down. The pilot ended on a Friday in October, the team celebrated, the team moved to the next thing, and the credentials kept working until somebody who didn't go to the celebration found them.
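The three blanks from the policy section and the missing inventory, owner field and deprovisioning checklist from this breach are also something a script can check, once the inventory exists. What follows is an added example, not the column's framework and not the QuickLaunch workbook: a Python pass that joins a constructed agent inventory against the IdP's credential records and the HR separation feed, and flags every agent missing an owner, a data class or a deprovisioning trigger, plus every enabled credential whose pilot already ended, whose owner has separated, or that nobody has used in ninety days. Field names, IDs and dates are constructed; the first agent is modelled on the breach above.

```python
"""Ghost-agent check: inventory x credentials x HR feed. Added example; all
field names, identifiers and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Agent:                                  # one row of the agent inventory
    agent_id: str
    owner: Optional[str]                      # person ID; None = the missing owner field
    data_class: Optional[str]                 # e.g. "FERPA education record", "public"
    deprovision_trigger: Optional[str]        # e.g. "pilot_end", "owner_separation"
    pilot_end: Optional[date]                 # set when the pilot has a planned end


@dataclass
class Credential:                             # what the IdP / secrets store knows
    agent_id: str
    enabled: bool
    last_used: Optional[date]


@dataclass
class Person:                                 # HR feed
    person_id: str
    separated: Optional[date]


def find_ghosts(agents: List[Agent], credentials: List[Credential],
                people: List[Person], today: date,
                stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Return {agent_id: [finding codes]} for every agent that fails a check."""
    creds = {c.agent_id: c for c in credentials}
    hr = {p.person_id: p for p in people}
    findings: Dict[str, List[str]] = {}
    for a in agents:
        why: List[str] = []
        # Blank 1: owner. Missing, unknown to HR, or already separated.
        if not a.owner:
            why.append("NO_OWNER")
        elif a.owner not in hr:
            why.append("OWNER_UNKNOWN_TO_HR")
        elif hr[a.owner].separated and hr[a.owner].separated <= today:
            why.append("OWNER_SEPARATED")
        # Blank 2: data class.
        if not a.data_class:
            why.append("NO_DATA_CLASS")
        # Blank 3: deprovisioning trigger.
        if not a.deprovision_trigger:
            why.append("NO_DEPROV_TRIGGER")
        # The breach condition: the agent is gone but its key still works.
        cred = creds.get(a.agent_id)
        if cred is None:
            why.append("NO_CREDENTIAL_RECORD")      # inventory and IdP disagree
        elif cred.enabled:
            if a.pilot_end and a.pilot_end < today:
                why.append("PILOT_ENDED_CRED_ENABLED")
            if cred.last_used is None or today - cred.last_used > stale_after:
                why.append("STALE_CRED_ENABLED")
        if why:
            findings[a.agent_id] = why
    return findings


# Constructed sample data. The first agent mirrors the breach in the column:
# pilot ended on a Friday in October, owner left in December, key still live.
TODAY = date(2026, 6, 30)
AGENTS = [
    Agent("agt-chatbot-pilot", "p-1001", None, None, date(2025, 10, 17)),
    Agent("agt-advising-bot", "p-1002", "FERPA education record", "owner_separation", None),
    Agent("agt-helpdesk-search", None, "public", "pilot_end", None),
]
CREDENTIALS = [
    Credential("agt-chatbot-pilot", True, date(2025, 10, 10)),
    Credential("agt-advising-bot", True, date(2026, 6, 29)),
    Credential("agt-helpdesk-search", True, None),
]
PEOPLE = [Person("p-1001", date(2025, 12, 19)), Person("p-1002", None)]


def ghost_report(today: date = TODAY) -> Dict[str, List[str]]:
    """Run the check over the constructed sample as of a given date."""
    return find_ghosts(AGENTS, CREDENTIALS, PEOPLE, today)


if __name__ == "__main__":
    for agent_id, why in ghost_report().items():
        print(agent_id, ", ".join(why))
```

Run the same report with today set to the week the pilot was still live and the chatbot drops to two findings, both policy blanks; run it as of this quarter and it picks up the separated owner, the ended pilot and the idle key. That time dimension is the whole argument: the inventory is not a one-time project, it is a job that has to run every day after the celebration.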
I built an identity system at a small Arizona university in 1996. We called it Login Manager. We thought we had solved the lifecycle problem because we could provision a student in under a minute and deprovision them on the day a status change hit the SIS. Twenty-eight years later, I've watched institution after institution rebuild that same system from scratch, then watch it drift the moment the original team rotated out. The lifecycle is a discipline, not a project. Agents are about to make it ten times harder.
Put the three questions on your agenda this week. Owner. Data class. Deprovisioning trigger. For every agent. Before the second name lands on Prediction #4 and one of you reading this has to call your general counsel before lunch.
If you want the framework we use with institutions to inventory the agents already running on campus and assign owners before the auditor does, request the AI Agent Inventory Tool. It's the practitioner workbook version of this column, and it's built for the budget meeting, not the conference room.
Or subscribe to the QuickLaunch column and we'll bring next week's argument straight to your inbox.
Raymond Todd Blackwood is the President of QuickLaunch and writes about identity, agentic AI, and the messy reality of higher-ed IT. #ItsExistential