
A few weeks ago I was on a call with a CIO at a mid-sized private university. Good school. Serious team. She was walking me through their generative AI rollout, which by her count now included a student-facing chatbot, three departmental copilots the deans had procured without telling her, a research computing agent that touched their grants system, and something the registrar's office was piloting that could apparently move records around on its own.
I asked her the question I ask every CIO now. Simple question. Who owns those identities?
She paused. She said, "You mean the users?"
No. I mean the agents. The things doing work on your campus when nobody is looking.
She didn't have an answer. Not because she's careless. Because nobody on her team had made a decision. Somewhere in the last twelve months, six or seven service accounts got spun up, each one glued to a different tool, most of them read-only "for now," all of them owned by whichever admin happened to be closest to the keyboard the day the vendor demo went well. That is a philosophy. It is just not a philosophy anyone stood up in a meeting and defended.
Here is the receipt I keep coming back to. Gravitee's State of AI Agent Security 2026 found that only 21.9% of teams treat AI agents as independent, identity-bearing entities. The other 78.1% run agents under inherited human accounts or shared service identities. Nearly half wire agent-to-agent traffic with shared API keys. Four out of five teams have already made a choice, and the choice is don't choose.
That is not a technology gap. That is the ghost account pattern with a new coat of paint, and higher ed has been failing at that pattern for twenty years.
I have spent most of my career watching institutions rebuild the same identity mistake with new fonts. Manual. Delayed. Forgotten. Orphaned. Those are the four states of legacy provisioning, and every campus I have worked with has all four of them living somewhere in Active Directory right now. A student who left in 2019 still has a mailbox. A contractor who onboarded in 2022 still has VPN access. A service account nobody remembers creating still has read on the student information system.
The agent layer inherits all of it. Worse, it accelerates all of it.
EDUCAUSE said the quiet part loud in their April 2026 Hotline. They described a campus environment where agents are being provisioned by central IT, by academic departments, and by individual faculty, producing what they called "shadow AI agents whose identities and privileges are opaque to institutional governance." That is EDUCAUSE, not a vendor blog. When the sector's own membership organization is naming shadow agents as a governance problem, we are past the point where a CIO gets to say "we're still figuring out our AI strategy."
Isaac Galvan at EDUCAUSE put it in plainer language when he spoke to EdTech magazine in June. Agentic AI, he said, "creates an identity and access management challenge because it can blur the line between a human user and a technology acting on that user's behalf." That blur is where governance goes to die. If your access review can't tell whether a login was a person or a script pretending to be a person, your access review is theater.
I made a prediction on the record last year that AI identities would cause major harm at two or more high-profile institutions inside twelve months. That prediction landed this spring. A major university got breached through a compromised autonomous AI service account that had been provisioned with broad access so the agent could work at machine speed across student, faculty, and research records. An attacker used it for lateral movement and data exfiltration. Nobody caught it until eventual revocation, and by then the damage was done. In a separate incident, a campus chatbot got hijacked and used to pull partial transcript data through inherited permissions. Two incidents. Same reporting cycle. Same pattern.
Sector-wide, 65% of firms report AI agent-related security incidents and 88% acknowledge at least one agent breach. The agent didn't invent a new failure mode. It just inherited yours, at machine speed, with a bigger blast radius.
The other prediction I put on the record was that capability would arrive before the how-to-implement. That one is landing every week now.
Ellucian announced Ellucian Student, described as higher education's complete solution built on an "AI-native SaaS platform" with "agentic AI designed specifically for higher education." I want that product to succeed. QuickLaunch is a certified Ellucian partner and their success is our success. But I looked hard for the documentation on how those agents get assigned identities, how they get scoped, how a campus IAM team governs them at the institutional layer, and I could not find it. Workday's Agent System of Record promises "precise identity permissioning" and centralized agent management, and I believe them, but I also cannot point a CIO at implementation guidance her team could actually use next Tuesday.
Microsoft is furthest along. Entra Agent ID ships as a first-class non-human identity type with Conditional Access support. That is the right architectural direction. But within weeks of its rollout, Silverfort documented a scope-overreach incident where an Entra Agent ID administrator scope led to service principal takeover. First-class identity type. Real capability. And the first real-world incident inside a quarter of shipping.
None of that is failure. That is the pattern. Platform gets there first. Institution is left figuring out what to do with it. If your student information system vendor is now your default agent identity authority, you have surrendered governance to a product team whose scope ends at their application boundary. That is not a criticism of any one vendor. That is a structural fact about where identity strategy belongs, and it belongs with you.
Microsoft's June 30 security advisory named something the rest of the industry needs to internalize. Least privilege is not enough anymore. They coined the term least agency, which is exactly right. A properly scoped agent with too much autonomy is still a control plane for exfiltration. Microsoft documented observed attacks where trusted AI agents were converted into data-loss control planes through poisoned Model Context Protocol tool calls.
Read that again. Trusted agent. Poisoned tool. Data loss.
If your campus does not have an inventory of the tool endpoints your agents can call, you have shadow integrations connecting your student data to language model tool calls you cannot see. That is a governance failure, not a technology failure. Every tool endpoint your agent can reach is a production dependency. Every one of them needs an owner, a scope, an expiry, and an audit trail. If that sounds like the identity lifecycle work you have been trying to finish for humans, congratulations. It is.
There is one more thread I have to pull, because most identity newsletters will skip it.
The bot that submitted fifty fake FAFSAs to a California community college in two seconds was not agentic. It was a script. The California Community College system is running at a 26% fraud rate across 1.2 million applications. The Lassen district hit 65% fake applications. Those numbers exist because scripted bots outran human review.
WCET raised the question in their March essay: what happens when those scripts become agents that hold sessions, respond to challenges, iterate against multi-factor prompts, and enroll in courses to draw down financial aid? The 26% fraud rate becomes a floor, not a ceiling. Community colleges are the frontline and they are the most under-resourced institutions in the sector. This is where the prediction on ghost accounts and financial-aid fraud stops being a slide in my deck and becomes a Title IV compliance problem for a president who did not sign up for a cybersecurity career.
This is the part where I owe you a path, not just a diagnosis.
Name every non-human identity on your campus. All of them. The service accounts, the API keys, the agent credentials, the copilot tenants your deans stood up without telling you. If you cannot inventory them, that is your first project.
Give every non-human identity an owner. A human name. Not a distribution list. A person who will get the ticket when the account misbehaves.
Give every non-human identity an expiry. If it does not have a renewal date, it is a ghost account waiting to happen. Ninety days is not aggressive. Ninety days is minimum.
Publish a policy for who can provision an agent, under what scope, with what tool access. Then enforce it. If your registrar's office spun up an autonomous agent last month, you already know the enforcement gap.
And if you cannot inventory, own, or expire something, kill it and see what breaks. That is how you find the shadow integrations. It is uncomfortable. It also works.
I keep coming back to that 21.9% number. Barely one in five teams treats an AI agent as an identity worth naming. The other four hand it a service account, wave it through, and hope.
I know what that looks like because I have been on planes for twenty-five years watching institutions rebuild the same identity mistake with new fonts. In 1998 it was NT domain accounts nobody deprovisioned. In 2008 it was Active Directory service accounts with domain admin rights and no rotation. In 2018 it was OAuth application registrations that could read everything in a tenant because "we might need it later." Now it is agents.
The mistake is not the technology. The mistake is naming things by accident.
Name every non-human identity on your campus. Give it an owner. Give it an expiry. If you cannot, kill it and see what breaks. That is not a demo pitch. That is the work. It is what I did in 1998 with Login Manager at a small university in Arizona, and it is what I would do again on Monday morning if I were sitting in your chair.
Pick a philosophy on purpose. Because if you don't, you already picked the one where nobody has to name anyone, own anything, or answer for what the agent did last Tuesday.
Download the QuickLaunch AI Agent Inventory Tool. It is the framework we use with QuickLaunch Advisory Council institutions to inventory, own, and govern non-human identities before they become the next breach headline.
Or Subscribe to the QuickLaunch column. One post a week. No fluff.
Raymond Todd Blackwood is the President of QuickLaunch and writes about identity, agentic AI, and the messy reality of higher-ed IT. #ItsExistential