The trigger
It's the first check-in back from a long weekend. The IT Director is running through infrastructure updates, half-distracted by a ticket queue, and somewhere between a network refresh and a licensing true-up they drop it: "We've got a couple RPA bots running in procurement now" or "the team stood up a chatbot for the help desk." The comment lands between agenda items. They're already moving to the next slide.
Stop them here.
What the offhand comment actually tells you
An IT Director who mentions bots casually is revealing two structural facts: AI tools are running in production, and the person responsible for infrastructure didn't put them on the agenda. Both things matter. A 2026 CSA survey commissioned by Token Security found that roughly 80% of enterprises have AI agents operating in their environments that no one formally inventoried. (The exact figure varies by survey scope and sample; a separate CSA study puts the share of organizations unable to clearly distinguish human from AI agent activity at around two-thirds. Treat these as directional, not precise, but the direction is consistent across every source.)
The IT Director won't use those terms. They'll say "bots," "AI tools," "Copilot," or "automation." In federal environments, expect "AI-enhanced RPA" or "AI-enabled copilot." In SLED, expect "virtual agent" or simply "the AI tool someone in [department] set up." Your job is to translate their vocabulary into questions that surface the identity and access gaps underneath. What you're really sizing is an unmanaged population of automated tools that authenticate, access data, and take actions across the IT Director's environment, and that population is growing faster than any governance process was designed to handle. That's a real problem for the account, and the IT Director is the person who'll feel it first.
The questions below cover four domains. Each one includes what a revealing answer sounds like versus a polite deflection. Spend most of your attention on reading the response: your real leverage in this conversation comes from interpreting what you hear, and the companion context below is built accordingly. Be blunt with yourself about disqualification signals.
What's running that nobody inventoried
"Beyond the ones you just mentioned, do you have a sense of how many AI tools or bots are connecting to your systems across departments?"
Why this works for this persona: You're acknowledging what they already know and asking about the periphery. The IT Director's incentive is to appear in control of their environment. This question gives them room to demonstrate that control or to admit the picture is incomplete, without framing the gap as a failure.
How to read the response: A revealing answer sounds like: "I know about the ones my team set up, but I couldn't tell you what [other department] is running." That's a visibility gap stated voluntarily. The CSA/Token Security survey found that shadow agents enter through multiple channels:
- Internal automation and scripting environments (51%)
- LLM platforms and plugins (47%)
- SaaS tools with built-in automation (40%)
- Developer-created workflows (40%)
In SLED environments the gap is structural: as a practitioner writing in StateTech described it, someone can install an AI agent on an inexpensive desktop, connect it to cloud services, and give it access to email and internal systems without IT ever knowing. The tools arrive through departmental purchases, not through the IT Director's procurement process.
A polite deflection sounds like: "Yeah, we've got a good inventory of everything." If they say this confidently but couldn't name the bots thirty seconds ago, the confidence is about their general IT hygiene, not about AI tools specifically. One follow-up: "Are those tracked in the same asset inventory as your other infrastructure, or is there a separate process for automation tools?" A vague answer here means you have a potential gap. Note it and move on.
Disqualification signal: A current, maintained inventory of every bot and automation tool, including what each connects to. Rare, but it happens in mature federal environments with established RPA programs. If they have it, this domain is closed.
Federal vs. SLED: Federal IT Directors are more likely to know about bots that came through agency automation programs — the GSA's Federal Automation Community tracks over 3,000 use cases. The shadow problem in federal environments tends to be developer-created workflows and API integrations that bypass the formal program. In SLED, the shadow problem is broader: tools arrive through individual initiative, and the IT Director may genuinely not know what's running in a department two floors away.
How these tools authenticate
"When one of these bots connects to a system, does it have its own credentials, or is it using someone's account?"
Why this works: Most IT Directors have never been asked this. The bot was set up to do a job. Whether it authenticates as itself or as the person who built it was often not a consideration at deployment time. The question is plain enough to answer immediately, which is exactly what makes the pause so informative.
How to read the response: If the IT Director has to think about it, the answer is almost certainly that the bot uses a human's credentials or a shared service account, because a dedicated credential would be something they'd remember provisioning. CSA research found roughly a third of organizations allow agents to operate under human user identities; another 40% or more rely on shared service accounts. The bot either looks like a person in every system it touches, or it shares a generic login with an unknown number of other automations.
Revealing answers open naturally into follow-ups. "It's using a service account we set up" — who else uses that account? "I think it's running under [person's name]'s credentials" — what happens to the bot if that person leaves or changes roles? That offboarding scenario is where the real exposure lives: 68% of organizations do periodic permission reviews, but only 21% have a formal decommissioning process for AI agents. The reviews happen. The retirement process, for most organizations, was never built. If the person who provisioned the bot departs, the bot typically keeps running under their credentials with no trigger to revoke access.
When you hear a deflection, it usually sounds like: "We follow our standard access policies for all tools." Standard access policies were written for humans. Press gently: "And are those credentials on a rotation schedule, or more of a set-it-and-forget-it situation?" Roughly one in three organizations isn't sure how often bot credentials are rotated; nearly one in ten report credentials are rarely or never refreshed.
Disqualification signal: Dedicated, individually scoped credentials for each bot, on a documented rotation schedule, with a named owner responsible for each credential. If they describe that setup without hesitation, the credential lifecycle is managed. Move to the next domain.
Federal vs. SLED: Federal environments with mature RPA programs are more likely to have provisioned dedicated service accounts through a formal process. The credential lifecycle problem there is rotation and monitoring, not creation. In SLED, the more common pattern is that the bot inherited the credentials of whoever built it, and nobody documented the dependency.
Whether agent actions show up in audit trails
"If you needed to pull an audit trail for one of these bots — say, for a compliance review — could you separate its activity from regular user activity in your logs?"
Why this works: You're framing this as a compliance question, not a security accusation. IT Directors in government environments live with audit requirements. The question is whether their logging infrastructure can answer the question a compliance reviewer would actually ask.
How to read the response: The honest answer in most environments is no. When a bot runs under a human's credentials, the log shows the human's name. When it runs under a shared service account, the log shows a generic label with no attribution to a specific automation. An IT Director who says "that's a good question, I'd have to check" is giving you the real answer.
A common deflection: "Our SIEM captures everything." Capture and attribution are different problems. A SIEM that ingests every event still records a bot running under a human's account as that human, and a bot on a shared service account as that generic label; nothing in the event itself says which automation acted, so bot activity and human activity look identical in the log. If they cite their SIEM confidently, ask: "And in those logs, would the bot's actions show up under its own identity, or under the account it's using?" That question separates useful logging from voluminous logging.
Disqualification signal: Bot actions tagged, attributed, and separable from human actions in the current logging setup. If they can show you that, move on.
Federal vs. SLED: Federal environments face stricter audit requirements (FISMA, agency-specific mandates), which means the IT Director is more likely to have thought about log attribution — and more likely to feel the pain of not having it. In SLED, compliance postures vary widely by state and agency. A SLED IT Director may not have been asked to produce a bot-specific audit trail yet, which means the gap exists but hasn't been felt. Your question may be the first time they've considered it.
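As an added illustration of the capture-versus-attribution point (example code, not from the original page or any vendor's product): once a bot's actions are logged under the account it borrowed, the only way to pull them back apart is behavioural. The script below parses constructed log lines in an assumed `user= src= action=` format and scores each account on three signals a scheduled job leaves behind and a person does not: near-constant gaps between events, activity outside business hours, and use from more than one source address. The log format, the business-hours window, the thresholds and the two-of-three rule are assumptions.

```python
"""Behavioural attribution of bot activity hiding in shared or borrowed accounts.

Added example, not from the original page or any vendor. Log format, the
business-hours window and the thresholds are all assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import re

# Assumed line format; real SIEM exports differ, adjust LINE_RE accordingly.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>.+)$"
)
BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 UTC is a human workday

# Constructed sample: asmith is a person; jdoe is a person whose account a
# 15-minute scheduled job also authenticates with, from a second host.
SAMPLE_LOG = """\
2026-03-02T09:14:07Z user=asmith src=10.1.4.22 action=GET /api/invoices
2026-03-02T09:21:33Z user=asmith src=10.1.4.22 action=POST /api/invoices/approve
2026-03-02T11:02:49Z user=asmith src=10.1.4.22 action=GET /api/vendors
2026-03-02T15:47:10Z user=asmith src=10.1.4.22 action=GET /api/invoices
2026-03-02T00:00:02Z user=jdoe src=10.1.9.8 action=GET /api/invoices
2026-03-02T00:15:02Z user=jdoe src=10.1.9.8 action=GET /api/invoices
2026-03-02T00:30:02Z user=jdoe src=10.1.9.8 action=GET /api/invoices
2026-03-02T00:45:02Z user=jdoe src=10.1.9.8 action=GET /api/invoices
2026-03-02T01:00:02Z user=jdoe src=10.1.9.8 action=GET /api/invoices
2026-03-02T10:05:41Z user=jdoe src=10.1.4.31 action=GET /api/vendors
"""


def parse_log(text):
    """Group events by account: {user: [(timestamp, src, action), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines outside the assumed format are skipped, not guessed at
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[m["user"]].append((ts, m["src"], m["action"]))
    for evs in events.values():
        evs.sort()
    return events


def regular_gap_fraction(timestamps):
    """Share of inter-event gaps equal, to the second, to the most common gap.

    Scheduled automation produces one dominant gap (every 15 minutes, every
    hour); a person's gaps are effectively all different.
    """
    if len(timestamps) < 3:
        return 0.0
    gaps = [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]
    _, count = Counter(gaps).most_common(1)[0]
    return count / len(gaps)


def off_hours_fraction(timestamps):
    """Share of events outside the assumed business-hours window."""
    return sum(1 for t in timestamps if t.hour not in BUSINESS_HOURS) / len(timestamps)


def score_accounts(events):
    """Per-account signals plus a 'likely_automation' verdict (2 of 3 signals tripped)."""
    report = {}
    for user, evs in events.items():
        ts = [e[0] for e in evs]
        signals = {
            "events": len(evs),
            "regular_gap_fraction": regular_gap_fraction(ts),
            "off_hours_fraction": off_hours_fraction(ts),
            "distinct_sources": len({e[1] for e in evs}),
        }
        tripped = [
            signals["regular_gap_fraction"] >= 0.5,
            signals["off_hours_fraction"] >= 0.5,
            signals["distinct_sources"] >= 2,
        ]
        signals["likely_automation"] = sum(tripped) >= 2
        report[user] = signals
    return report


if __name__ == "__main__":
    for user, signals in score_accounts(parse_log(SAMPLE_LOG)).items():
        print(user, signals)
```

On the constructed sample, jdoe trips all three signals (four of five gaps are exactly 900 seconds, five of six events fall outside the window, two source hosts) while asmith trips none. This is a triage heuristic for finding which human accounts have quietly become bot accounts; it is not attribution. The answer to the attribution question is the one the disqualification signal describes: a dedicated identity per bot, so the log carries the bot's name in the first place.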
What happens when a bot is retired
"For the bots you've already retired or paused — what happened to their access and credentials when they were shut down?"
Why this works: The past tense is deliberate. You're asking about something that already happened, not a hypothetical process. Most organizations have retired at least one automation pilot. The answer to "what happened to its credentials" is usually nothing.
How to read the response: CSA researchers describe "retirement debt" as what accumulates when agents are decommissioned but their credentials persist — in configuration files, environment variables, and secrets stores. The agent stops running. The credential stays active, often indefinitely. The 2026 Verizon DBIR flagged service and machine accounts as the identity class most likely to be leveraged in an agentic AI future, and persistent credentials from retired bots are the simplest version of that exposure.
If the IT Director says "we just turned it off" or "we stopped the process," follow up: "And the account or credentials it was using — were those revoked at the same time, or are they still active?" That gap between stopping a bot and revoking its access is exactly what you're here to surface.
A revealing answer: "I honestly don't know if we cleaned up the credentials." That's a concrete, scoped problem the IT Director can act on. You've arrived at something real.
Deflections here tend to sound like: "We have a standard offboarding process." Ask whether that process covers automation tools or only human employees. In most organizations, the offboarding checklist was built for people.
Disqualification signal: A documented process that includes credential revocation, permission removal, and verification for retired bots. This is a mature environment. The opportunity shifts from gap-filling to scaling what they've built. Different conversation, probably a different stakeholder.
Federal vs. SLED: The difference here is less about regulatory posture and more about institutional memory. Federal agencies with formal RPA programs may have a decommissioning checklist, even if it's incomplete. SLED environments, where bots were stood up by individual departments, are less likely to have any process at all — and the person who built the bot may have already moved on.
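As an added example that serves both the authentication question above (own credentials versus a person's account, rotation, a named owner) and the retirement question (credentials that outlive the bot), and that is not code from the original page or any vendor: an audit that cross-references a bot inventory against the identity store and the current staff list. It raises exactly the findings those two conversations are probing for: bots running as a person, service accounts shared between bots, credentials past their rotation window, retired bots whose credentials are still enabled, and bots whose owner has left. The inventory, the identity store, the staff list and the 90-day rotation policy are all constructed assumptions.

```python
"""Credential-lifecycle audit over a bot inventory.

Added example, not code from the original page or any vendor. The inventory,
identity store, staff list and the 90-day rotation policy are constructed
assumptions; a real run would pull these from the CMDB, the directory or
secrets store, and HR.
"""
from collections import Counter
from datetime import date

AS_OF = date(2026, 3, 2)       # assumed audit date
MAX_CREDENTIAL_AGE_DAYS = 90   # assumed rotation policy

# Constructed data. rlee built two bots and has since left the organization.
STAFF = {"jdoe", "asmith"}

ACCOUNTS = {
    "jdoe":             {"kind": "human",   "enabled": True, "last_rotated": date(2026, 2, 20)},
    "svc-automation":   {"kind": "service", "enabled": True, "last_rotated": date(2024, 11, 5)},
    "svc-helpdesk-bot": {"kind": "service", "enabled": True, "last_rotated": date(2026, 1, 15)},
    "svc-pilot-2025":   {"kind": "service", "enabled": True, "last_rotated": date(2025, 3, 1)},
}

BOTS = [
    {"name": "procurement-rpa-1", "status": "active",  "account": "jdoe",             "owner": "jdoe"},
    {"name": "procurement-rpa-2", "status": "active",  "account": "svc-automation",   "owner": "rlee"},
    {"name": "invoice-matcher",   "status": "active",  "account": "svc-automation",   "owner": "asmith"},
    {"name": "helpdesk-chatbot",  "status": "active",  "account": "svc-helpdesk-bot", "owner": "asmith"},
    {"name": "hr-pilot",          "status": "retired", "account": "svc-pilot-2025",   "owner": "rlee"},
]


def audit(bots, accounts, staff, as_of=AS_OF):
    """Return a list of (bot_name, finding_code, detail) tuples."""
    findings = []
    # How many *active* bots share each account; more than one means a generic login.
    active_use = Counter(b["account"] for b in bots if b["status"] == "active")
    for bot in bots:
        name, acct_name = bot["name"], bot["account"]
        acct = accounts.get(acct_name)
        if acct is None:
            findings.append((name, "UNKNOWN_ACCOUNT", f"{acct_name} is not in the identity store"))
            continue
        if bot["owner"] not in staff:
            # The offboarding trigger that revokes a person's access rarely reaches
            # the bots that person provisioned.
            findings.append((name, "OWNER_DEPARTED", f"owner {bot['owner']} is no longer on staff"))
        if bot["status"] == "retired":
            if acct["enabled"]:
                findings.append((name, "RETIRED_CREDENTIAL_ACTIVE", f"{acct_name} is still enabled"))
            continue  # for a retired bot the live credential is the finding that matters
        if acct["kind"] == "human":
            findings.append((name, "HUMAN_IDENTITY", f"authenticates as the person {acct_name}"))
        if active_use[acct_name] > 1:
            findings.append((name, "SHARED_ACCOUNT",
                             f"{acct_name} is used by {active_use[acct_name]} active bots"))
        age_days = (as_of - acct["last_rotated"]).days
        if age_days > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((name, "STALE_ROTATION", f"{acct_name} last rotated {age_days} days ago"))
    return findings


def findings_by_bot(findings):
    """Collapse the finding list to {bot_name: {code, ...}} for quick triage."""
    grouped = {}
    for bot, code, _ in findings:
        grouped.setdefault(bot, set()).add(code)
    return grouped


if __name__ == "__main__":
    for bot, code, detail in audit(BOTS, ACCOUNTS, STAFF):
        print(f"{bot:18} {code:26} {detail}")
```

On the constructed data, only helpdesk-chatbot comes back clean: its own service account, rotated within the window, owned by someone still on staff. A clean run across the whole inventory is, in effect, the disqualification signal for both domains. One caveat worth carrying into the conversation: if a retired bot's account is also used by an active bot, disabling it is not an option, which is the practical cost of shared service accounts and the reason the audit counts sharing among active bots separately.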
The signal that matters most
Across all four domains, the single most important thing you'll observe is the pause. When an IT Director pauses before answering a question about their bots, they are doing the mental work of realizing they don't have the answer. That pause is worth more than any statistic you could cite.
Your job in that moment is to let it land. Let them arrive at the gap themselves, then ask what solving it would look like. The transition from discovery to opportunity only works if the IT Director owns the conclusion.
If you get confident, specific answers across all four domains, you're talking to someone who has already solved the problem or doesn't have one. Note it and move on. Spend your time on the account where the IT Director said "that's a good question" three times in ten minutes.
Things to follow up on...
- Agents that exceed scope: A CSA/Zenity survey from April 2026 found that 53% of organizations have had AI agents exceed their intended permissions, and when incidents occur, detection and response times stretch to hours or days.
- NIST standards in motion: NIST launched its AI Agent Standards Initiative in February 2026, with forthcoming SP 800-53 control overlays for single-agent and multi-agent systems that will shape how federal agencies are expected to govern agent identity.
- The ownership fragmentation problem: CSA/Aembit research found that only 9% of organizations assign primary AI agent identity ownership to IAM teams, with responsibility scattered across security (28%), development (21%), and IT (19%) — meaning nobody fully owns the problem.
- SLED agencies moving past pilots: NASCIO's executive director confirmed that state agencies are now deploying AI chatbots, virtual agents, and productivity tools in production, which means the IT Director's offhand mention of a bot is more likely describing an operational system than an experiment.

