The AI agent identity market is running the same sequence, faster.
CISA guidance and the OMB update matter, but they arrive downstream of the deployment decisions already being made. The variable that decides the architecture contest is the organizational gap between business-unit AI adoption timelines and central IT governance timelines. Business units are approving AI agent deployments in 3–6 month procurement cycles. Central IT governance teams are running 18–24 month review cycles. The gap is structural, and it is being filled, right now, by platform-native identity.
Every quarter that gap persists, the installed base of platform-native AI agent identity grows. Every deployment that goes live before the governance mandate arrives is a deployment that the mandate will have to either exempt or force into a costly migration. The historical pattern is consistent: mandates exempt the installed base. The architecture question gets answered by default, and the governance standard arrives into a market that has already decided.
The four platform moves documented elsewhere in this issue are installed-base accumulation events, full stop. Each one provisions AI agent identities into a platform-native credential store before central IT governance has reviewed the deployment. The aggregate effect, across thousands of enterprise deployments, is a fait accompli.
The Loops
Loop 1: The Shadow Deployment Accumulation (Reinforcing)
Business units discover that AI agents embedded in their workflow platforms — Salesforce's Agentforce, ServiceNow's AI agent framework, comparable offerings from enterprise cloud vendors — can be provisioned and deployed without engaging central IT governance. The platform handles authentication natively. The business unit gets productivity gains. Central IT discovers the deployment 9–12 months later, during an audit or a security review, by which point the agent is running production workflows and cannot be taken offline without disrupting the business.
The delay is structural: business-unit procurement cycles run 3–6 months; central IT governance cycles run 18–24 months. The gap is 12–18 months of unreviewed deployments accumulating in the installed base. An internal survey of Fortune 500 IT governance teams conducted by the Enterprise Strategy Group in Q1 2026 found that 67% of respondents reported discovering AI agent deployments in their environments that had not been reviewed by central IT — up from 41% in the same survey 12 months earlier.
Loop 2: The Workflow Entrenchment Cycle (Reinforcing)
Once an AI agent is running a production workflow, its identity is inseparable from the workflow. The agent's credentials are provisioned by the platform that runs the workflow; the agent's access permissions are defined by the platform's native role model; the agent's audit trail is stored in the platform's native logging system. Migrating the agent to a centralized identity governance framework requires rebuilding the credential, the permission model, and the audit trail — which requires rebuilding the workflow. The switching cost, in other words, is measured in workflow disruption, not credential migration. The longer an agent runs in production, the more deeply its identity is embedded in the workflow's operational logic, and the higher the switching cost becomes.
Loop 3: The Mandate Scope Compression (Reinforcing)
Governance mandates that arrive into a large installed base face a consistent political economy problem: the installed base represents deployed capital, running workflows, and organizational dependencies. Mandating retroactive compliance would require agencies and enterprises to either migrate or terminate deployments that are delivering business value. That choice consistently resolves in favor of exemption. The mandate gets scoped to new deployments only, which means the installed base is permanently exempt, which means the governance standard applies to a shrinking fraction of the total AI agent population as the installed base continues to grow.
The CMMC precedent is instructive. The final CMMC 2.0 rule, published in 2024, included a phased implementation timeline that effectively grandfathered existing contractor systems for 3–5 years. The NHI governance mandate is likely to follow the same pattern. Regulators aren't captured; the political economy of disrupting running production systems is simply prohibitive.
Loop 4: The Platform Bundling Economics (Reinforcing)
Platform vendors have a structural incentive to include AI agent identity governance as a zero-marginal-cost feature. The marginal cost of adding governance capabilities to an existing platform identity layer is low; the competitive benefit of making standalone governance tools unnecessary is high. As platform vendors bundle governance features into their base offerings, the price competition facing standalone tools intensifies, which reduces their addressable market, which reduces their R&D investment, which widens the capability gap between platform-native and standalone governance, which makes platform-native governance more attractive to buyers.
Salesforce's Q1 2026 earnings call included a disclosure that Agentforce's identity and governance layer would be included at no additional cost for Enterprise and Unlimited tier customers. That pricing move directly undercuts the standalone governance tool market for Salesforce-native agent deployments — and it signals the direction of travel for every major platform vendor with a comparable agent offering.
Batch Clusters
Batch 1: The Shadow Deployment Accumulation
Driver: Loop 1
The installed base of platform-native AI agent identity is being built now, before the governance mandate arrives. This batch resolves when the installed base crosses the threshold at which retroactive compliance becomes politically and operationally infeasible.
Outcomes:
- By Q4 2026, more than 60% of AI agent deployments in Fortune 500 companies are provisioned through platform-native identity stores rather than centralized IAM systems
- Central IT governance teams report an average 9–12 month lag behind business-unit AI deployments in at least two major enterprise vertical surveys by Q2 2027
- Platform-native AI agent identity becomes the de facto standard in financial services, healthcare, and manufacturing verticals before any federal mandate is finalized
Probability: 68–75% for the batch. The governance lag outcome is the highest-confidence individual outcome at approximately 80%, based on the ESG Q1 2026 survey trend line. The 60% platform-native threshold is lower at roughly 62%, because the figure depends on how "platform-native" is defined in survey methodology — a definitional dispute that vendors have every incentive to exploit.
Timeline confidence: Already in progress; batch resolves by Q3 2027.
Leading signals: Enterprise IAM team headcount relative to AI deployment velocity; platform vendor reported agent deployment numbers; CIO survey data on governance lag; ESG and Gartner enterprise identity survey results in H2 2026.
Batch 2: Workflow Entrenchment
Driver: Loop 2
Platform-native identity becomes load-bearing in production workflows, making migration to centralized governance operationally prohibitive without full workflow redeployment.
Outcomes:
- By Q4 2027, at least 40% of enterprise AI agents are running production workflows where the platform credential is load-bearing and cannot be migrated without workflow disruption
- At least two major platform vendors publish documentation explicitly stating that their AI agent identity architecture is not designed for external governance framework integration
- Enterprise IT teams report that retrofitting centralized governance onto existing agent deployments requires full redeployment in at least 70% of cases, based on pilot program data
Probability: 58–65% for the batch. The load-bearing credential outcome has the highest confidence, at approximately 70%; the platform documentation outcome is lower at roughly 50%, because platform vendors have incentives to claim interoperability even when the practical switching cost is high. The gap between what vendors say in partner documentation and what their integration teams say in implementation guides is the tell.
Timeline confidence: 18–30 months (resolution window: Q4 2026 to Q4 2028).
Leading signals: Platform vendor API documentation and integration partner announcements; enterprise IT migration project completion rates; platform vendor partner ecosystem announcements about governance integration; implementation consultant job postings citing NHI migration complexity.
Batch 3: The Fait Accompli Standard
Driver: Loop 3
When the governance mandate arrives, it is scoped to new deployments only, exempting the installed base and locking in the fragmented architecture for the lifetime of existing deployments.
Outcomes:
- OMB M-22-09 update, when finalized, includes a phased implementation timeline that exempts existing federal AI agent deployments for at least 24 months
- CISA NHI guidance, when finalized, explicitly applies only to deployments initiated after the guidance effective date
- The governance standard, as implemented, covers less than 35% of the total AI agent installed base in federal civilian agencies within 12 months of publication
Probability: 52–60% for the batch. The phased implementation outcome has the highest confidence, at approximately 68%, based on the CMMC precedent and the consistent pattern of OMB implementation timelines accommodating existing deployments. The 35% coverage threshold is harder to assess because federal deployment counts are not publicly disclosed — the figure could be higher or lower depending on how agencies count agents provisioned through platform-native stores.
Timeline confidence: 24–36 months.
Leading signals: OMB M-22-09 draft language on retroactivity and implementation timelines; CISA guidance scope definitions; agency implementation plan timelines published in response to OMB guidance; OMB comment period responses from federal agencies citing implementation burden.
Batch 4: Platform Bundling Economics
Driver: Loop 4
Platform vendors price standalone governance tools out of the market by including governance capabilities at zero marginal cost, consolidating the market around platform-native approaches before the federal mandate creates a captive buyer pool for standalone tools.
Outcomes:
- At least four major enterprise platform vendors include AI agent identity governance as a standard feature (not an add-on) by Q4 2026
- Standalone NHI governance tool adoption stalls in enterprise segments where platform-native alternatives exist, with net new ARR growth falling below 15% annually by 2027
- Enterprise procurement teams consolidate AI identity governance into platform contracts rather than standalone tools in at least 50% of new procurement cycles by Q4 2027
Probability: 62–70% for the batch. The platform bundling outcome has the highest confidence, at approximately 75%, given Salesforce's Q1 2026 pricing move and the competitive pressure it creates on every other major platform vendor. The standalone tool stall is lower at roughly 55%, because federal and regulated-industry buyers may continue to require standalone governance for compliance reasons — creating a two-tier market where the compliance layer survives in regulated verticals while losing the broader enterprise.
Timeline confidence: 12–24 months.
Leading signals: Platform vendor product announcements and pricing changes; NHI pure-play vendor revenue growth rates and customer acquisition costs; enterprise software contract consolidation data from Gartner and IDC; platform vendor partner program changes affecting governance tool integrations.
Batch Summary
| Batch | Driver | Probability | Timeline |
|---|---|---|---|
| Shadow Deployment Accumulation | Loop 1 | 68–75% | Resolves by Q3 2027 |
| Workflow Entrenchment | Loop 2 | 58–65% | 18–30 months |
| Fait Accompli Standard | Loop 3 | 52–60% | 24–36 months |
| Platform Bundling Economics | Loop 4 | 62–70% | 12–24 months |
Horizon Markers
If Batch 1 resolves by Q3 2027, the installed base problem is real: central IT governance is structurally behind the deployment curve, and the governance mandate will arrive into a market where the majority of AI agent identities are already platform-native and the remediation cost is measured in workflow disruption, not credential migration.
If Batch 2 resolves by Q4 2027, the switching cost argument is no longer theoretical. Platform-native identity is load-bearing in production workflows, and the compliance layer's path to displacement runs through workflow migration — a materially harder sell than a credential migration, and one that most enterprise IT teams will not make unless forced.
If Batch 3 resolves by 2028, the governance mandate has been scoped to avoid disrupting the installed base, and fragmentation is the permanent architecture for the majority of deployed AI agents. The compliance layer wins the new deployment market; the platform-native layer keeps the installed base. In a contest over leverage, the installed base wins.
If Batch 4 holds through 2027, the window for a compliance-layer-dominant architecture closes faster than the regulatory timeline suggests. The standalone governance market loses its pricing power before the federal mandate creates a captive buyer pool, and the platform-native layer wins the economics before the policy contest is settled.

