Signal: A REN-ISAC advisory circulated in May 2026 describes an anonymized Tier 1 research university whose agentic AI rollout for research workflow automation generated 340 service accounts outside any existing IAM provisioning process — none governed, none in the directory, none subject to access review.
REN-ISAC Advisory 2026-04, "Ungoverned Non-Human Identity Proliferation in Agentic AI Research Deployments," circulated May 19, 2026, describes the case without naming the institution. A follow-on report in Inside Higher Ed, published May 28, publicly identified it as a Big Ten university. Reported but single-source; the institution has not confirmed the identification as of this writing.
The provisioning mechanism is where the risk lives. The university's AI platform team deployed a commercial agentic workflow tool to automate grant documentation processing and data pipeline management across several research computing clusters. The tool provisions its own service accounts as it spins up agents for each workflow task — by design, not by misconfiguration. The IAM team was not in the loop. The result: 340 service accounts with API-level access to research data systems, created over approximately six weeks, with no lifecycle management, no access review schedule, and no visibility in the institution's identity governance tooling.
The CSA State of Non-Human Identity Security 2025 found that NHIs outnumber human identities by an average of 45-to-1 in enterprise environments, and that 68% of NHIs in research-adjacent cloud environments have no documented owner. Agentic AI accelerates that ratio. Each agent instantiation is a provisioning event. Most campus IAM governance frameworks were not designed for provisioning events that happen at software speed.
The advisory's operational finding is direct: the university's existing IAM governance process ran on a 30-day review cycle for service account requests. The AI platform generated more service accounts in its first week than the IAM team typically processes in a quarter. The governance model assumed human-paced provisioning — a reasonable assumption, until agentic tooling made it obsolete.
The provisioning behavior described in the REN-ISAC advisory is not a bug in the specific tool the Big Ten institution deployed. It is how most commercial agentic platforms handle agent identity. The IAM governance conversation has to happen before the pilot goes to production, not after the service account count surfaces in an audit.
Access scope is what elevates this from a platform team problem to a CISO problem. These weren't sandbox accounts. Several had read access to research data repositories that the institution's own data classification policy designated as sensitive. The advisory does not specify whether any data was exfiltrated; it notes only that the access existed and was unreviewed for the duration of the deployment.
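One way to surface the gap described above, as an added example (not code from the advisory, the institution, or any vendor): reconcile the service accounts found on the research systems against the IAM directory, rank the ungoverned ones by sensitive access and missing owner, and flag any week in which creation exceeds IAM's normal quarterly request volume. All account names, resource names, record fields, and the baseline figure are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data. Names, fields and numbers are assumptions for illustration.
GOVERNED = {"svc-hpc-backup"}              # accounts present in the IAM directory
SENSITIVE = {"research-data-restricted"}   # resources the classification policy marks sensitive
IAM_QUARTERLY_BASELINE = 3                 # service account requests IAM handles per quarter

# Accounts as enumerated from the research systems themselves, not from IAM.
OBSERVED = [
    {"name": "svc-hpc-backup", "created": date(2026, 3, 2), "owner": "hpc-ops",
     "grants": ["cluster-a:read"]},
    {"name": "agent-wf-001", "created": date(2026, 4, 6), "owner": None,
     "grants": ["grants-docs:write"]},
    {"name": "agent-wf-002", "created": date(2026, 4, 7), "owner": None,
     "grants": ["research-data-restricted:read"]},
    {"name": "agent-wf-003", "created": date(2026, 4, 7), "owner": "ai-platform",
     "grants": ["pipeline-a:write"]},
    {"name": "agent-wf-004", "created": date(2026, 4, 8), "owner": None,
     "grants": ["pipeline-a:write", "research-data-restricted:read"]},
    {"name": "agent-wf-005", "created": date(2026, 4, 9), "owner": None,
     "grants": ["grants-docs:write"]},
    {"name": "agent-wf-006", "created": date(2026, 4, 14), "owner": "ai-platform",
     "grants": ["pipeline-a:write"]},
]

def ungoverned(observed, governed):
    """Accounts that exist on a system but are unknown to the IAM directory."""
    return [a for a in observed if a["name"] not in governed]

def triage(observed, governed, sensitive):
    """Rank ungoverned accounts: sensitive access first, then missing owner."""
    findings = []
    for acct in ungoverned(observed, governed):
        resources = {g.split(":", 1)[0] for g in acct["grants"]}
        findings.append({"name": acct["name"],
                         "no_owner": not acct.get("owner"),
                         "sensitive": sorted(resources & sensitive)})
    findings.sort(key=lambda f: (not f["sensitive"], not f["no_owner"], f["name"]))
    return findings

def burst_weeks(observed, governed, quarterly_baseline):
    """ISO (year, week) pairs where ungoverned creations in a single week
    exceed what IAM normally processes in a whole quarter."""
    per_week = Counter(tuple(a["created"].isocalendar()[:2])
                       for a in ungoverned(observed, governed))
    return {wk: n for wk, n in sorted(per_week.items()) if n > quarterly_baseline}

if __name__ == "__main__":
    for finding in triage(OBSERVED, GOVERNED, SENSITIVE):
        print(finding)
    print(burst_weeks(OBSERVED, GOVERNED, IAM_QUARTERLY_BASELINE))
```

The input that matters is the system-side enumeration: an inventory drawn only from the IAM directory cannot show accounts the directory never saw.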
The pattern is already repeating. Agentic workflow tools are being evaluated or actively piloted at most R1 institutions right now.
Rep question: When you're sitting across from a campus CISO who has approved an AI initiative — any AI initiative — ask this: "When your AI platform provisions a service account to access a research system, does that event route through your IAM governance process, or does it go directly to the system owner?" How long it takes to answer tells you whether NHI governance is in place or assumed.

