Gartner published its first-ever Market Guide for Guardian Agents in February, authored by analysts Avivah Litan and Daryl Plummer, formally recognizing AI agent governance as a distinct enterprise security category. The move signals that identity and access management for autonomous agents has graduated from theoretical concern to procurement priority.
The report defines guardian agents as technologies “managing the identities/access for AI agents with zero-trust policies and governance,” according to Delinea’s announcement of its inclusion as a Representative Vendor. Gartner’s framing is direct: “emerging frameworks treat AI agents as high-privilege, nonhuman identities requiring continuous behavioral monitoring and just-in-time access controls to address gaps in traditional IAM systems.”
Why Traditional IAM Falls Short
The structural problem is scope. Traditional identity systems were built for human users who log in, perform tasks, and log out. AI agents operate continuously, span multiple applications, acquire permissions opportunistically, and generate activity at machine speed.
Orchid Security’s analysis estimates that roughly half of enterprise identity activity already occurs outside centralized IAM visibility. The company calls this “identity dark matter”: local accounts, undocumented authentication paths, and application-native access controls that governance tools have never inventoried. When AI agents inherit or create identities within those blind spots, security teams have no audit trail.
Strata’s research frames the scale challenge bluntly: in some enterprise environments, AI agents may outnumber human identities 80 to 1. Each agent requires its own credentials, delegation chains, and just-in-time access scoping. Static service accounts cannot keep pace.
The Vendor Scramble
The Gartner report has triggered a positioning rush. Delinea, already a seven-time Leader in Gartner’s Privileged Access Management Magic Quadrant, announced its inclusion in the Agent Identity subcategory. CEO Art Gilliland told reporters that “AI agents are privileged users inside enterprise environments, accessing sensitive data, connecting to critical systems, and executing at a speed no human can monitor.”
Orchid Security’s platform takes a different approach, applying identity observability at the application layer through binary analysis and dynamic instrumentation. Rather than monitoring login events at the perimeter, it inspects authentication and authorization logic inside applications directly.
Strata’s Maverics Agentic Identity product focuses on OAuth orchestration, providing just-in-time identity provisioning that creates agent credentials per task and retires them immediately after.
Forbes flagged Gartner’s assessment that failure to address AI agent identity and governance ranks among the top cybersecurity trends to watch in 2026. That assessment predates the recent wave of agent security incidents, including the CLI-Anything supply chain attack and Cisco’s $400M acquisition of Astrix for non-human identity management.
The Procurement Signal
The creation of a standalone Gartner market category changes purchasing dynamics. Enterprise buyers now have analyst backing to budget for guardian agent tools as a line item, separate from traditional PAM or IAM spend. For vendors in the space, inclusion in the Market Guide functions as a shortlist accelerator.
The open question is whether the guardian agent category consolidates into existing security platforms or remains independent. Cisco’s Astrix acquisition suggests the former. Orchid and Strata’s standalone positioning bets on the latter. Either way, the gap between agent deployment velocity and identity governance capability continues to widen with each enterprise rollout.