Gartner's 2026 Hype Cycle for Digital Identity just did something worth paying attention to.
For the first time, two capabilities that sit at the core of what aizome is building - AI Agent Identity and Intent-Based Access Control - appear as named innovations on the most widely cited technology adoption framework in enterprise IT.
AI Agent Identity: High benefit. 2-5 years to mainstream adoption.
Intent-Based Access Control: High benefit. 5-10 years to mainstream adoption.
Both on the Innovation Trigger. Both at the forefront of innovation. Both have still very minimal adoption today.
In my opinion, here’s what that means for your enterprise, because the instinct to read "5-10 years to mainstream adoption" as a reason to wait is exactly the instinct that will put you on the wrong side of the AI incidents curve and on the wrong side of unlocking AI value opportunity curve
What I Believe the Hype Cycle Actually Means
The Hype Cycle is a framework for understanding when a technology category reaches widespread adoption. It is not a framework for understanding when the problem that the category solves becomes real.
Enterprise AI agents are not a technology category on a Hype Cycle. They are already in production in your organization - in Finance, HR, Sales, Operations, and IT - operating across your most sensitive systems, making consequential decisions, often with no human in the loop.
The problem AI Agent Identity and Intent-Based Access Control solve is not futuristic.
That distinction is everything.
Gartner's analysis of Intent-Based Access Control is explicit about why the problem is urgent right now: the two most common ways enterprises authorize AI agents - granting the agent the human user's standing access or giving agents persistent, long-lived access - both result in overpermissioning. The data confirms the consequence: 61% of enterprise AI agent security incidents are tied to over-permissioned credentials.
The incidents aren't waiting for mainstream adoption. They're happening today, in environments where the governance infrastructure is embryonic but the agents are fully operational.
The Gap
Here is the gap that every enterprise leader needs to understand: AI agents are being deployed on a timeline driven by business value. The productivity gains are real - finance agents automating month-end close, HR agents managing onboarding workflows, sales agents enriching CRM data in real time. The competitive pressure to deploy is significant. The business case is proven.
The governance infrastructure to match that deployment pace is not keeping up. Gartner puts AI Agent Identity at 2-5 years from mainstream. That means in 2-5 years, giving every enterprise AI agent a verified identity, a documented human owner, and a defined scope will be table stakes, the minimum bar for operating in a governed enterprise environment. Regulators will definitely require it. Auditors will certainly ask for it. Boards will demand it.
But between now and then, every quarter of ungoverned agent operation is a quarter of accumulated risk. Agents operating without verified identities. Actions that cannot be traced back to authorizing humans. Behavioral drift that nobody is detecting because nobody is watching.
The organizations that achieve mainstream adoption, having already built the governance infrastructure, will be the ones that can answer the board's questions, and in the meantime will unlock the full value of AI Agents. The ones that treated "5-10 years to mainstream" as a reason to delay will be the ones explaining incidents or trying to avoid AI altogether.
Why Intent-Based Access Control Is the Harder Problem - And the More Important One
AI Agent Identity reaches mainstream adoption faster than Intent-Based Access Control for a reason. Assigning an identity to an agent - a verified principal, a documented owner, a defined scope - is the necessary foundation. However, it is also insufficient on its own.
Gartner's analysis of Intent-Based Access Control names the gap precisely: the most commonly implemented authorization methods for AI agents result in overpermissioning. Standing access. Persistent long-lived permissions. Both grant agents more access than they need for any specific transaction, and neither evaluates whether the agent's actions in a given session are consistent with the purpose it was built to serve.
Intent-Based Access Control is the answer: downscope access per session and per transaction based on the captured intent of the user and the agent. Evaluate the agent's intended actions against that intent continuously.
Gartner rates it 5-10 years to mainstream, not because the problem is distant but because the solution is very complex. Translating organizational intent into machine-readable, enforceable access policies at runtime, without the error rates that come from natural language interpretation, without the latency that comes from running inference on every tool call, at the deployment footprint that enterprise environments require, is a genuinely hard engineering problem.
The organizations that solve it before it becomes table stakes will have a structural advantage over those that are still trying to implement it when Gartner says the Plateau of Productivity has arrived.
What This Looks Like in Practice
Let me make the Gartner framework concrete. An enterprise AI agent is provisioned to manage vendor invoice processing. It has access to accounts payable data, the ERP, and the vendor database. It operates on behalf of a Finance analyst.
Without AI Agent Identity, this agent may not appear in any inventory. It may share credentials with other agents or with the human who deployed it. When something goes wrong, there is no clear accountability chain from the agent's actions back to an authorizing human.
Without Intent-Based Access Control, this agent maintains standing access to every system within its permission scope - regardless of the specific task it is executing in any given session. When it is invoked to process a routine invoice, it has the same access as when it is asked to reconcile a discrepancy across three systems. The access is not scoped to the intent of the specific transaction.
With AI Agent Identity, the agent has a verified identity, a documented human owner, and a defined scope. Every action is traceable. Accountability is clear.
With Intent-Based Access Control, the agent's access is downscoped to what the specific task actually requires. The Finance analyst's intent for this transaction - process this invoice - becomes the authorization boundary for this session. The agent cannot access systems or data that are not relevant to the task at hand, even if they fall within its broader permission scope.
The difference between the first and second scenarios is not theoretical. It is the difference between an audit trail that answers questions and one that raises more questions than it answers. It is the difference between a governance posture that satisfies a regulator and one that requires remediation under deadline pressure.
The Window Is Measurable
Gartner's timing signals give us a way to think about the window.
AI Agent Identity reaches mainstream in 2-5 years. That means by 2028-2031, giving every agent a verified identity will be expected rather than exceptional. The organizations implementing it today are 2-5 years ahead of where the market will require them to be.
Intent-Based Access Control reaches mainstream in 5-10 years. That means by 2031-2036, intent-based authorization for agent transactions will be standard practice. The organizations implementing it today are 5-10 years ahead.
In terms of technology adoption, those are significant lead times. In business risk terms, those are significant periods during which ungoverned agent operation accumulates exposure.
The window to build before it becomes table stakes is not indefinitely open. Regulatory frameworks are moving. Enforcement of the EU AI Act has begun. FINRA's 2026 oversight report requires human checkpoints for agents who can act or transact. The compliance pressure that drives mainstream adoption is building faster than the technology timeline suggests. But most importantly, AI is not waiting, it is becoming a critical element to drive value in any business.
What to Do With This
The Gartner Hype Cycle is very useful for understanding market dynamics and timing. It is not the right framework for deciding when to address a security/governance problem that is actively producing incidents in your environment today.
The governance infrastructure for enterprise AI agents - AI agent identity, intent-based access control, runtime behavioral observation, cross-chain accountability - needs to be built on the timeline driven by your agent deployment, not by when analysts predict the market may reach mainstream adoption.
Three steps that close the gap:
Start with discovery. Find every agent operating in your environment - not the approved list, the actual list. The number will be higher than you expect, and the access will be broader than anyone authorized.
Establish agent identity. Every agent needs a verified identity, a documented human owner, and a defined organizational intent. This is the foundation. Without it, intent-based access control has nothing to evaluate against.
Add runtime intent governance. Downscope access per session, based on the intent being served. Evaluate agent behavior continuously against that intent. Detect drift before it produces outcomes nobody authorized.
Gartner has named the categories. The market will follow. The organizations that build this infrastructure now - before the incidents that make it undeniable, before the regulations that make it mandatory, before the competitors that make it a differentiator - will be the ones that deploy enterprise AI agents with confidence while the rest of the market catches up.
Amir Ofek is CEO and Co-Founder of aizome, an Enterprise AI Agent Identity Fabric Platform and a founding player in the ARISE - Agentic Runtime Identity Security Enforcement - category.