“Enterprise adoption of AI agents is accelerating, outpacing maturity of governance policy controls,” Gartner wrote — and Orchid Security’s analysis paints a clear picture of how that gap already looks inside corporate applications.
Gartner’s Market Guide and Orchid’s invitation
Gartner’s inaugural Market Guide for Guardian Agents stated that enterprise AI-agent adoption is moving faster than governance. Orchid Security is offering complimentary access to that Market Guide, and the company points to Gartner’s description of a “guardian agent” vendor as one that manages identities and access for AI agents with zero-trust policies and governance. Gartner’s publications, the source notes, “reflect the opinions of Gartner’s research organization” and “do not endorse any vendor, product, or service depicted.”
Identity dark matter: roughly half of identity activity outside IAM visibility
Orchid’s analysis identifies a structural problem: traditional identity and access management (IAM) was designed around human users logging in and out. AI agents behave differently — they run continuously, traverse multiple applications, request permissions opportunistically, and act at machine speed. Orchid calls the resulting, unmanaged layer “identity dark matter.” According to Orchid, roughly half of enterprise identity activity already occurs outside centralized IAM visibility because many identities and controls are embedded directly in applications rather than in central directories or IAM tools.
Ask Orchid: three questions security teams are now asking
Orchid embeds an AI agent called “Ask Orchid” into its platform to apply identity observability at the source — inside applications, at the binary and configuration layer — and to answer natural-language questions about the full identity estate. Security and compliance leaders are using it for at least three urgent queries:
- What AI agents are running in our environment? Ask Orchid examines user accounts, authentication flows, authorization permissions, and runtime activity across every application. The platform promises automatic discovery of AI agents (including likely purpose and risk profile), identification of areas confirmed not to be using agents, and recommended actions to help establish oversight.
- How compliant are we with NIST identity requirements right now? Ask Orchid inspects how identity controls are implemented inside each application at the binary level and compares what is coded against NIST requirements, covering NIST CSF 1.1 and 2.0. Outputs include a clear view of implemented controls and gaps, application-level detail, and a prioritized remediation roadmap.
- Do we have static credentials that should be rotated immediately? The tool inventories static credentials across cloud, on-premise, and local accounts, shows where they live and why they must be rotated, and provides risk-tiered prioritization to identify the most urgent exposures.
How Orchid gains visibility: binary analysis and dynamic instrumentation
Orchid positions its platform to operate “inside applications” rather than at the perimeter of centralized IAM. Using binary analysis and dynamic instrumentation, it inspects native authentication and authorization logic directly within applications without requiring APIs, source-code changes, or lengthy integrations. That approach, the company says, provides visibility into the half of identity activity that conventional IAM platforms miss — including every AI agent operating across the estate.
Gartner recognized Orchid as a Representative Vendor in the Market Guide for Guardian Agents, describing that category as vendors “managing the identities/access for AI agents with zero-trust policies and governance.” Orchid calls its output “full-spectrum identity authority,” spanning observability through orchestration for both human and non-human identities.
Orchid’s five principles for governing AI agents
- Human-to-Agent Attribution: Every AI agent action is linked to a responsible human owner to ensure accountability.
- Comprehensive Activity Audit: A recorded chain of custody — Agent → Tool/API → Action → Target — supports compliance reporting and incident response.
- Dynamic, Context-Aware Guardrails: Access decisions are evaluated continuously and tied to real-time context and the sensitivity of the target resource rather than broad standing privileges.
- Least Privilege: Just-in-Time elevation replaces persistent “god-mode” access for agents and machine identities.
- Automated Remediation: Risky behavior triggers automated responses such as credential rotation and session termination without manual intervention.
What this means for CISOs, security teams, and procurement leaders
For CISOs and compliance leaders, Ask Orchid offers a way to assess NIST CSF compliance continuously and on demand rather than relying solely on third-party audits. For security and identity teams, the platform promises a near-term inventory of AI agents and static credentials across cloud, on-premise, and local accounts — turning previously invisible “identity dark matter” into prioritized remediation tasks. For procurement and enterprise leaders, Orchid’s complimentary access to the Gartner Market Guide is presented as a starting point for evaluating vendors that claim to manage AI-agent identities and enforce zero-trust governance.
The central fact the reporting leaves on the table is operational: enterprises are already running AI agents at scale, and according to Orchid and Gartner, governance has not kept pace. Orchid’s pitch is direct — find the agents, map the controls in the binaries where they are enforced, and remediate risky credentials and behaviors before a breach makes them visible.
Original story: Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing?




