Time for mature identity governance

The blind spot undermining your sovereignty

Blog, 07 May 2026

Ron Martinek
Partner, Microsoft Alliance Lead Netherlands, PwC Netherlands

Ivo van Bennekom
Partner Digital Identity, PwC Netherlands

Every unmanaged service account, every forgotten API key, every robot with excessive rights is an open door in your sovereignty structure. And billions more are coming. Time for mature identity governance.

Picture this: an organisation has built an exemplary sovereignty structure. Data in Europe. Infrastructure managed under European jurisdiction. Sovereign landing zones implemented. Customer-managed keys configured. Audit trails activated. The CISO can present it with confidence to the supervisory board.

Then come the questions. Which service accounts are running on that infrastructure right now? Which automated processes can read, modify or move data without human intervention? How many AI agents are active, and when were their rights last reviewed? Too often, the answers aren't there.

We believe sovereignty without mature identity governance is an illusion. You can know where your data are and who manages your infrastructure, but if you cannot determine and enforce who and what has access, you have no control. And the rise of agentic AI is about to expose that illusion.

The split identity world

Most organisations operate in a hybrid reality. Cloud systems. On-premise systems. SaaS applications. Legacy systems. The structurally underestimated problem: identity and access processes are usually managed separately. The result? Parallel identity environments, each with their own governance, their own processes, their own gaps. No integrated view. No central control.

For human users, this is already a governance challenge. But the real time bomb lies elsewhere. Every modern IT environment runs on a web of non-human identities. Service accounts driving processes. API keys connecting systems. Robots automating tasks. Scripts moving data. Within an average business environment, these non-human identities outnumber human users by a factor of ten to fifty.

These non-human identities are the nervous system of digital operations. Yet they're almost nowhere managed as identities. No lifecycle management. No periodic review of rights. No offboarding when a process stops. Passwords and keys set at creation, never changed. Rights granted on day one, never reviewed.

Not an IT hygiene problem, but a sovereignty problem

This isn't an IT hygiene problem. It's a sovereignty problem. Every unmanaged identity with access to data undermines the entire architecture around it. It doesn't matter that your data are in Europe if a forgotten service account with administrator rights can move, delete or change that data without control.

And this is already your reality. Inadequate logical access security is a recurring area of attention in the audits we conduct. It's one of our most common findings. With increasing cloud usage and regulation such as NIS2 and DORA, that audit scope is shifting from financial systems to all systems essential for the continuity of critical business processes.

Why identity is the foundation for sovereignty

The connection between sovereignty and identity is rarely made explicitly. Let's make it here.

Sovereignty is about control. Control over where your data and infrastructure are, who manages them, whether you can run the applications supporting your organisational processes independently. But control is an empty promise without the ability to determine and enforce who and what has access.

Take the three layers of sovereignty:

  1. Data sovereignty without identity governance means you know your data are in Europe, but cannot guarantee that only authorised entities can access them. A service account with overly broad rights can move data across borders without anyone noticing.
  2. Operational sovereignty without identity governance means that, even if you manage the infrastructure yourself, you don't necessarily control what actually happens on that infrastructure. Non-human processes operate outside your view.
  3. Software sovereignty without mature identity governance means you can run applications independently, but have insufficient control over who accesses your applications and thus your business processes.

Identity governance isn't a supplement to sovereignty. It's the layer that makes sovereignty operationally effective, so you can deliver on your sovereignty commitments.

Agentic AI is the tipping point

Now comes the factor that raises the urgency: agentic AI. AI agents are autonomous systems that don't just execute tasks. They make independent decisions, interact with other systems and act on behalf of users. From prototype to production. This fundamentally changes the identity question. On four dimensions simultaneously:

  • Authentication. How do you prove an AI agent is legitimate? For human users, we have decades of protocols. For autonomous agents communicating with dozens of systems in milliseconds, those protocols largely don't yet exist.
  • Authorisation. What may an AI agent do? A human clicks, reads, decides. An agent executes thousands of actions in seconds: retrieving data, combining, deciding, triggering. Traditional authorisation models are built for human interaction speeds. Not for this.
  • Act on behalf. When an agent acts on behalf of a user, whose rights apply? The user's? The agent's? What if the agent needs rights the user doesn't have, or vice versa? And with billions of transactions, how do you determine there's no improper use of the AI agents?
  • Scale. An organisation with thousands of human users generates millions of authentication events per year. Add autonomous agents and that becomes billions. Today's identification infrastructure isn't built for that order of magnitude.

Organisations that don't have their identity governance for service accounts and robots in order today won't have solved it by the time AI agents run in production. The gap isn't getting smaller. It's becoming unmanageable.

The regulator isn't waiting

Meanwhile, the regulator isn't waiting. NIS2, DORA, the EU AI Act and the EU Data Act require demonstrable control over who and what has access to which data and systems, under what conditions, with what safeguards. Without identity governance that includes non-human identities, that demonstrability is impossible. And in a world of autonomous AI agents, it's categorically impossible if the foundations for identification haven't been redesigned.

Organisations that take sovereignty seriously but leave identity governance unaddressed are building a house without locks. Organisations deploying AI agents without redesigning their identity architecture are opening the front door.

Four steps that cannot wait

  1. Make non-human identities visible. Conduct a complete and continuous inventory of all service accounts, API keys, bots and automated processes in all environments. Not as an IT project, but as a sovereignty measure. What you can't see, you can't control. What you don't control isn't sovereign.
  2. Integrate identity governance across all environments. One governance model. One lifecycle approach. One audit framework, regardless of where the identity lives. A split identity world is a risk that grows with every new environment and every new agent.
  3. Design an identity architecture for agentic AI now. Don't wait until agents run in production. Start with the design questions: how do we authenticate autonomous agents? How do we limit their authorisations?
  4. Bring identity to the sovereignty table. Identity governance doesn't belong in a separate CISO domain. It belongs at the same strategic table as data sovereignty and operational sovereignty. The CRO, CISO, CIO and CDO around one integrated sovereignty model, where identity is the operational backbone, so you can deliver true control.
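The governance gaps named earlier (keys never changed since creation, rights never reviewed, no offboarding when a process stops) and step 1's inventory of non-human identities across all environments, as an added worked example that is not part of the original post. It runs a hygiene check over a constructed inventory of service accounts, API keys and bots; the thresholds and the sample account names are assumptions for illustration, not policy values from the post.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Review thresholds: assumed values, not from the post; align them with your own policy.
MAX_CREDENTIAL_AGE_DAYS = 90
MAX_REVIEW_AGE_DAYS = 365
REPORT_DATE = date(2026, 5, 7)   # "today" for the sample run (the post's publication date)

@dataclass
class NonHumanIdentity:
    name: str
    kind: str                        # "service_account", "api_key" or "bot"
    environment: str                 # "cloud", "on_prem" or "saas"
    created: date
    credential_rotated: date | None  # None: key/password unchanged since creation
    rights_reviewed: date | None     # None: rights never reviewed since day one
    owning_process_active: bool      # False: the process it served has stopped
    admin: bool

def governance_findings(ident: NonHumanIdentity, today: date) -> list[str]:
    """Return the governance gaps for one identity (empty list if none)."""
    findings = []
    last_rotation = ident.credential_rotated or ident.created
    if (today - last_rotation).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("credential-not-rotated")
    if ident.rights_reviewed is None or (today - ident.rights_reviewed).days > MAX_REVIEW_AGE_DAYS:
        findings.append("rights-not-reviewed")
    if not ident.owning_process_active:
        findings.append("orphaned-not-offboarded")
    if ident.admin and findings:
        findings.append("admin-rights-with-gaps")  # the forgotten admin account case
    return findings

def inventory_report(identities, today: date) -> dict[str, list[str]]:
    """One report across all environments: identity name -> findings; gap-free ones omitted."""
    report = {}
    for ident in identities:
        gaps = governance_findings(ident, today)
        if gaps:
            report[ident.name] = gaps
    return report

# Constructed sample inventory spanning on-prem, SaaS and cloud (illustrative, not real accounts).
SAMPLE_INVENTORY = [
    NonHumanIdentity("svc-erp-export", "service_account", "on_prem", date(2019, 3, 1),
                     None, None, True, True),
    NonHumanIdentity("apikey-crm-sync", "api_key", "saas", date(2024, 1, 10),
                     date(2026, 3, 1), date(2026, 1, 15), True, False),
    NonHumanIdentity("bot-invoice-rpa", "bot", "cloud", date(2022, 6, 1),
                     date(2026, 4, 1), date(2023, 6, 1), False, False),
]
```

Calling `inventory_report(SAMPLE_INVENTORY, REPORT_DATE)` flags the never-rotated, never-reviewed admin service account and the orphaned bot, while the maintained API key produces no finding.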

Sovereignty without identity governance isn't sovereignty

Most discussions about sovereignty focus on where data are and who manages the infrastructure. These are the right questions. But they're not where the greatest vulnerability lies. The greatest vulnerability lies in the identities no one counts, the service accounts no one reviews, the API keys no one rotates and the AI agents that are coming, for which no one yet has a governance model.

Sovereignty without identity governance isn't sovereignty. It's an illusion waiting to be tested.

This is the third part of a blog series on cloud sovereignty. Previously published are Cloud sovereignty and AI acceleration: the collision nobody is naming and The sovereignty paradox laying in your drawer for a decade.

Take the first step towards cloud sovereignty

Download the report from PwC and Microsoft and build trust in your digital future.

About the authors

Ron Martinek
Partner, Microsoft Alliance Lead Netherlands, PwC Netherlands

Ron is a partner at PwC Netherlands and leads the Microsoft practice. With more than twenty years of experience in digital transformation, he helps organisations accelerate with cloud, data and AI solutions.

Ivo van Bennekom
Partner Digital Identity, PwC Netherlands

Ivo leads the PwC Digital Identity Impact Centre for the EMEA region. He is an expert in cybersecurity and digital identity, advising senior management at organisations. Ivo works across various sectors, with a primary focus on the financial industry, consumer markets and high-tech companies.