The Rule of 17: What AI Agent Growth Means for Security Teams

Jun 23, 2026


Grip Security's Rule of 17 reveals that one AI agent now exists for every 17 identities. Learn what AI agent growth means for governance, identity security, and SaaS risk.


Executive Summary

AI adoption has quietly created a new identity problem.

While organizations focus on employee access, SaaS security, and AI governance, a rapidly growing population of AI agents is gaining access to applications, data, and workflows across the enterprise.

Grip Security's latest SaaS and AI Security research reveals a striking trend:

For every 17 identities in an organization, there is now one AI agent.

We call this the Rule of 17.

This ratio highlights a fundamental shift in enterprise environments. AI agents are becoming operational participants in business processes, often with access privileges similar to human users. Yet many security programs still lack visibility into where these agents exist, what they can access, and how they interact with sensitive data.

As AI functionality expands across SaaS ecosystems, understanding and governing non-human identities is becoming a critical security requirement.

Key Takeaways

  • The Rule of 17 states that organizations now have approximately one AI agent for every 17 identities.
  • AI agents are rapidly becoming a major category of non-human identity.
  • 54% of enterprise applications now contain AI functionality.
  • The average user is exposed to 33.5 AI-enabled applications.
  • The average Grip customer uses 1,017 AI-enabled applications.
  • AI-related attacks increased approximately 490% year-over-year.
  • 80% of security incidents involve sensitive data.
  • Traditional governance models designed for human users struggle to manage AI-driven access.
  • Security teams need visibility into AI agents, permissions, OAuth grants, and machine identities operating across SaaS environments.

What Is the Rule of 17?

The Rule of 17 is a framework developed by Grip Security that states organizations now have approximately one AI agent for every 17 identities. The rule highlights the rapid growth of AI-powered non-human identities and the need for visibility, governance, and access controls across SaaS environments.

Rule of 17 Definition

For every 17 identities within an organization, one AI agent exists.

This statistic reflects the growing presence of AI-powered assistants, autonomous workflows, copilots, embedded AI features, automation platforms, and machine-driven services operating across SaaS environments.

Historically, identity governance focused on employees, contractors, and service accounts.

Today, organizations must also account for:

  • AI assistants
  • AI copilots
  • Autonomous agents
  • AI-powered workflow engines
  • Machine identities
  • API-driven AI services
  • Embedded AI features inside SaaS applications

The Rule of 17 provides a measurable way to understand how quickly this new population is expanding.

Why the Rule Matters

Security teams often know how many employees they have.

Few know:

  • How many AI agents exist
  • Which applications those agents access
  • What permissions have been granted
  • Which sensitive datasets are exposed

The result is an expanding access layer that frequently operates outside traditional governance processes.

Why AI Agents Are Multiplying

Several forces are driving explosive AI agent growth.

AI Is Embedded Everywhere

Grip research found that:

54% of enterprise applications now contain AI functionality.

Many organizations no longer intentionally deploy AI.

Instead, AI arrives through:

  • SaaS platform updates
  • Productivity suites
  • Collaboration tools
  • CRM platforms
  • Customer support systems
  • Developer tools

AI functionality is increasingly becoming a default feature rather than a standalone product.

Employees Are Using More AI Than Security Teams Realize

The average user is exposed to:

33.5 AI-enabled applications.

This exposure often includes applications that employees may not recognize as AI-powered.

As a result:

  • AI adoption becomes decentralized
  • Governance visibility declines
  • Risk accumulates across departments

AI Application Growth Has Reached Enterprise Scale

The average Grip customer uses:

1,017 AI-enabled applications.

At this scale, manual discovery and governance become nearly impossible.

Organizations are no longer managing a handful of AI tools.

They are managing thousands.

Why Traditional Governance Models Break Down

Most governance frameworks were designed around human behavior.

AI agents fundamentally change the equation.

Traditional Governance Assumptions

Conventional governance assumes:

  • Users request access
  • Managers approve access
  • Security teams review permissions
  • Employees can be trained

AI agents don't fit this model.

AI systems:

  • Operate continuously
  • Scale instantly
  • Create downstream actions
  • Interact with multiple SaaS platforms simultaneously

The governance challenge becomes significantly more complex.

The Visibility Gap

Many organizations can answer:

"Who has access?"

Fewer can answer:

"What AI systems have access?"

The distinction is increasingly important because AI agents frequently inherit permissions from:

  • OAuth integrations
  • Connected applications
  • Service accounts
  • APIs
  • User-delegated access

Without visibility into these relationships, governance becomes incomplete.

AI Agents, Non-Human Identities, and Access Risk

The Rule of 17 is fundamentally an identity story.

Every AI agent represents a non-human identity that can interact with enterprise resources.

AI Agents Are Identity Objects

Security teams should treat AI agents similarly to:

  • Service accounts
  • Workload identities
  • Automation bots
  • Machine credentials

Each AI agent may have:

  • Permissions
  • Authentication methods
  • Access scopes
  • Data access rights

Ignoring these identities creates governance blind spots.

The AI Attack Surface Is Growing

Grip's research found:

AI-related attacks increased approximately 490% year-over-year.

As AI adoption expands, attackers gain new opportunities to:

  • Exploit over-permissioned agents
  • Abuse OAuth grants
  • Access connected SaaS environments
  • Move laterally through AI-enabled workflows

Every AI agent introduces potential access pathways.

Sensitive Data Is Increasingly at Risk

Security incidents involving AI systems often become data exposure events.

Grip research shows:

80% of incidents involve sensitive data.

When AI agents gain access to any of the following, the impact of compromise grows significantly:

  • Customer records
  • Financial information
  • Intellectual property
  • Internal communications

The governance challenge is no longer simply identifying AI usage.

It is understanding what those AI systems can access.

What Security Teams Should Do Next

The Rule of 17 highlights an emerging reality:

Organizations must manage AI agents as part of their identity security strategy.

1. Discover AI Agents Across SaaS Environments

Begin by identifying:

  • AI-enabled applications
  • Embedded AI functionality
  • Autonomous workflows
  • AI copilots
  • Connected AI services

Discovery is the foundation of governance.

2. Map Access Relationships

Security teams should understand:

  • Which identities AI agents inherit
  • Which OAuth grants exist
  • What permissions have been granted
  • Which data sources are accessible

Visibility must extend beyond users.

3. Govern Non-Human Identities

Apply governance controls to:

  • AI agents
  • Service accounts
  • Automation platforms
  • Machine identities

The same principles used for human access should extend to AI-driven entities.

4. Monitor AI Activity Continuously

AI systems operate continuously.

Governance should too.

Continuous monitoring helps identify:

  • Permission drift
  • New AI deployments
  • Excessive access
  • Risky integrations

5. Build AI Governance Around Identity

The future of AI governance is not simply policy management.

It is identity management.

Organizations that can see and govern AI access relationships will be better positioned to manage emerging risks.
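
The following added example, which is not from Grip Security or its product, compares two constructed grant-inventory snapshots to measure identities per AI agent in an environment and to report scopes gained by non-human identities since a baseline (the permission drift and new deployments named in step 4). The snapshot layout, identity names, scope strings, and the SENSITIVE policy list are all assumptions.

```python
from collections import defaultdict

# Constructed snapshots (identity, kind, app, scopes); names and scopes are hypothetical.
BASELINE = [
    ("alice", "human", "crm", {"records.read"}),
    ("notes-copilot", "ai_agent", "crm", {"records.read"}),
    ("ci-bot", "service_account", "repo", {"code.read"}),
]
CURRENT = [
    ("alice", "human", "crm", {"records.read"}),
    ("notes-copilot", "ai_agent", "crm", {"records.read", "records.export"}),
    ("notes-copilot", "ai_agent", "mail", {"mail.read"}),
    ("ci-bot", "service_account", "repo", {"code.read"}),
    ("triage-agent", "ai_agent", "helpdesk", {"tickets.write"}),
]
SENSITIVE = {"records.export", "mail.read"}  # assumed local policy list


def identities_per_agent(snapshot):
    """Identities (human and non-human) per AI agent; None if no agents."""
    kinds = {name: kind for name, kind, _, _ in snapshot}
    agents = sum(1 for k in kinds.values() if k == "ai_agent")
    return len(kinds) / agents if agents else None


def non_human_drift(baseline, current):
    """Scopes gained by non-human identities since the baseline snapshot."""
    def index(snapshot):
        granted = defaultdict(set)
        for name, kind, app, scopes in snapshot:
            if kind != "human":
                granted[(name, app)] |= scopes
        return granted

    old, new = index(baseline), index(current)
    findings = []
    for key in sorted(new):
        added = new[key] - old.get(key, set())
        if added:
            findings.append({
                "identity": key[0], "app": key[1], "added": sorted(added),
                "sensitive": sorted(added & SENSITIVE),
                "new_identity": all(k[0] != key[0] for k in old),
            })
    return findings


if __name__ == "__main__":
    print(identities_per_agent(CURRENT), non_human_drift(BASELINE, CURRENT))
```

Findings with a non-empty "sensitive" list or with "new_identity" set are the ones to route for review first.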

The Rule of 17 Framework

Every AI initiative creates new identities.

Every identity creates new access.

Every access path creates new risk.

The Rule of 17 provides a measurable framework for understanding how quickly AI-driven identity risk is expanding.

As AI adoption accelerates, organizations need a way to quantify and govern this growth.

The Rule of 17 offers a starting point.

FAQ

What is the Rule of 17?

The Rule of 17 is a Grip Security framework stating that organizations now have approximately one AI agent for every 17 identities. It highlights the rapid growth of AI-driven non-human identities across enterprise environments.

Why are AI agents considered security risks?

AI agents often have access to applications, data, APIs, and workflows. Without proper governance, they can become over-permissioned, expose sensitive data, or create new attack paths.

What is a non-human identity?

A non-human identity is any digital entity that can authenticate and access resources without being a person. Examples include service accounts, machine identities, automation bots, APIs, and AI agents.

How many AI-enabled applications do enterprises use?

According to Grip research, the average customer uses 1,017 AI-enabled applications, while users are exposed to an average of 33.5 AI applications.

Why does AI governance require identity visibility?

AI governance depends on understanding which AI systems exist, what data they can access, and which permissions they possess. Without identity visibility, governance programs cannot effectively manage AI-related risk.

How can organizations secure AI agents?

Organizations should discover AI agents, map access relationships, govern permissions, monitor activity continuously, and incorporate AI identities into broader identity security programs.
