Two intelligence items this week converge on the same structural governance gap: non-human identities (AI agents, service accounts, API keys) are not being governed to the same IAM standards as human users, creating unmonitored privileged attack surfaces that grow with every new AI agent deployment. CrowdStrike announced a Continuous Identity for AI Agents framework using SPIFFE-based workload credentials and the Shared Signals Framework to address this; Palo Alto Networks flagged the same gap as an industry-wide governance failure. Neither item describes active exploitation — both describe structural risk accumulating faster than policy and detection coverage is evolving.