This study addresses the critical security and compliance risks arising from the widespread yet ungoverned use of machine identities—such as service accounts and API tokens—in AI systems. To bridge this gap, the work proposes the first machine identity governance framework specifically designed for AI agents, introducing two novel taxonomies: the AI Identity Risk Taxonomy (AIRT) and the Machine Identity Governance Taxonomy (MIGT). It establishes a nation-state-level adversary threat model and designs a cross-jurisdictional regulatory alignment mechanism. Drawing on threat intelligence, regulatory texts, and industry practices, the research identifies 37 distinct risk subcategories through classification modeling, risk mapping, and multi-jurisdictional regulatory comparison, uncovering key regulatory conflicts among the U.S., China, and the EU. The paper concludes with a four-phase implementation roadmap to guide organizations in building actionable, secure, and compliant AI identity governance systems.

The governance of artificial intelligence has a blind spot: the machine identities that AI systems use to act. AI agents, service accounts, API tokens, and automated workflows now outnumber human identities in enterprise environments by ratios exceeding 80 to 1, yet no integrated framework exists to govern them. A single ungoverned automated agent produced $5.4-10 billion in losses in the 2024 CrowdStrike outage; nation-state actors including Silk Typhoon and Salt Typhoon have operationalized ungoverned machine credentials as primary espionage vectors against critical infrastructure. This paper makes four original contributions. First, the AI-Identity Risk Taxonomy (AIRT): a comprehensive enumeration of 37 risk sub-categories across eight domains, each grounded in documented incidents, regulatory recognition, practitioner prevalence data, and threat intelligence. Second, the Machine Identity Governance Taxonomy (MIGT): an integrated six-domain governance framework simultaneously addressing the technical governance gap, the regulatory compliance gap, and the cross-jurisdictional coordination gap that existing frameworks address only in isolation. Third, a foreign state actor threat model for enterprise identity governance, establishing that Silk Typhoon, Salt Typhoon, Volt Typhoon, and North Korean AI-enhanced identity fraud operations have already operationalized AI identity vulnerabilities as active attack vectors. Fourth, a cross-jurisdictional regulatory alignment structure mapping enterprise AI identity governance obligations under EU, US, and Chinese frameworks simultaneously, identifying irreconcilable conflicts and providing a governance mechanism for managing them. A four-phase implementation roadmap translates the MIGT into actionable enterprise programs.