Gartner expects 40%+ of agentic AI projects canceled by 2027; EU AI Act Article 14 makes human oversight enforceable August 2, 2026. Three pillars mask which governance gap fails first.
AI agents are running across systems nobody authorized. The explanation everyone is settling on, three governance pillars ranked equally, obscures the gap that fails first.
Gartner's June 2025 forecast that more than 40% of agentic AI projects will be canceled by end of 2027 has become the field's anchor statistic. The remedies vendors, analysts, and IT leaders keep recommending cluster into three layers: identity for non-human actors, observability into what agents actually did, and cost optimization across tokens and routes. Each layer maps to a different C-suite question: the CISO on exposure, the CFO on overspend, the chief AI officer on value.
Treating the three as equal pillars obscures which one fails first, and which one the EU's regulatory clock makes impossible to ignore.
Identity is the gap the data points to first. Orchid Security's May 2026 Identity Gap snapshot, drawn from Orchid customer telemetry across April 2025 to March 2026, found roughly two-thirds of non-human accounts authenticated locally with no central identity provider, 57% of applications bypassing central IAM entirely, 40% of non-human accounts orphaned, and one in three applications storing credentials in plaintext. These are Orchid's measurements, not industry-wide independent data. The gap is large enough to be directionally credible, and specific enough that buyers should validate against their own environment before treating it as a benchmark. In practice, an agent can act under credentials nobody is centrally tracking, inside systems nobody on the security team knows about. The CISO question lands first because identity has to exist before anything else can be observed, billed, or revoked.
That sequencing pulls against the order the original three-layer framework implies. Three pillars sound balanced; in production, they compound. An agent without identity cannot be audited. An audit trail attached to an ad-hoc local credential cannot be reconciled back to an owner. A cost report that does not meter per agent is always retroactive: finance sees the bill but cannot stop the next one. Vantage's analysis of agentic coding workloads makes the cost point concrete. Input tokens outnumber output by roughly 25 to 1, and a single accumulated re-sent context dominates each bill. Without identity-tied metering, optimization becomes whack-a-mole on a shared account.
The regulator is the second-order pressure. EU AI Act Article 14, effective August 2, 2026, requires effective human oversight of high-risk AI systems, automation-bias awareness among operators, the ability to override or stop the system, and a two-person verification rule for certain Annex III(1)(a) deployments such as critical infrastructure. Most enterprise agent deployments are not Annex III systems in their own right. The moment an agent touches a high-risk workflow (credit decisioning, healthcare triage, recruitment screening), Article 14's oversight obligations attach, and identity in the regulator's sense becomes a prerequisite for proving a human was actually in the loop.
Most remediation frameworks treat observability and cost control as co-equal peers of identity, but Article 14 treats identity itself as a precondition, because human oversight must attach to a named credential before any high-risk action can be reviewed.
The cost case for getting identity earlier is not abstract either. FinOps Foundation's 2026 State of FinOps puts AI spend management at the top of forward-looking priorities, with 98% of teams now managing AI costs and pre-deployment architecture costing among the most-requested capabilities. The InfoWorld piece carries a Gartner March 2026 figure of 5–30x token cost premium for agentic workloads over standard chatbots. The FinOps survey corroborates the spend-control pain even where a specific budget-overrun percentage reported downstream could not be independently verified against the FinOps PDF. Pricing an agent after deployment is what makes the cost pillar non-binding; pricing it before deployment against a defined identity is what makes it enforceable. Vantage's parallel finding, that an efficient loop looks indistinguishable from runaway spend without per-agent attribution, makes the same argument from a different angle.
Run the diagnostic on any in-flight agent. Can the security team name the credential it runs under, prove who issued it, and revoke it without taking down a human account? If not, the identity gap is firing now. The EU AI Act's August 2, 2026 clock is already counting. The three-pillar mitigation plan just added two layers of work on top of the one that should have come first.