u/AmbitiousYudi1991

▲ 10 r/atlassian+1 crossposts

The "Agent Identity" blind spot: Are Atlassian Rovo agents a governance nightmare in the making?

I’ve been testing Atlassian Rovo, and while the "AI Agent" hype is real and in some cases it is good, the governance implications are honestly terrifying.

Is anyone else worried about these three things?

Workflow Chaos: We’ve spent years perfecting Jira automations and guardrails. Now, AI agents are essentially creating "shadow workflows" that bypass the logic we’ve spent thousands to build.

The Access Paradox: These agents have massive reach. It’s scary how easily they can surface context from sensitive resources that the prompting user shouldn't actually see, simply because the agent has site-wide indexing power.

The Identity Void: This is the biggest red flag. When an AI agent leaks data, whose identity was used?

* Does the audit log blame the user who prompted it?
* The admin who installed it?
* Or is "Agent Identity" a total blind spot in our current access policies?

We’re giving these agents more access than our senior architects, but we have zero way to govern them under "Least Privilege" rules.

Are you guys actually rolling this out to production, or is the lack of auditing a dealbreaker for you?

u/AmbitiousYudi1991 — 4 days ago