TL;DR: Enterprises are deploying AI agents faster than governance frameworks can keep pace, and 92% of organisations say governing AI agents is critical while only 44% have policies in place, according to SailPoint. The real failure is assumption collapse: human-paced review, static authorisation, and stable accountability no longer hold when agents act autonomously.
At a glance
What this is: This is an analysis of agentic AI governance risks, showing that autonomous actions break human-era identity controls and leave accountability gaps.
Why it matters: It matters because IAM, PAM, and lifecycle teams must govern agents as identities with runtime permissions, not as ordinary automation, or risk losing control over data, tools, and approvals.
By the numbers:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
👉 Read 1Kosmos's analysis of Know Your Agent and agentic AI governance risk
Context
Agentic AI governance is the problem of controlling software entities that can choose actions, tools, and timing at runtime. In this article, the core gap is not model quality but identity accountability: once an agent can act without a human checkpoint, existing IAM and audit assumptions stop matching the way access is actually used.
That shift matters across NHI, IAM, and lifecycle programmes because agents behave like identities but do not fit human review models. The article frames the answer as Know Your Agent (KYA), but the underlying issue is broader: organisations need to know which agent acted, under whose authority, and whether the action was permitted at the moment it happened.
Key questions
Q: How should security teams govern AI agents that can act without a human checkpoint?
A: Treat the agent as an identity with ownership, scope, and runtime policy enforcement. Human approval must occur at the moment of consequential action, not only during provisioning. For high-risk operations, block the tool call until a verified human approves the specific request and the approval is written into an immutable audit trail.
Q: Why do AI agents create accountability problems for IAM and compliance teams?
A: Because standard logs often show that a credential was used, but not whether the human behind it still had authority when the action occurred. If an agent continues after its sponsor leaves or its scope changes, the organisation may have a valid credential and an invalid accountability chain at the same time.
Q: What breaks when service accounts are used as the identity basis for autonomous agents?
A: Static service accounts can outlive the human who created them, so the agent keeps operating with persistent access after ownership has changed. That creates ghost agents, weak offboarding, and access that is valid technically but no longer defensible organisationally.
Q: Who should be accountable when an AI agent makes a harmful decision?
A: Accountability should sit with the verified human owner, the approving control, and the organisation that allowed the agent to act within that scope. If no one can prove who authorised the action at execution time, the governance model is incomplete and the audit trail is not sufficient for compliance.
Technical breakdown
Why control planes and execution planes must be separated
Agentic governance needs two layers because registration and runtime approval solve different problems. The control plane handles ownership, onboarding, and lifecycle binding to a human sponsor. The execution plane is where the real security decision happens, because by the time an agent makes a tool call, the context under which it was provisioned (its sponsor, its scope, the data it touches) may already have changed. Static registration alone cannot answer whether a specific action should proceed. This is why auditability fails when teams rely on provisioning-time approval for a runtime event: the real control point is the moment of action, not the moment the agent was created.
Practical implication: enforce runtime policy checks at the action boundary, not just at agent registration.
How delegated tool chains expand privilege in agentic systems
Agentic systems often inherit authority through chains of tool calls rather than a single explicit approval. One agent can invoke another, or a routine task can surface a token that extends access beyond the original intent. That creates privilege expansion without a human ever seeing a new request. The technical problem is not only over-broad access, but the lack of step-by-step authorisation inside a decision chain. When each hop is trusted because the previous hop was trusted, least privilege becomes a paperwork state instead of a runtime state.
Practical implication: validate every consequential hop in the chain, not only the first authenticated session.
Why static credentials cannot prove accountability for autonomous actions
API keys and service accounts authenticate a connection, but they do not prove who authorised a particular autonomous action. That distinction becomes critical when an agent keeps operating after the employee who created it leaves the organisation. The result is a ghost agent: valid credentials, no live owner, and no trustworthy accountability trail. Legacy logs may show that an identity was used, but not whether the person behind it still had authority. For agentic systems, authentication without contemporaneous authorisation is incomplete.
Practical implication: tie agent credentials to a verified human owner and revoke them when ownership ends.
NHI Mgmt Group analysis
Agentic AI creates an accountability gap, not just a visibility gap. The article shows that enterprises can log agent activity and still fail to prove who authorised it. That is a governance failure because the audit record no longer maps cleanly to a responsible human. For CISOs and IAM leaders, the practical conclusion is that visibility without verified authorisation is not control.
Static credential governance was designed for access that persists long enough to be reviewed. That assumption fails when an agent can acquire, use, and chain access inside a short runtime window. The implication is not simply more logging. It is that access review, certification, and offboarding logic must be rethought for identities whose meaningful security event is a session, not a standing account.
Know Your Agent is best understood as identity lifecycle governance for autonomous actors. The article’s strongest point is that identity, ownership, and runtime scope must stay linked all the way through execution. That aligns with OWASP Agentic AI Top 10 and NIST AI Risk Management Framework thinking, but the discipline is still identity first. Practitioners should treat agent governance as a control-of-record problem, not an AI novelty problem.
Runtime approval becomes the decisive control when agents can act faster than humans can intervene. Human-in-the-loop checkpoints are not a UX preference in this model. They are the only way to preserve accountability for high-risk actions such as infrastructure changes, money movement, and sensitive-data access. The conclusion for governance teams is straightforward: if approval is not enforceable at execution time, it is not enforceable at all.
From our research:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to the AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- For a broader identity lens, OWASP Agentic AI Top 10 shows how those behaviours map to prompt injection, tool misuse, and agent hijacking.
What this signals
Runtime governance, not static onboarding, is where agent risk now concentrates. If an agent can change what it does after provisioning, lifecycle reviews alone will miss the moment that matters. Teams should align identity ownership, policy enforcement, and approval logic to execution-time behaviour rather than to creation-time records.
The practical signal for enterprise IAM programmes is that agent identity must be managed like a living access path, not a one-time registration event. That pushes control design toward task scope, short-lived credentials, and revocation tied to both human ownership and business context.
With 80% of organisations already reporting agents acting beyond intended scope, the governance problem is no longer hypothetical. Security teams should expect demand for evidence that agent approvals, audit lineage, and offboarding can survive compliance scrutiny.
For practitioners
- Bind every agent to a verified human owner: make ownership part of the control plane so each agent has a named sponsor, a business purpose, and a revocation path when the sponsor changes role or leaves.
- Move approval checks to the execution plane: intercept high-risk tool calls at runtime and require contemporaneous approval for actions involving infrastructure changes, sensitive data, or financial transactions.
- Replace static secrets with time-bound verifiable credentials: use short-lived credentials that expire with the task scope so an agent cannot keep operating long after the original authorisation decision has aged out.
- Classify agents by reach and decision impact: segment low-risk, medium-risk, and high-risk agents so monitoring, approval, and scope enforcement match the data and system reach of each identity.
- Create immutable decision lineage for high-risk actions: record the prompt, the action attempted, the data touched, and the human who approved it so compliance, audit, and insurance review can reconstruct the full chain.
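The execution-plane checks described under Technical breakdown and the five practitioner steps above, combined into one added example in Python. This is not code from the 1Kosmos article or from this page. Everything in it is constructed for illustration: the sponsor directory and agent registry (SPONSORS, AGENTS), the tool names and risk tiers (TOOL_RISK), and the hypothetical helpers issue, authorize and AuditLog. A real deployment would back these with the identity provider, a secrets service that mints the short-lived credentials, and an append-only log store.

```python
"""Execution-plane policy enforcement point for agent tool calls (added example, not page code).
Sponsor directory, agent registry, tool names and risk tiers below are constructed."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Control plane (constructed): each agent's human sponsor and whether that sponsor is still active.
SPONSORS = {"alice": {"active": True}, "bob": {"active": False}}  # bob has left
AGENTS = {
    "deploy-bot": {"owner": "alice", "allowed_tools": {"read_config", "apply_terraform"}},
    "report-bot": {"owner": "bob", "allowed_tools": {"read_config"}},  # ghost agent
}
# Reach/impact classification: high-risk tools need contemporaneous human approval.
TOOL_RISK = {"read_config": "low", "apply_terraform": "high", "transfer_funds": "high"}

@dataclass(frozen=True)
class Credential:  # short-lived, scoped; `parent` is the delegating hop, if any
    agent_id: str
    scopes: frozenset
    issued_at: float
    ttl: int
    parent: Optional[Credential] = None

@dataclass(frozen=True)
class Approval:  # human approval bound to one agent, one tool and one exact argument set
    approver: str
    agent_id: str
    tool: str
    args_hash: str
    approved_at: float
    window: int = 300  # seconds the approval stays usable

def _digest(body) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def args_hash(args: dict) -> str:
    return _digest(args)

def issue(agent_id, scopes, ttl, now, parent=None) -> Credential:
    """Issue a credential; a delegated one is attenuated to its parent's scope, never widened."""
    scopes = frozenset(scopes)
    if parent is not None:
        scopes &= parent.scopes
    return Credential(agent_id, scopes, now, ttl, parent)

class AuditLog:
    """Hash-chained decision lineage: each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries, self.head = [], "0" * 64
    def append(self, record: dict) -> None:
        body = dict(record, prev=self.head)
        self.head = _digest(body)
        self.entries.append(dict(body, hash=self.head))
    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def authorize(cred, tool, args, now, approval=None, log=None) -> tuple[bool, str]:
    """Decide one tool call at the moment it is attempted. Returns (allowed, reason)."""
    def decide(ok, reason):
        if log is not None:  # who, which tool, on which arguments, approved by whom, and why
            log.append({"ts": now, "agent": cred.agent_id, "tool": tool, "args": args_hash(args),
                        "approver": approval.approver if approval else None, "allowed": ok, "reason": reason})
        return ok, reason
    # 1. Every hop in the delegation chain must be unexpired and in scope for this tool.
    hop, depth = cred, 0
    while hop is not None:
        if now > hop.issued_at + hop.ttl:
            return decide(False, f"credential expired at hop {depth}")
        if tool not in hop.scopes:
            return decide(False, f"tool outside scope at hop {depth}")
        hop, depth = hop.parent, depth + 1
    # 2. Ownership must still be live: a working credential with no accountable sponsor is a ghost agent.
    agent = AGENTS.get(cred.agent_id)
    if agent is None or tool not in agent["allowed_tools"]:
        return decide(False, "agent not registered for this tool")
    if not SPONSORS.get(agent["owner"], {}).get("active", False):
        return decide(False, f"sponsor {agent['owner']} no longer accountable")
    # 3. High-risk tools (unknown tools count as high) need a matching, current human approval.
    if TOOL_RISK.get(tool, "high") == "high":
        if approval is None:
            return decide(False, "high-risk tool requires human approval")
        if (approval.agent_id, approval.tool, approval.args_hash) != (cred.agent_id, tool, args_hash(args)):
            return decide(False, "approval does not match this request")
        if not approval.approved_at <= now <= approval.approved_at + approval.window:
            return decide(False, "approval outside its validity window")
        if not SPONSORS.get(approval.approver, {}).get("active", False):
            return decide(False, "approver no longer accountable")
    return decide(True, "allowed")
```

Three design points matter here. The chain walk in step 1 visits every parent, so a delegated credential can neither outlive nor outscope the credential it was derived from; this is what turns least privilege from a paperwork state into a runtime state. The approval in step 3 is bound to a hash of the exact arguments, so a sign-off for `{"env": "prod"}` cannot be replayed against a different request, and it is re-checked against the approver's current status rather than trusted because it once existed. The hash chain in AuditLog detects edits to any earlier entry, but it does not by itself detect truncation of the tail; in practice the head hash should be anchored somewhere the agent platform cannot write, such as a separate log store or a signed checkpoint.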
Key takeaways
- Agentic AI exposes a governance gap because identity controls built for human-paced access cannot prove who authorised runtime action.
- The scale of the problem is already visible, with most organisations viewing AI agents as a security threat and many reporting out-of-scope behaviour.
- The decisive control shift is from provisioning-time trust to execution-time verification, ownership, and auditability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent identity spoofing; tool misuse | Both are central to the article's risk model. |
| NIST AI RMF | Governance and accountability functions | The article centres on governance, accountability, and operational risk for autonomous agents. |
| NIST CSF 2.0 | PR.AA-01 | Identity and authentication controls are needed to bind agent actions to accountable owners. |
Assign governance ownership and accountability for agent behaviour before allowing production access.
Key terms
- Agentic AI Governance: The discipline of controlling AI systems that can choose actions, tools, and timing at runtime. It extends identity and access governance into execution-time decisions so organisations can prove ownership, scope, and accountability when the agent acts.
- Execution Plane: The runtime layer where a specific action is approved or denied at the moment it is attempted. In agentic systems, this is where policy must intercept tool calls, because provisioning-time approval does not guarantee that later actions remain authorised.
- Ghost Agent: An agent that continues to operate on credentials after the human sponsor is gone or no longer accountable. The identity still works technically, but governance has lost the live owner relationship needed for defensible access control.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by 1Kosmos: Agent Compliance and Governance Risks for Enterprises. Read the original.
Published by the NHIMG editorial team on 2026-05-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org