By NHI Mgmt Group Editorial Team. Published 2026-01-30. Domain: Agentic AI & NHIs. Source: Kong

TL;DR: Agentic AI governance gaps are widening as 86% of organisations lack visibility into AI data flows and 96% of enterprises now say AI agents are a security risk, according to Kong’s cited sources. The governance model is already breaking because review-based controls cannot keep pace with agent-timed access, tool use, and data movement.


At a glance

What this is: This is Kong’s analysis of why agentic AI governance is becoming a security and compliance problem, with shadow AI, uncontrolled data flows, and autonomous agent behaviour driving new exposure.

Why it matters: It matters because IAM, PAM, NHI, and data governance teams now need controls that can observe and constrain AI-driven access paths before those paths outpace existing review and approval models.

By the numbers:

  • 86% of organisations lack visibility into AI data flows, according to the sources Kong cites.
  • 96% of enterprises say AI agents are a security risk, according to the same cited sources.


Context

Agentic AI governance is the discipline of controlling how AI agents access data, invoke tools, and move information across systems. The problem is not only model risk, but identity risk: once agents can reach APIs, databases, and other services, they create new access paths that traditional review cycles were not built to track.

Kong’s article argues that shadow AI grows when teams bypass official channels, connect to external AI services directly, and route data without classification or audit trails. That makes the issue relevant across NHI, IAM, and lifecycle governance, because the real exposure sits in unmanaged credentials, data flows, and delegated machine access.

For practitioners, the important shift is that governance can no longer sit after deployment. The programme has to see the flow, constrain the action, and prove accountability while agentic systems are still moving through production.


Key questions

Q: How should security teams govern agentic AI without slowing delivery?

A: Use runtime guardrails, policy-as-code, and complete data-flow mapping so governance is enforced inside the execution path rather than added after deployment. The goal is not to review every prompt manually. It is to make unsafe data movement or tool use fail automatically while teams still ship quickly.

Q: Why do AI agents create more governance risk than traditional shadow IT?

A: Shadow AI is riskier because it does not just store data, it reasons over it, transforms it, and can route it to other systems in ways that are harder to inspect. That creates dynamic access paths, untracked decisions, and compliance exposure that static software inventories cannot fully capture.

Q: What breaks when organisations cannot see AI data flows?

A: Without data-flow visibility, security teams lose the ability to trace where prompts, context, and outputs travel, which means they cannot prove lineage, classify exposure, or enforce least privilege across the agent path. Blind spots become governance failures as soon as agents touch regulated or sensitive data.

Q: Who is accountable when an AI agent routes data to an unsafe destination?

A: Accountability should rest with the teams that own the agent, the policy boundary, and the connected data source, not with a single review board after the fact. In practice, agent governance needs named ownership, approved access paths, and clear escalation when runtime behaviour exceeds intent.


Technical breakdown

Shadow AI creates untracked identity and data paths

Shadow AI is not just unsanctioned software use. It is unsanctioned reasoning and action across live systems, which means data can move through prompts, tool calls, vector stores, and APIs without a stable ownership trail. Static inventory methods fail because the architecture changes as agents are updated, chained, or repurposed. Once a team can connect an agent directly to an external model or internal API, the access path becomes a governance object in its own right, not just an application detail.

Practical implication: Map every agent-to-LLM, agent-to-MCP, and MCP-to-API path before approving production use.
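One way to make that mapping concrete, as an added example that is not Kong's code or anything from the original article: enumerate every agent-to-LLM, agent-to-MCP, MCP-to-API and MCP-to-data path from a constructed inventory, then flag the governance gaps the text describes (hops with no named owner, and sensitive sinks reached over a path nobody approved). The node names, owners, classifications and the approved-path list are assumed sample values.

```python
from collections import defaultdict

# Constructed inventory (assumed sample values, not a real estate): one edge per
# (source, destination, link kind) as described in the section above.
EDGES = [
    ("support-agent", "openai-gpt", "agent-to-LLM"),
    ("support-agent", "crm-mcp", "agent-to-MCP"),
    ("crm-mcp", "crm-api", "MCP-to-API"),
    ("crm-api", "customer-db", "API-to-data"),
    ("analyst-agent", "local-llm", "agent-to-LLM"),
    ("analyst-agent", "warehouse-mcp", "agent-to-MCP"),
    ("warehouse-mcp", "finance-db", "MCP-to-data"),
]
OWNER = {"support-agent": "cx-team", "openai-gpt": "ai-platform", "crm-mcp": "cx-team",
         "crm-api": "crm-team", "customer-db": "crm-team", "analyst-agent": "fin-ops",
         "local-llm": "ai-platform", "warehouse-mcp": None, "finance-db": "fin-ops"}
# Sinks that need an explicitly approved path: PII stores, restricted stores, external models.
SENSITIVITY = {"customer-db": "pii", "finance-db": "restricted", "openai-gpt": "external"}
APPROVED_PATHS = {("support-agent", "crm-mcp", "crm-api", "customer-db")}

def enumerate_paths(edges):
    """Return every path from an agent (a node with no inbound edge) to a terminal node."""
    graph = defaultdict(list)
    for src, dst, _ in edges:
        graph[src].append(dst)
    agents = {s for s, _, _ in edges} - {d for _, d, _ in edges}
    paths = []

    def walk(node, trail):
        if not graph[node]:
            paths.append(tuple(trail))
            return
        for nxt in graph[node]:
            if nxt not in trail:          # chained agents can loop; do not revisit a hop
                walk(nxt, trail + [nxt])

    for agent in sorted(agents):
        walk(agent, [agent])
    return paths

def audit_paths(paths, owner=OWNER, sensitivity=SENSITIVITY, approved=APPROVED_PATHS):
    """Flag each path with an unowned hop or an unapproved route to a sensitive sink."""
    findings = []
    for path in paths:
        unowned = [n for n in path if owner.get(n) is None]
        if unowned:
            findings.append((path, "unowned-hop", ",".join(unowned)))
        sink_class = sensitivity.get(path[-1])
        if sink_class and path not in approved:
            findings.append((path, "unapproved-sink", sink_class))
    return findings
```

Each finding names the full path, so the owner of every hop on it can be asked to claim it or close it before production scale-up.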

Policy-as-code is the control layer for agentic workflows

Policy-as-code moves decision points out of manual review queues and into enforceable runtime rules. In agentic systems, that matters because the system can generate requests faster than humans can approve them, and because the request content itself may reveal sensitive data. The model Kong describes is a control plane that can redact, block, rate-limit, and log before data leaves the environment. That is materially different from post-event monitoring, which only tells you what happened after the exposure path already existed.

Practical implication: Define high-risk policies for PII, restricted databases, and outbound model calls at the network or gateway layer.

Why point solutions leave seams in agent security

A fragmented stack creates blind spots between observability, prompt protection, and cost controls. In agentic environments, those seams matter because a policy can be enforced in one tool and bypassed in another part of the transaction chain. The architectural issue is not missing tooling alone, but inconsistent governance across the full data path. A unified control plane is therefore a structural requirement for trustworthy agent deployment, especially when multiple teams can independently create and connect agents.

Practical implication: Treat governance coverage gaps between tools as a security defect, not an integration inconvenience.


Threat narrative

Attacker objective: The objective is to exploit unmanaged AI access paths to reach sensitive data, create compliance exposure, and expand the blast radius before governance can intervene.

  1. Entry begins when developers bypass official channels and connect AI agents or LLM services directly to data and APIs without security review.
  2. Escalation follows as the agent gains access to sensitive customer data, third-party tools, and agent-to-agent communications that were never mapped or approved.
  3. Impact occurs when unmanaged flows create compliance exposure, breach conditions, and rollback events that force broad remediation across the AI programme.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Shadow AI governance is now an identity problem, not just an AI policy problem. Once agents can route data to models, tools, and APIs outside approved channels, the governance question shifts from model quality to who or what is allowed to act. That means IAM, NHI, and data governance are now interlocked rather than separate workstreams. The practitioner conclusion is simple: if you cannot enumerate the agent’s access path, you cannot govern the agent.

Access review cadences were designed for stable entitlements, not for agentic execution. Traditional governance assumes that access can be observed long enough to be reviewed, certified, and revoked on a human schedule. That assumption fails when an agent can acquire, use, and discard privileges as part of a short runtime sequence. The implication is not “add more reviews”; it is that the review model itself no longer matches the behaviour of the actor.

Runtime governance gap: The real control failure is the gap between deployment speed and enforceable oversight. Shadow AI grows because teams can create working agent flows faster than security teams can map ownership, data lineage, and policy boundaries. This is where the field needs to be honest: the gap is structural, and it will keep widening unless governance is embedded in the execution path. Practitioners should treat runtime visibility as the minimum viable control plane.

Agentic AI exposes the same lifecycle weakness that has long plagued unmanaged NHIs, but at higher velocity. Service accounts and tokens already fail when no one knows where they are used, who owns them, or when they should be retired. Agentic systems add decision-making and tool selection on top of that problem, which multiplies the risk of stale access and unowned workflows. The practitioner conclusion is to apply lifecycle discipline across every non-human executor, not just the traditional machine account.

Governance becomes a competitive capability only when it is operational, not documentary. Kong’s framing is correct on one point: organisations that can prove control while moving fast will outlast those that treat governance as a post-deployment checklist. But the winning model is not paper compliance. It is continuous enforcement, traceability, and policy-backed execution across the AI data path. Practitioners should measure whether governance changes runtime behaviour, not just whether it exists on slides.

From our research:

  • 72% of organizations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 46% confirmed and 26% suspected a non-human identity breach, a split that shows many programmes are still operating with incomplete visibility into machine and workload identity exposure.
  • If you are hardening the broader non-human identity estate, pair that research with the NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.

What this signals

Runtime traceability is becoming the baseline expectation for agentic governance. Enterprises that cannot follow an agent’s prompt, tool call, and downstream data movement will struggle to defend either security decisions or compliance posture. The practical signal is that architecture reviews now need to ask where runtime enforcement lives, not just where the model is hosted.

With 72% of organizations having experienced or suspecting a non-human identity breach, per The 2024 ESG Report: Managing Non-Human Identities, the governance problem is no longer theoretical. Programmes that still treat machine access as a back-office control domain are already behind the risk curve.

The category is moving toward unified control planes that combine policy, tracing, and ownership for AI flows. Teams should expect greater pressure to align AI governance with identity lifecycle and PAM processes, especially where agent behaviour touches sensitive systems or regulated data.


For practitioners

  • Map all AI data flows end to end: Inventory agent-to-agent, agent-to-LLM, agent-to-MCP, MCP-to-API, and MCP-to-data paths so ownership and exposure points are visible before production scale-up.
  • Move high-risk controls into policy-as-code: Automate redaction, access checks, audit logging, and outbound call restrictions so sensitive data is blocked before it reaches external models or restricted systems.
  • Treat shadow AI as an identity governance issue: Require approval and lifecycle ownership for every agent, token, and service path that can make or shape runtime decisions, including tools created outside central teams.
  • Replace manual review bottlenecks with runtime guardrails: Use enforcement points that can block or constrain requests in real time, because human review cannot keep pace with dynamic agent execution.

Key takeaways

  • Agentic AI governance fails when organisations treat runtime access and data flow as an afterthought rather than an identity control problem.
  • The cited data shows the exposure is already broad, with 86% lacking AI data-flow visibility and 96% viewing AI agents as a security risk.
  • Practitioners should move governance into the execution path, because manual review cannot keep pace with agentic behaviour.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Covers agentic AI risk from prompt, tool, and delegation abuse.
NIST AI RMF | | AI governance, accountability, and monitoring are central to the article's control model.
NIST CSF 2.0 | PR.AC-4 | Access management is directly relevant to AI agents reaching APIs and data stores.

Map agent workflows to OWASP Agentic AI risks and enforce runtime controls on tool use and data flow.


Key terms

  • Shadow AI: Shadow AI is the use of AI tools, agents, or model connections outside approved governance and security processes. It matters because the activity often creates hidden data flows, unowned access paths, and compliance exposure that traditional software inventories and review cycles do not capture.
  • Policy-as-code: Policy-as-code means expressing security and governance rules in machine-enforceable logic instead of relying on manual approval. In AI environments, it can block risky prompts, redact sensitive data, and prevent unsafe tool calls before the request reaches an external model or downstream system.
  • Agentic AI governance: Agentic AI governance is the control framework for AI systems that can decide, act, and move data across tools at runtime. It combines identity, access, data handling, and accountability so the organisation can trace and constrain behaviour while preserving delivery speed.
  • Runtime guardrail: A runtime guardrail is an enforcement control that acts while an AI system is executing, not after the event. It can inspect context, limit tool use, or stop a transaction in flight, which makes it more effective than retrospective review when agents operate continuously.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Kong: Agentic AI Governance: Managing Shadow AI and Risk for Competitive Advantage. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org