By NHI Mgmt Group Editorial Team
Published 2026-06-15
Domain: Agentic AI & NHIs
Source: Zenity

TL;DR: As AI agents gain the ability to interact with applications, access enterprise data, and execute workflows, the gap between governance and security becomes visible, according to Zenity. Policies can approve use, but they cannot explain behaviour, detect drift, or stop risky actions in real time.


At a glance

What this is: This is an analysis of why agentic AI security cannot be treated as the same problem as AI governance, with behaviour-level control emerging as the missing layer.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes will all miss agentic risk if they stop at approval, ownership, and policy alone.

👉 Read Zenity's analysis of why agentic AI security and governance are diverging


Context

Agentic AI security is the discipline of understanding what an AI system is actually doing at runtime, not just whether it was approved. Zenity's central claim is that governance and security diverge once agents can take actions, touch data, and move through business workflows without a human checking each step.

For identity teams, that means the control question changes from who approved the system to what the system is doing right now, what it can reach, and whether its behaviour stays inside the authorised boundary. That is where existing AI governance models stop being sufficient and where identity security, behavioural visibility, and enforcement become operational requirements.


Key questions

Q: How should security teams govern agentic AI without confusing governance with security?

A: Security teams should keep governance and runtime control separate. Governance defines approved use, ownership, and policy. Security must monitor what the agent actually does, what it can reach, and whether behaviour stays inside expected boundaries. If those layers are merged, organisations end up with policy assurance but no operational visibility into risky actions.

Q: Why do AI agents create problems for traditional identity and access management?

A: AI agents create problems because traditional IAM assumes a relatively stable actor that receives access and then uses it within predictable boundaries. Agentic systems can take actions, chain workflows, and change behaviour during execution. That means the real control question becomes behaviour, not just entitlement, and static approval is no longer enough.

Q: What breaks when organisations rely on AI governance alone?

A: What breaks is the assumption that policy approval proves safe operation. Governance can confirm that an AI system is allowed to exist, but it cannot show what the system is doing in real time, whether it touched sensitive resources, or whether it attempted a risky action. Without runtime security, risk remains invisible until damage occurs.

Q: How do teams measure whether agentic AI controls are actually working?

A: Teams should measure whether they can see agent actions, detect behaviour changes, and stop unsafe workflows before they complete. If the programme only reports approved systems and documented policies, it is measuring governance maturity, not security effectiveness. Effective control produces runtime evidence, not just policy compliance.


Technical breakdown

Why governance cannot observe agent behaviour

Governance operates through inventories, policies, approvals, and ownership models. Those mechanisms answer whether an AI system is permitted to exist and under what conditions it should be used. They do not provide runtime visibility into the actions an agent takes, the data it touches, or the workflows it starts. Once an agent can interact with many systems in sequence, the governance record and the operational reality can diverge. The security problem is not absence of policy. It is the lack of behavioural telemetry that shows when the agent is moving outside the approved envelope.

Practical implication: pair governance records with runtime activity monitoring so approvals do not become blind spots.

Agentic AI identity needs control over actions, not just access

In agentic environments, access is only the starting point. The more relevant questions are which actions the agent can initiate, which resources it can combine, and whether a policy engine can stop an unsafe sequence before it completes. That moves the problem from static authorisation to behavioural enforcement. Traditional identity models assume a bounded actor receiving requests. Agentic systems can initiate, chain, and adapt actions during execution, which means the control plane has to evaluate intent, context, and downstream effect, not just entitlement.

Practical implication: define enforcement boundaries around agent actions, not only around the accounts or tokens they use.

The visibility gap is the real agentic AI security problem

The central failure mode is not that organisations lack AI policy. It is that they cannot consistently see when an agent changes behaviour, accesses sensitive systems unexpectedly, or attempts an action that falls outside its intended use. That creates a visibility gap between policy and execution. In identity terms, the agent is treated as authorised at design time, while its runtime behaviour may become the actual risk. This is why agentic AI security must be treated as a live control problem rather than a governance paperwork problem.

Practical implication: create investigation and stop controls for agent behaviour changes before those changes become business-impacting incidents.


NHI Mgmt Group analysis

Governance and security are different identity problems once an AI system can act. Governance answers who approved the agent, what policy applies, and who owns accountability. Security answers what the agent is doing at runtime, what it is reaching, and whether its behaviour is drifting beyond intent. That distinction becomes decisive when an AI system can execute workflows rather than merely generate outputs. Practitioners should treat approval as a starting condition, not evidence of safe behaviour.

Behavioural visibility is the missing control plane for agentic AI. A policy document cannot explain why an agent accessed a sensitive dataset, modified a record, or initiated an unexpected workflow. Those are runtime questions, and they require telemetry, context, and enforcement. The identity discipline here is closer to continuous observation of machine action than periodic governance review. Practitioners should recognise that visibility failures are control failures, not documentation gaps.

Agentic AI creates a new version of the access-review problem. Access review assumes the actor's permissions and usage patterns are stable enough to be inspected after the fact. That assumption weakens when the actor can change behaviour mid-session and chain actions across systems. The implication is that governance cadences alone cannot prove safe use. Practitioners should rethink the timing, evidence model, and scope of review for autonomous actors.

Agentic AI security will converge with broader NHI and identity governance practice. Once agents operate like non-human identities with action authority, the same governance questions recur across workload identity, service accounts, and autonomous systems: what is allowed, what is actually happening, and what should stop it. This is where cross-domain identity governance becomes more valuable than isolated AI policy. Practitioners should align AI agent controls with the wider identity programme rather than building a separate silo.

From our research:

What this signals

Agentic AI will force identity teams to operationalise behaviour monitoring, not just policy oversight. The governance record will remain necessary, but it will no longer be sufficient evidence that an AI system is safe to run. Teams that already manage workload identity and secrets lifecycles are best placed to extend those controls into agent action visibility.

The category is moving toward a hybrid model where AI policy, identity telemetry, and enforcement have to work together. That is why agentic AI security will increasingly sit alongside NHI governance in the same operating model, rather than inside a standalone AI policy function. Teams should expect audit questions to shift from approval status to runtime evidence.

Identity blast radius: once an agent can move across applications, the relevant unit of risk is no longer the model itself but the span of systems it can touch. With 72% of organisations already reporting or suspecting NHI breaches in our research, the gap between governed access and controlled behaviour is now a practical risk factor, not a theoretical one.


For practitioners

  • Define runtime behavioural boundaries: Specify which actions an agent may initiate, which systems it may touch, and which sequences must be blocked even if access is otherwise approved. Use those boundaries as operational controls, not as policy language only.
  • Separate approval from enforcement: Keep governance approval, ownership, and acceptable-use policy in one track, but add separate enforcement controls that can observe and stop risky agent activity while a session is active.
  • Instrument agent activity for investigation: Log the systems, data, and workflow steps an agent touches so security teams can investigate changes in behaviour instead of relying on static approvals as evidence of safety.
  • Map agent controls into the identity programme: Treat agentic AI as part of the wider identity estate, alongside workloads and service identities, so review, escalation, and containment processes are consistent across actor types.
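As an added example (not Zenity's or NHIMG's code) of the action-level enforcement described under "Agentic AI identity needs control over actions, not just access" and the first three practitioner steps above, here is a small runtime boundary check for one agent session; the entitlements, system names and blocked chain are constructed sample values. Every step the agent attempts is approved by the governance record, yet the third is stopped because it would complete a forbidden chain and the fourth is entitled but outside the runtime boundary, with each attempt recorded as telemetry for investigation.

```python
# Added hypothetical example (not Zenity's or NHIMG's code); all values are constructed.
from dataclasses import dataclass, field
# Static entitlements: what the governance record approved the agent to hold.
ENTITLEMENTS = {"crm.read", "storage.write", "storage.delete", "email.send"}

# Runtime boundary, kept separate: per-step allow-lists plus ordered chains that must not complete.
BOUNDARY = {
    "actions": {"crm.read", "storage.write", "email.send"},   # storage.delete is entitled but not allowed here
    "systems": {"crm", "storage", "email"},
    "blocked_sequences": [("crm.read", "email.send")],        # read customer data, then mail it out
}

def _in_order(needle, haystack):
    """True if every item of needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(n in it for n in needle)

@dataclass
class Session:
    boundary: dict
    history: list = field(default_factory=list)    # names of steps that were allowed
    telemetry: list = field(default_factory=list)  # every attempt, for investigation

    def evaluate(self, action, system, target):
        """Decide (allowed, reason) for one step and record it as telemetry."""
        if action not in ENTITLEMENTS:
            verdict = (False, "no entitlement")
        elif action not in self.boundary["actions"] or system not in self.boundary["systems"]:
            verdict = (False, "outside runtime boundary")
        else:
            verdict = (True, "ok")
            for seq in self.boundary["blocked_sequences"]:
                # Entitled and in-boundary step, but it would complete a forbidden chain.
                if action == seq[-1] and _in_order(seq[:-1], self.history):
                    verdict = (False, "blocked sequence " + " -> ".join(seq))
                    break
        self.telemetry.append({"action": action, "system": system, "target": target,
                               "allowed": verdict[0], "reason": verdict[1]})
        if verdict[0]:
            self.history.append(action)
        return verdict

def run_sample_workflow():
    """Constructed session: steps 1-2 pass, step 3 is stopped mid-chain, step 4 is entitled but out of bounds."""
    session = Session(BOUNDARY)
    steps = [("crm.read", "crm", "customer_table"),
             ("storage.write", "storage", "report.csv"),
             ("email.send", "email", "partner@example.com"),
             ("storage.delete", "storage", "report.csv")]
    return [session.evaluate(*s) for s in steps], session.telemetry
```

The telemetry list is the runtime evidence the article asks for: it records blocked attempts as well as allowed ones, so an investigator can see where behaviour left the approved envelope.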

Key takeaways

  • Agentic AI exposes a structural gap between governance and security because approval does not reveal runtime behaviour.
  • The control problem shifts from who authorised the system to what the system is doing, what it can reach, and whether it can be stopped.
  • Identity programmes should extend visibility and enforcement into agent action, not rely on policy artefacts as proof of safe use.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
OWASP Agentic AI Top 10           -                     Agentic behaviour and runtime control are central to this article.
NIST AI RMF                       -                     The article is about governance, accountability, and operational risk management for AI.
OWASP Non-Human Identity Top 10   NHI-01                AI agents behave as non-human identities once they hold enterprise credentials.

Treat agents as NHI actors and enforce least privilege, rotation, and visibility controls.


Key terms

  • Agentic AI governance: The set of ownership, policy, approval, and accountability processes used to decide how AI agents may be deployed. It establishes who is responsible and what is allowed, but it does not by itself prove what the agent is doing at runtime or whether its behaviour is safe.
  • Agentic AI security: The operational control of what an AI agent actually does, what systems it reaches, and whether its runtime behaviour stays within acceptable boundaries. It relies on telemetry, detection, and enforcement rather than policy alone, because behaviour can diverge from approval once the agent starts acting.
  • Runtime enforcement: Controls that observe and stop an identity while it is active, rather than reviewing it only after the fact. In agentic environments, runtime enforcement is the mechanism that turns policy into action when an agent attempts a risky workflow, data access, or system change.
  • Behavioural telemetry: The evidence stream that shows how an identity behaves over time, including the systems it touches, the actions it takes, and when its pattern changes. For agentic AI, behavioural telemetry is essential because static approval records cannot explain dynamic execution paths.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zenity: Governance and Security Are Different Problems, Agentic AI Is Exposing the Gap Between Them. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org