By NHI Mgmt Group Editorial Team | Published 2025-12-01 | Domain: Agentic AI & NHIs | Source: Cyera

TL;DR: As agentic systems begin to initiate actions, retrieve data, and make decisions across connected environments, SACR’s research says data security, identity context, and runtime control are converging into one operating model, with Cyera named as a leading platform in that category. The core shift is that governance assumptions built for static prompts and passive data flows no longer hold when AI can act on data in motion.


At a glance

What this is: Cyera’s analysis-led announcement that agentic AI security is becoming a unified data, identity, and runtime control problem, with SACR highlighting the need for continuous governance over AI activity.

Why it matters: IAM, NHI, and AI governance teams now have to account for systems that can access, chain, and transform data dynamically, not just authenticate once and wait for a request.



Context

Agentic AI security is the problem of governing systems that do not just answer prompts but initiate actions, retrieve data, and chain tasks across applications. That matters because the usual IAM model assumes a request, a policy check, and a bounded session, while these systems can keep moving after the original human intent is gone. For NHI programmes, that creates a control boundary problem rather than a simple visibility gap.

In practice, this is where data classification, identity context, and runtime enforcement begin to overlap. The security question is no longer only who or what authenticated, but what data an AI system could see, which actions it could trigger, and how quickly those decisions can propagate. That is the same structural pressure the Ultimate Guide to NHIs describes for machine identities, now extended into AI behaviour.


Key questions

Q: How should security teams govern AI systems that can access and transform sensitive data at runtime?

A: Start by classifying the AI system by what data it can reach, what tools it can invoke, and whether it can keep acting without fresh human approval. Then connect discovery, policy enforcement, and monitoring so access is checked in the moment, not only at provisioning. Runtime control matters most when the system can chain actions across multiple environments.

Q: Why do agentic AI systems complicate existing IAM and NHI controls?

A: They complicate governance because the actor can change its path during execution. Traditional IAM and NHI controls assume stable entitlements and predictable request patterns, but agentic systems can retrieve new data, invoke new tools, and continue operating beyond the original human intent. That makes behaviour, not just access, the governance unit.

Q: What breaks when AI governance relies only on data classification and discovery?

A: Teams can see where sensitive data lives, but they still cannot stop the system from using it unsafely. Discovery is necessary, yet it does not prevent prompt leakage, unsafe retrieval, or downstream disclosure. Without runtime enforcement, classification becomes a map of risk rather than a control over behaviour.

Q: What is the difference between DSPM and runtime AI control in security programmes?

A: DSPM tells you where sensitive data exists, who owns it, and how it is exposed. Runtime AI control governs what an AI system can do with that data during live execution. The first is a visibility and posture function; the second is an enforcement function that turns governance into action when the system is active.


Technical breakdown

Why agentic AI breaks request-based authorisation

Traditional authorisation assumes a relatively stable subject, a known action, and a decision point before execution. Agentic systems blur all three. They can choose tasks, sequence tool calls, and continue operating without a new human request for each step. That changes the control problem from approving a single action to governing a runtime actor that can create its own next action. In identity terms, the permission boundary is no longer just a policy decision. It becomes a dynamic relationship between data sensitivity, tool access, and the system’s current context.

Practical implication: review which controls still rely on one-time authorisation decisions and identify where runtime checks are now required.

Data security posture management and AI runtime control

DSPM discovers where sensitive data lives and how it is exposed, while runtime control governs how a system uses that data once access exists. On their own, neither is enough for agentic AI. Discovery tells you what is at risk; runtime enforcement tells you whether the system can read, transform, or disclose it in the moment. The convergence matters because agentic systems can pull from multiple sources, combine outputs, and move data into places that static classification never anticipated. That is why data context and action context now have to be treated as one control plane.

Practical implication: connect data discovery to live enforcement so AI access decisions reflect both sensitivity and current behaviour.
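
The difference between a one-time authorisation decision and a runtime check that reflects both sensitivity and current behaviour can be shown with a small policy function. This is an added example, not code from Cyera, SACR, or NHI Mgmt Group; the source names, tool names, sensitivity levels, and the allow/redact/block outcomes are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed DSPM-style labels: 0 = public, 1 = internal, 2 = restricted (hypothetical).
SENSITIVITY = {"wiki": 0, "crm": 1, "payroll": 2}
EGRESS_TOOLS = {"send_email", "post_webhook"}  # hypothetical tools that move data out

@dataclass
class Session:
    granted_tools: set
    granted_sources: set
    max_seen: int = 0  # highest sensitivity the agent has read so far
    log: list = field(default_factory=list)

def provision_check(s, tool, source=None):
    """One-time style decision: is the entitlement present at all?"""
    return tool in s.granted_tools and (source is None or source in s.granted_sources)

def runtime_check(s, tool, source=None):
    """Per-step decision: entitlement, data sensitivity and session context."""
    if not provision_check(s, tool, source):
        decision = "block"
    elif tool == "read":
        # Unclassified sources are treated as restricted (fail closed).
        s.max_seen = max(s.max_seen, SENSITIVITY.get(source, 2))
        decision = "allow"
    elif tool in EGRESS_TOOLS and s.max_seen >= 2:
        decision = "block"   # restricted data in context must not leave
    elif tool in EGRESS_TOOLS and s.max_seen == 1:
        decision = "redact"  # internal data may leave only after redaction
    else:
        decision = "allow"
    s.log.append((tool, source, decision))
    return decision

# Constructed agent run: the same granted tool gets a different answer as context grows.
STEPS = [("read", "wiki"), ("send_email", None), ("read", "crm"), ("send_email", None),
         ("read", "payroll"), ("send_email", None), ("post_webhook", None)]

def replay(steps):
    s = Session({"read", "send_email"}, {"wiki", "crm", "payroll"})
    return [(provision_check(s, t, src), runtime_check(s, t, src)) for t, src in steps]

if __name__ == "__main__":
    for (tool, src), (static, live) in zip(STEPS, replay(STEPS)):
        print(f"{tool:12} {str(src):8} provisioned={static!s:5} runtime={live}")
```

The provisioning check returns the same answer for every `send_email` call, while the runtime check changes its decision once internal or restricted data has entered the session.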

Shadow AI and least privilege for autonomous data use

Shadow AI is not just undiscovered software. It is undiscovered decision-making that can access sensitive data outside the controls designed for named applications or human users. Least privilege becomes harder to define when an AI system can expand its own task path through prompts, tools, and retrievals. The main issue is not simply over-permissioning at setup. It is that privilege boundaries can shift during execution as the system discovers new routes to data and action.

Practical implication: classify AI systems by data reach and tool reach, then block ungoverned paths before they become default operating behaviour.


Threat narrative

Attacker objective: The objective is to exploit legitimate AI access paths so sensitive data can be retrieved, recombined, and exposed at machine speed.

  1. Entry occurs when an AI system is granted access to enterprise data sources, embedded SaaS models, or internal tools through legitimate identity and policy setup.
  2. Escalation occurs when the system chains tasks, retrieves additional datasets, and reuses context in ways that expand the original intended scope.
  3. Impact occurs when the system discloses, transforms, or propagates sensitive data into outputs, workflows, or downstream agents without sufficient runtime review.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agentic AI security is becoming a control-plane problem, not a point-solution problem. Once AI systems can initiate actions, retrieve data, and chain tasks, no single control can govern the full lifecycle of exposure. DSPM, DLP, identity context, and runtime enforcement have to be read as one design pattern rather than separate product categories. Practitioners should treat this as an operating-model shift, not a feature decision.

Least privilege no longer behaves like a static provisioning property when the actor can choose its own next step. The assumption that access scope is known at setup time was designed for bounded workloads and human-paced use. That assumption weakens when the system can alter the path to data during execution. The implication is that governance must be rethought around observed behaviour, not just granted entitlements.

Runtime AI controls now define the practical boundary between visibility and safety. Visibility without enforcement only tells teams what the system can touch; it does not stop unsafe retrieval, transformation, or disclosure. The market is moving toward adaptive controls because static labels and offline reviews cannot keep up with agentic data movement. Practitioners should expect AI governance to converge with NHI and data governance rather than live beside them.

Agentic data security creates a new governance overlap between human IAM, NHI governance, and autonomous decision-making. The same enterprise may need to govern human access to data, service accounts that move data, and agentic systems that interpret it. That cross-domain pressure is where most current programmes are weakest. Teams should assume the next control failure will happen at the seam between identity, data, and action.

Shadow AI is a lifecycle problem as much as a discovery problem. Discovery finds the system, but lifecycle governance determines who owns it, who can revoke it, and what happens when its access pattern changes. That is the same accountability challenge seen in NHI governance, now multiplied by machine-speed behaviour. Practitioners should view AI discovery as the start of governance, not the end.

From our research:

  • 93% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot confidently trace machine access end to end.
  • That visibility gap is why 52 NHI Breaches Analysis remains the most useful next stop for teams mapping real failure patterns to governance controls.

What this signals

Agentic AI is forcing identity teams to think in terms of behaviour, not only entitlement. The practical shift is toward control planes that combine discovery, ownership, and live enforcement, because static policy cannot keep pace with systems that can alter their own action sequence after access is granted.

Identity-data convergence debt: when data visibility, identity context, and runtime enforcement are managed separately, the organisation accumulates governance debt that only appears when AI begins to act on sensitive data. Teams that already run NHI lifecycle processes should extend ownership and revocation discipline to AI systems before shadow use becomes normal.

The broader signal is that programme boundaries are dissolving across IAM, NHI, and data security. Teams should prepare for shared inventories, shared revocation paths, and shared incident handling across human users, service accounts, and agentic systems.


For practitioners

  • Map AI systems to data reach and action reach: Inventory copilots, embedded models, internal agents, and any automation that can read, transform, or move sensitive data. Classify them separately by the data sources they can touch and the tools they can invoke. Use the OWASP NHI Top 10 to pressure-test identity and secret handling around those access paths.
  • Tie DSPM outputs to runtime enforcement: Do not stop at discovery. Connect classification, lineage, and exposure data to live controls that can block, redact, or warn during retrieval and output generation. The goal is to stop unsafe data use in the moment, not after the fact.
  • Treat shadow AI as a governance backlog item: Assign ownership, approval, and revocation paths to every discovered AI system, including temporary or embedded agents. Reconcile that inventory with the Ultimate Guide to NHIs so lifecycle decisions cover both machine identities and AI-operated access paths.
  • Review controls that assume a stable session boundary: Identify policy checks that only work when access is requested once and then reused unchanged. Agentic systems can change context mid-session, so teams need controls that evaluate behaviour after the first grant, not just at login or initial token issuance.

Key takeaways

  • Agentic AI security changes the problem from protecting prompts to governing runtime behaviour across data, identity, and action.
  • The scale of NHI exposure remains a structural issue, with 93% of organisations exposing NHIs to third parties and only 5.7% seeing their service accounts fully.
  • Practitioners need a control model that links discovery to enforcement, or AI governance will remain descriptive rather than preventive.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 |  | Agentic systems here can initiate actions and chain tasks across tools.
OWASP Non-Human Identity Top 10 | NHI-03 | AI systems use identity-like access paths that need lifecycle and secret governance.
NIST CSF 2.0 | PR.AA-1 | Identity and access management must cover AI systems that access sensitive data.

Map AI actions to agentic threat controls and require runtime checks for tool use and data movement.


Key terms

  • Agentic AI Security: Agentic AI security is the discipline of governing AI systems that can initiate actions, retrieve data, and chain tasks without a fresh human request for each step. It combines identity, data, and runtime controls so behaviour is managed while the system is active, not only when it is first provisioned.
  • Data Security Posture Management: Data Security Posture Management, or DSPM, discovers where sensitive data lives, how it is classified, and where it is exposed. In agentic environments, DSPM is the starting point for control, but it must be paired with runtime enforcement to govern what AI systems do with that data.
  • Runtime Enforcement: Runtime enforcement is the act of applying security decisions while a system is actually using data or invoking tools. For agentic AI, that means blocking, redacting, warning, or constraining behaviour in the moment, which is different from post-event review or static policy assignment.
  • Shadow AI: Shadow AI is an AI system in an environment that is not fully discovered, approved, or governed by the security programme. The risk is not only unknown software, but unknown data access and unknown decision-making paths that can bypass lifecycle, identity, and data controls.

Deepen your knowledge

Agentic AI security and runtime control are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity governance into AI-driven systems, it is a practical next step for your team.

This post draws on content published by Cyera: Cyera named a leading platform in the emergence of agentic data and AI security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org