TL;DR: Agentic AI pushes business logic from static applications into runtime decision-making, which in turn breaks identity governance and segregation-of-duties models built on periodic enforcement, according to Saviynt. The governance failure is not just slower tooling, but an assumption that access can be reviewed after the fact when decisions are now made in context and at execution time.
At a glance
What this is: An analysis of how agentic AI changes enterprise software architecture and exposes a runtime governance gap in identity control.
Why it matters: IAM, IGA, and PAM programmes must now govern decisions made during execution, not just entitlements assigned ahead of time.
By the numbers:
- Only 34% of organizations are truly reimagining their businesses around AI, according to the 2026 State of AI report.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Saviynt's analysis of how agentic AI reshapes enterprise software
Context
Agentic AI changes enterprise software by moving decisions from predefined application logic into runtime. In identity terms, that shifts the control point from provisioning and periodic review to execution-time governance, which is where most IGA models are weakest.
Saviynt argues that this matters because identity governance and segregation of duties were built for systems that enforce rules after changes are recorded. When logic moves into the moment of action, the older model leaves a gap between what policy says should happen and what the system is actually deciding.
Key questions
Q: How should security teams govern agentic AI beyond traditional IAM controls?
A: Security teams should govern agentic AI at the point of execution, not only at the point of access assignment. That means defining allowable decision paths, logging runtime context, and tying exceptions to accountable owners. Traditional IAM remains necessary, but it is not enough when the system can adapt its own workflow during the task.
Q: Why do agentic AI systems break segregation of duties models?
A: They break SoD models because the conflict can be created and consumed inside one runtime sequence. A control that checks access after provisioning may never see the prohibited combination if the system finishes the task before review. SoD for agentic systems has to govern sequences and decisions, not just static permissions.
Q: How do you know if runtime governance for AI is actually working?
A: Look for whether decisions are captured with context, whether exceptions are traceable to a named owner, and whether blocked actions are prevented before execution completes. If policy only appears in audit reports after the fact, the control is documenting behaviour rather than governing it.
Q: What is the difference between agentic AI governance and traditional workflow automation?
A: Traditional workflow automation follows predefined rules and fixed paths, while agentic AI makes runtime decisions based on context and may change the path as it executes. Governance therefore shifts from validating a scripted process to constraining live decision-making, which requires stronger identity, policy, and telemetry integration.
Technical breakdown
Runtime decision-making and identity governance
Traditional enterprise applications encode business logic in advance, so access, approvals, and exceptions are all based on conditions known before execution. Agentic AI changes that model by evaluating context during the task itself, which means identity controls must operate at the same speed as the decision. That alters how governance works because the relevant security event is no longer just entitlement assignment. It is also the moment the system chooses a path, invokes a tool, or escalates an action based on live context. The IGA problem becomes one of governing runtime behaviour rather than only governing static access state.
Practical implication: teams need governance signals that observe decisions as they happen, not only after access changes are synced.
Segregation of duties in an agentic workflow
Segregation of duties has usually assumed that conflicts can be detected from stable role assignments and delayed updates. In agentic workflows, the conflict can emerge inside the action sequence itself, when an agent combines steps that would be separated in a human-driven process. That makes SoD less about stored entitlements and more about allowable decision paths. The architecture challenge is that the policy engine must understand not just who has access, but what sequence of actions is being assembled at runtime and whether that sequence crosses a governance boundary.
Practical implication: model SoD around permitted action sequences and exception handling, not only role membership.
Outcome-based work replaces application-centric workflow
The article describes a shift from tool-centric enterprise software to outcome-centric execution. Instead of humans moving work through fixed systems, the machine interprets intent, chooses the next step, and adapts the flow as conditions change. That reduces the value of some intermediary application layers, but it also increases the importance of identity guardrails, accountability logs, and explicit constraints on what the system may do. In practice, this is where identity becomes part of the execution fabric, not just the login layer.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Runtime governance gap: the core problem is not that AI makes enterprise software faster, but that identity governance was built for deferred enforcement. Access review, segregation of duties, and exception handling all assume that the relevant state exists long enough to be observed and certified. When logic moves to runtime, the control plane must see decisions as they are made. Practitioners should treat this as a governance architecture mismatch, not a policy tuning issue.
Identity controls built for static entitlements do not fully describe agentic behaviour. A role or permission set says what an identity may do on paper, but agentic systems combine context, sequence, and timing inside execution. That means the security question is no longer only who holds access, but which decision paths are possible at runtime. The implication is that IGA programmes will need to account for action chains, not just access assignments.
Segregation of duties was designed for conditions where conflicting access can be detected after the fact. That assumption fails when the actor evaluates and executes within the same runtime window, because the conflict can be created and consumed before a review cycle ever sees it. The implication is that SoD logic must be rethought as pre-execution control over permitted behaviours, not as periodic reconciliation of records.
What this signals for the market is a shift from application security tooling toward execution governance. The competitive centre of gravity is moving from managing software features to controlling how work is carried out by autonomous or semi-autonomous systems. That validates identity as the control layer, but it also complicates older IAM operating models that assume systems are passive until a person acts on them. Practitioners should expect greater pressure to unify identity, policy, and runtime telemetry.
Agentic AI will expose which identity programmes still treat governance as a back-office process. When business logic runs in context, the identity team is no longer auditing the edge of the system. It is helping define what the system may decide, when it may decide it, and how exceptions are recorded. The practical conclusion is that governance, architecture, and operations now have to be designed together.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- For a broader identity baseline, 52 NHI Breaches Analysis shows how weak visibility and standing access turn credential gaps into repeat incidents.
What this signals
Runtime governance gap: enterprise IAM programmes should expect more controls to fail at execution time rather than at provisioning time. The practical shift is toward policy decisions that are evaluated in context, with identity telemetry tied directly to the action path and exception record.
The governance question is no longer whether AI can help automate work. It is whether the programme can still prove who or what made the decision, on what basis, and under which constraints. That makes runtime observability a prerequisite for agentic adoption, not an optional enhancement.
If your identity architecture still assumes review cycles will catch risk after the fact, the operating model is already behind. The more work moves into live decision-making, the more identity becomes part of the execution layer and the more important it is to align controls with actual behaviour.
For practitioners
- Map runtime decision points: Identify where agentic systems make choices, invoke tools, or escalate actions during execution. Tie each decision point to a control owner and a logging requirement so governance is attached to the action path, not only the entitlement record.
- Rework segregation of duties for action sequences: Review SoD rules for conflicts that appear across multi-step workflows, especially where an agent can assemble a complete business process without human interruption. Define blocked sequences, not just blocked roles.
- Align IGA with execution telemetry: Feed approval, exception, and context data into identity governance so certification is informed by what the system actually did at runtime. Without execution telemetry, policy review remains disconnected from the real control surface.
- Separate assistive AI from autonomous execution: Classify AI use cases by whether the system can decide, select tools, and execute without approval gates. Only the cases that meet that threshold should be governed as autonomous behaviour rather than as conventional automation.
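One way to implement the "blocked sequences, not just blocked roles" rule from the segregation-of-duties section and the practitioner steps above, as an added example that is not Saviynt's or NHIMG's code: a pre-execution gate that checks each proposed tool call against the actions already completed in the same task, waives a conflict only against a named exception owner, and logs every decision with its runtime context. The agent id, tool names, blocked pairs and owner are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed entitlements: on paper the agent's role holds both tools, so a
# static, provisioning-time SoD check sees nothing wrong.
ROLE_ENTITLEMENTS = {"agent-7": {"vendor.create", "payment.approve", "invoice.read"}}
# Constructed SoD policy over action pairs: one identity must not complete both
# inside a single task, whatever its role grants.
BLOCKED_SEQUENCES = {frozenset({"vendor.create", "payment.approve"}),
                     frozenset({"user.create", "role.grant_admin"})}

@dataclass
class Decision:
    task_id: str
    agent_id: str
    action: str
    allowed: bool
    reason: str
    prior_actions: Tuple[str, ...]         # runtime context captured with the decision
    exception_owner: Optional[str] = None  # named owner when a conflict was waived

def static_entitlement_check(agent_id: str, action: str) -> bool:
    """Provisioning-time view: does the role hold the tool at all?"""
    return action in ROLE_ENTITLEMENTS.get(agent_id, set())

class RuntimeSoDGate:
    """Checks each proposed tool call against the actions already completed in
    the same task, and blocks before execution rather than flagging after."""
    def __init__(self, blocked=BLOCKED_SEQUENCES):
        self.blocked = blocked
        self.history: Dict[str, List[str]] = {}  # task_id -> completed actions
        self.log: List[Decision] = []             # every decision, allowed or not

    def evaluate(self, task_id: str, agent_id: str, action: str,
                 exception_owner: Optional[str] = None) -> Decision:
        prior = tuple(self.history.get(task_id, []))
        conflict = next((p for p in prior if frozenset({p, action}) in self.blocked), None)
        if not static_entitlement_check(agent_id, action):
            allowed, reason = False, f"{agent_id} is not entitled to {action}"
        elif conflict is None:
            allowed, reason = True, "no sequence conflict"
        elif exception_owner:
            allowed, reason = True, f"conflict with {conflict} waived by {exception_owner}"
        else:
            allowed, reason = False, f"{action} conflicts with {conflict} in task {task_id}"
        decision = Decision(task_id, agent_id, action, allowed, reason, prior,
                            exception_owner if conflict is not None else None)
        self.log.append(decision)
        if allowed:
            self.history.setdefault(task_id, []).append(action)
        return decision
```

The same two calls that the static check permits are blocked when they land in one task, and the log entry carries the prior actions and the owner of any waiver, which is the record a certification review would need.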
Key takeaways
- Agentic AI shifts the control problem from static access management to runtime decision governance.
- Segregation of duties weakens when conflicting actions can be assembled and completed within one execution sequence.
- Identity programmes that cannot observe decisions in context will struggle to govern AI-driven enterprise workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agentic runtime decisions and tool use are central to the article's risk model. |
| NIST AI RMF | | The article focuses on governance, accountability, and contextual decision-making for AI. |
| NIST CSF 2.0 | PR.AC-4 | Identity access and least-privilege control remain foundational as AI takes over execution logic. |
Map agent actions and decision boundaries against agentic AI controls before granting execution authority.
Key terms
- Runtime Governance: Runtime governance is the set of controls that evaluate and constrain decisions while a system is executing work. In agentic environments, it matters because access, context, and action can change inside a single task, so governance must observe behaviour as it happens, not only after entitlements are recorded.
- Segregation of Duties: Segregation of duties separates incompatible actions so no single identity can complete a high-risk process end to end without oversight. In agentic workflows, the control must account for action sequences and runtime decisions, because a system can assemble the conflict dynamically even when role assignments look clean on paper.
- Agentic AI: Agentic AI is AI that can decide what to do next during execution rather than only responding to fixed instructions. For identity teams, that means the security model must cover tool use, timing, context, and accountability, because the system is no longer just a passive consumer of permissions.
- Outcome-Based Workflow: An outcome-based workflow is designed around the result the business wants, not around a fixed application path. In identity terms, this shifts governance away from prebuilt screens and approval chains toward policies, guardrails, and traceable decisions that can adapt as the task unfolds.
What's in the full article
Saviynt's full blog post covers the operational detail this post intentionally leaves for the source:
- How the article frames the move from human-mediated workflows to outcome-based execution across enterprise software
- The specific identity governance and segregation-of-duties example used to illustrate runtime control failure
- The role descriptions that may change as AI takes over more of the decision logic inside business applications
- The additional quotes and references the author uses to support the shift from application-centric to agent-centric software
👉 Saviynt's full post expands the runtime governance argument and the enterprise workflow examples.
Deepen your knowledge
Agentic AI governance and runtime identity controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are redesigning IAM for systems that decide during execution, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org