By NHI Mgmt Group Editorial Team
Published 2026-06-29
Domain: Events
Source: Zenity

TL;DR: AI agents are increasingly a governance problem at the decision layer, with the AI Summit on August 4 highlighting how agents can reach corporate data, actions, triggers, and other systems across SaaS, cloud, and endpoints, according to Zenity. The practical takeaway is that agent security now has to assume runtime decision-making, not just credential management.


At a glance

What this is: This is a Black Hat USA 2026 event promotion focused on AI agent governance, with a core claim that agents must be secured at the decision level because they can act across data, tools, applications, and triggers.

Why it matters: It matters because IAM, NHI, and emerging agentic governance programmes now have to control what an AI agent decides to do, not only what it can authenticate to.

👉 Read Zenity's Black Hat USA 2026 briefing on AI agent decision-level security


Context

AI agent governance is the problem space here, not the event itself. The source argues that agents are already embedded across SaaS, cloud, and endpoint environments, and that their security risk comes from decision-making connected to data, actions, other agents, applications, and triggers.

For identity teams, that shifts the question from static entitlement review to runtime control of autonomous or semi-autonomous behaviour. The relevant governance challenge is deciding how to constrain agent actions, trace agent decisions, and prevent a delegated identity from taking the wrong path once execution begins.


Key questions

Q: How should security teams govern AI agents that can make runtime decisions?

A: Security teams should govern AI agents at the decision layer by defining where the agent can act, what it can choose, and which downstream tools require policy checks before execution. The goal is to constrain runtime behaviour, not just authenticate the agent. Inventory the agent, its actions, and its triggers together so governance follows the workflow.

Q: What breaks when AI agents are treated like ordinary service accounts?

A: Treating AI agents like ordinary service accounts breaks because the agent can adapt its next move, chain actions, and interact with multiple systems in a single workflow. A service account model assumes fixed purpose and predictable execution. Agentic systems need action-level control, traceability, and containment around downstream effects.

Q: Why do AI agents complicate least-privilege design?

A: AI agents complicate least-privilege design because their intent is not always known upfront and their execution path can change during runtime. Least privilege becomes harder to define when the same identity may choose different tools or workflows depending on context. Practitioners need runtime constraints that limit decisions, not only entitlements.

Q: Who is accountable when an AI agent triggers an unintended action?

A: Accountability should sit with the team that approved the agent's operating scope, policy, and connected systems, because the agent acted within a delegated governance model. Organisations need clear ownership for the agent identity, its approval path, and its monitored execution surface. Without that, incident response becomes a debate over ownership instead of containment.


Background and context

Decision-level control for AI agents

Decision-level control means governing the point where an agent chooses an action, not just where it authenticates. In agentic systems, the risky moment is often after access has already been granted, when the agent selects a tool, combines context from multiple sources, and decides what to do next. That is different from conventional NHI use, where a service account typically performs a narrower, more deterministic function. When agents can interact with corporate data, applications, and triggers, the control problem shifts to runtime authorization, decision logging, and action scoping. Identity teams need to treat the decision as the security boundary, not merely the session.

Practical implication: Map every high-risk agent workflow to a decision checkpoint and require explicit policy enforcement before tool use.

AI agent identity across SaaS, cloud, and endpoint environments

The article frames agents as spanning SaaS, homegrown cloud platforms, and end-user devices, which means their identity posture cannot be managed in one control plane alone. An agent may be granted one identity, execute through another, and touch data in several systems before a human ever sees the result. That creates a governance problem that sits between IAM, NHI, and endpoint controls. For practitioners, the architecture question is whether the enterprise can trace which agent identity acted, which system approved the action, and which data or workflow was affected. Without that linkage, auditability breaks down quickly.

Practical implication: Create a single inventory of agent identities, their execution surfaces, and the systems they can touch.

Defense in depth for agent-to-agent and trigger-based execution

The source emphasizes that agents connect to other agents, applications, and triggers, which increases the chance of chained execution. Once an agent can hand work to another agent or fire a trigger, the blast radius is no longer confined to the initial request. This is where classic least-privilege assumptions weaken, because the real risk is not only direct access, but delegated follow-on action. In agentic environments, defense in depth has to include approval boundaries, action constraints, and containment around recursive or triggered workflows. Otherwise, a small decision can become an outsized sequence of machine-driven actions.

Practical implication: Review chained agent workflows for uncontrolled trigger paths before allowing production access.


NHI Mgmt Group analysis

Decision-level governance is now the right security boundary for AI agents. The source is not really about event logistics. It is about the fact that agent behaviour is defined by runtime decisions that can fan out across data, tools, and workflows. Traditional entitlement management is still necessary, but it is no longer sufficient when the risky act is the choice itself rather than the permission alone. Practitioners should treat the decision point as the unit of governance.

Least privilege for agents is an assumption, not a control outcome, unless decision scope is constrained at runtime. Static access models presume the actor's intent is knowable when access is granted. That assumption fails when an agent can chain actions, route through multiple systems, and adapt its next step based on context. The implication is that identity programmes must rethink how privilege is defined for behaviours that are not fixed in advance.

AI agents collapse the boundary between identity, workflow, and execution. The article's emphasis on SaaS, cloud, and endpoint coverage shows that agent governance cannot be treated as a point product problem. Once an identity can initiate actions across business systems, the governance model has to follow the action path rather than the login path. Practitioners should align controls to execution pathways, not just account inventories.

Runtime visibility matters more than post-event review for agentic systems. If an agent has already made a harmful decision, the audit trail may explain what happened but not prevent recurrence. That makes logging necessary but insufficient. Security teams need controls that can interrupt, constrain, or redirect a decision before downstream actions complete.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why governance assumptions break down once real workflows hit production.
  • For a deeper identity lens, see the Ultimate Guide to NHIs for lifecycle, visibility, rotation, and offboarding patterns that underpin machine and agent governance.

What this signals

Decision-level governance will become a standard design requirement for teams that already manage secrets, workload identity, and privileged automation. As agentic systems spread, the governance question will shift from who authenticated to what the agent was allowed to decide, and that is a different control conversation entirely.

With only 44% of developers following security best practices for secrets management, identity teams should expect agent governance to fail where engineering habits remain informal. The practical response is to connect policy, inventory, and execution telemetry so that agent actions can be constrained before they propagate.

Practitioners should also watch how agent workflows map to existing identity lifecycle processes, especially when human approvals, service credentials, and automated triggers overlap. The organisations that get ahead will be the ones that treat agent decisions as governed events, not invisible side effects.


For practitioners

  • Inventory every AI agent identity and execution surface: Document which agents operate in SaaS, cloud, and endpoint environments, then map each one to the data sources, applications, and triggers it can reach.
  • Define decision checkpoints for high-risk agent actions: Require policy enforcement before an agent can call tools, trigger downstream workflows, or hand tasks to another agent.
  • Restrict chained and recursive agent workflows: Review whether one agent can trigger another without human oversight, then block paths that can create uncontrolled follow-on execution.
  • Align audit trails to agent decisions, not just logins: Record the action chosen, the context used, the downstream systems touched, and the policy that allowed execution.
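As an added illustration (not Zenity's or NHI Mgmt Group's code) of the decision checkpoint, chain-depth containment and decision-keyed audit trail described under "Decision-level control" and in the practitioner steps above, assuming a hypothetical agent identity "crm-assistant" and invented tool names:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AgentScope:
    agent_id: str
    allowed_tools: frozenset       # tools the agent may choose at all
    approval_required: frozenset   # tools that additionally need a human approval token
    max_chain_depth: int           # delegated hops permitted after the initial request

@dataclass
class DecisionGate:
    """Checkpoint consulted before every tool call; records each decision for audit."""
    scopes: dict
    audit: list = field(default_factory=list)

    def evaluate(self, agent_id, tool, context, chain_depth=0, approved=False):
        scope = self.scopes.get(agent_id)
        if scope is None:
            verdict, policy = False, "unknown agent identity"
        elif tool not in scope.allowed_tools:
            verdict, policy = False, "tool outside operating scope"
        elif chain_depth > scope.max_chain_depth:
            verdict, policy = False, "chain depth exceeds approved limit"
        elif tool in scope.approval_required and not approved:
            verdict, policy = False, "human approval required"
        else:
            verdict, policy = True, "within approved scope"
        # Audit entry keyed to the decision, not the login: action, context, chain position, policy outcome.
        self.audit.append({"agent": agent_id, "tool": tool, "context": context,
                           "chain_depth": chain_depth, "allowed": verdict, "policy": policy})
        return verdict, policy

# Constructed sample scope; the agent name and tool names are hypothetical.
SCOPES = {
    "crm-assistant": AgentScope("crm-assistant", frozenset({"read_crm", "send_email"}),
                                frozenset({"send_email"}), max_chain_depth=1),
}

def run_sample():
    # Walk one chained workflow through the gate; return the decisions and the audit trail.
    gate = DecisionGate(SCOPES)
    ctx = {"request": "summarise open deals for the sales lead"}
    results = [
        gate.evaluate("crm-assistant", "read_crm", ctx),                   # allowed
        gate.evaluate("crm-assistant", "send_email", ctx),                 # blocked: needs approval
        gate.evaluate("crm-assistant", "send_email", ctx, approved=True),  # allowed after approval
        gate.evaluate("crm-assistant", "delete_records", ctx),             # blocked: out of scope
        gate.evaluate("crm-assistant", "read_crm", ctx, chain_depth=2),    # blocked: chain too deep
    ]
    return results, gate.audit
```

The gate sits in front of the tool dispatcher, so an agent that adapts its plan mid-workflow still cannot reach a tool, approval boundary or chain depth outside the scope its owning team approved.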

Key takeaways

  • AI agent risk is increasingly about runtime decisions, not just access grants.
  • Security teams need governance that follows agent execution across SaaS, cloud, and endpoint surfaces.
  • Without decision-level controls, chained agent actions can expand the blast radius faster than conventional IAM processes can react.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | AGENT-03 | The article centers on runtime agent decisions and tool use.
NIST AI RMF | | AI governance and accountability apply to agentic decision-making.
NIST CSF 2.0 | PR.AC-4 | The post focuses on controlling access and action paths for agents.

Constrain agent tool use with policy checks before execution and before downstream chaining.


Key terms

  • Decision-level governance: Decision-level governance is the practice of controlling what an AI agent is allowed to choose at runtime, not just what it can log into. It focuses on the action boundary, including tool use, trigger execution, and downstream workflow chaining, so security policy constrains behaviour before impact occurs.
  • Agent identity: Agent identity is the non-human identity used by an AI agent to authenticate and act across systems. It can span SaaS, cloud, and endpoint environments, which means governance must track both the credential and the decisions made under that credential.
  • Execution surface: An execution surface is any system or environment where an identity can actually do work, such as an application, trigger, endpoint, or API. For AI agents, execution surfaces matter because risk appears where action is taken, not only where authentication occurs.
  • Chained workflow: A chained workflow is a sequence where one automated or agentic action triggers another, expanding the blast radius beyond the original request. In agent governance, chained workflows are high risk because a single decision can propagate across multiple systems without fresh human review.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Zenity: Black Hat USA 2026 AI agent governance and event briefing. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org