AI agent governance belongs on the CISO agenda at Innovate Scottsdale

At a glance

What this is: This is an event listing for GitGuardian’s presence at Innovate Scottsdale 2026, with a focus on secrets security, NHI governance, and developer workflow integration.

Why it matters: It matters because practitioner teams are being pushed to govern non-human identities and secrets across development and production at the same time.

By the numbers:

• The Innovate Cybersecurity Summit runs from Oct 05, 2026 to Oct 07, 2026 in Scottsdale, AZ, USA.

👉 Register for GitGuardian's Innovate Scottsdale 2026 event page

Context

AI agent governance is becoming a practical security issue because autonomous systems inherit access, use secrets, and interact with tools in ways that traditional IAM processes were not built to supervise. GitGuardian’s event listing places secrets across development environments, non-human identities in cloud-native and hybrid architectures, and security in developer workflows at the centre of the conversation for Innovate Scottsdale 2026.

The important point for practitioners is not the venue or the networking format. It is that the operational boundary between secrets management, NHI governance, and developer productivity is now thin enough that teams need shared controls, shared ownership, and clearer escalation paths. That framing is typical of mature programmes, but the breadth of topics suggests many organisations are still working through basic alignment.

The mention of an upcoming AI framework in the page title signals where the market is heading: from isolated secrets handling toward policy-driven guardrails for agentic systems, with governance questions moving closer to the CISO and architecture functions.

Key questions

Q: How should security teams govern AI agents that can access enterprise systems

A: Start by treating every AI agent as a non-human identity with a defined owner, scope, and expiry. Then require least privilege, step-up approval for sensitive actions, and logs that show which tools the agent used. If an agent can reach production systems, governance must be enforced at runtime, not just documented in policy.

Q: What is the difference between secrets management and NHI governance

A: Secrets management focuses on protecting and rotating credentials such as tokens, keys, and certificates. NHI governance is broader because it also covers identity lifecycle, ownership, access reviews, and the permissions attached to those credentials. In practice, teams need both. A well-managed secret can still create excessive access if the identity behind it is poorly governed.

Q: When do AI agent guardrails become necessary instead of optional

A: They become necessary when an agent can read data, call tools, or make changes without direct human oversight. At that point, the risk is not just model error but unauthorized execution. Guardrails are necessary whenever an agent can touch production, sensitive data, or privileged workflows, because the blast radius is no longer theoretical.

Q: Should organisations prioritise secret rotation or access review first

A: They should do both, but access review should come first when unknown or over-privileged identities already exist. Rotation reduces exposure window, but review reduces entitlement sprawl and clarifies ownership. If a team rotates secrets without fixing who can use them, it preserves the same risk pattern with a fresher credential.

Background and context

Why AI agent governance depends on secrets hygiene

AI agents, service accounts, API keys, and tokens all sit in the same operational trust chain. If a workflow can read a secret, it can often call downstream systems without further human approval, which means exposure is not just about leakage. It is about unintended execution authority. In cloud-native environments, that authority can expand quickly through CI/CD, orchestration layers, and integrations that were designed for automation first and least privilege second. The practical challenge is to treat secrets as live access instruments, not static configuration.

Practical implication: inventory every secret that can authorize agent actions and tie it to an owner, purpose, and expiry.

How NHI governance changes in hybrid and developer-centric environments

Non-human identity governance becomes harder when the same credential can exist in build pipelines, production services, and collaboration tooling. Hybrid estates create fragmented visibility, while developer workflows encourage rapid creation of tokens and credentials to remove friction. That combination produces shadow access, weak lifecycle controls, and unclear accountability when an agent or workload behaves outside its intended scope. Effective governance therefore needs identity lifecycle controls, access reviews, and rotation policies that work across platforms rather than inside one tool boundary.

Practical implication: unify lifecycle and review processes across build, runtime, and production identities.

What guardrails matter most for agentic AI security

The phrase agentic AI guardrails should be understood as operational policy, not a slogan. Guardrails include permission scoping, step-up approval for sensitive actions, logging that can reconstruct tool use, and boundaries around where an agent can read or write data. In practice, that also means mapping AI agent behaviour to existing IAM and PAM expectations, then extending those controls to cover autonomous execution paths. Without that, governance becomes reactive incident response instead of preventive control design.

Practical implication: define explicit approval and logging requirements before agents receive production access.

NHI Mgmt Group analysis

AI agent governance is becoming an identity problem before it becomes an AI problem. Once an autonomous system can use secrets, tokens, or service accounts, it inherits the same trust assumptions that govern NHI sprawl. That shifts the centre of gravity from model oversight alone to entitlement design, lifecycle management, and review discipline. Practitioners should treat agent permissions as a governance object, not a feature toggle.

Secrets management and NHI governance are converging into a single control plane. The event topics reflect a reality many programmes still separate operationally, even though the failure modes overlap. A leaked token, an overbroad service account, and an over-privileged agent all create the same outcome: unauthorized execution at machine speed. Security teams should align these controls rather than run them as disconnected efforts.

Agentic AI guardrails only work when they are enforceable at runtime. Policy written after deployment rarely constrains autonomous behaviour in a useful way. The useful guardrails are those that can deny, delay, log, or require approval when an agent crosses a defined threshold. Practitioners should measure control maturity by whether the guardrail changes the agent’s action, not by whether the policy exists on paper.

Identity blast radius is the right concept for this phase of the market. The issue is no longer simply how many identities exist, but how far any one identity can move once compromised or misused. That is why teams need to combine secret rotation, least privilege, and access review into a single risk-reduction model. The practitioner takeaway is simple: reduce the blast radius before expanding agent autonomy.

From our research:

• 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• That visibility gap makes the next control question operational, not theoretical, which is why OWASP Agentic Applications Top 10 is the right forward-looking reference for teams tightening agent guardrails.

What this signals

Identity blast radius is the control problem that now matters most for agentic systems. As AI agents inherit credentials and tool access, the question is not whether they can act, but how far they can move if those privileges are abused. Teams should prepare for governance models that combine runtime policy, secret lifecycle, and action-level logging rather than treating them as separate workstreams.

The governance pressure is already visible in the adoption numbers: 98% of companies plan to deploy even more AI agents within the next 12 months, according to AI Agents: The New Attack Surface report. That pace means control design has to keep up with deployment, not trail it. Practitioners should expect audit, legal, and executive scrutiny to increase once agent behaviour crosses business workflows.

For teams building a programme now, the useful next step is to align agent access decisions with policy frameworks that can survive scale. The most resilient programmes will use least privilege, explicit ownership, and enforceable guardrails to reduce machine-speed risk before it spreads across development and production. That is the practical interpretation of mature NHI governance.

For practitioners

• Map agent access paths end to end Identify every secret, token, certificate, and service account that could authorize AI or automation workflows, including those embedded in CI/CD and developer tooling.
• Unify lifecycle controls across build and runtime Require ownership, expiry, and review for non-human identities used in development, testing, and production so that the same credential is not governed differently by environment.
• Set runtime approval rules for sensitive actions Define which agent actions need step-up approval, especially data export, privilege changes, and production writes, and log those actions in a form that supports investigation.
• Tie developer workflow security to NHI policy Bring platform engineering, IAM, and security architecture together so that developer convenience does not bypass policy for machine identities or secret distribution.

Key takeaways

• AI agent governance is now an NHI and secrets problem as much as an AI problem.
• The main risk is uncontrolled machine execution authority, not just credential leakage.
• Security teams should define runtime guardrails, ownership, and lifecycle controls before agent autonomy expands.

Key terms

• Non-Human Identity: A non-human identity is any credentialed digital entity that acts on behalf of a system, workload, or automation process. It includes service accounts, API keys, tokens, certificates, bots, and AI agents. Governance matters because these identities can move faster and farther than human accounts.
• Identity Blast Radius: Identity blast radius is the amount of damage a compromised or misused identity can cause before controls stop it. In NHI environments, blast radius depends on permissions, reach across systems, and how quickly the credential can be revoked or rotated. Smaller blast radius means lower operational risk.
• Agentic AI Guardrails: Agentic AI guardrails are the operational rules that constrain what an autonomous AI system can do. They include permission limits, approval gates, monitoring, and logging. Effective guardrails are enforced at runtime so they can prevent or slow unsafe actions rather than only describe policy.

What to expect at the briefing

GitGuardian's full event page covers the practical meeting format and attendee focus this post intentionally leaves for the source:

• Booth #111 meeting context for CISOs and senior security leaders who want to discuss active programmes rather than broad theory
• Event framing around secure developer workflows, with emphasis on how security fits into day-to-day engineering processes
• Positioning for organisations working across cloud-native and hybrid architectures where NHI governance is already operationally relevant
• Details on the summit's curated, invitation-only format for executive-level networking and peer benchmarking

👉 GitGuardian's full event page covers booth details, audience fit, and the security topics they expect to discuss in Scottsdale.

Deepen your knowledge

AI agent governance, secrets lifecycle, and NHI ownership are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is moving from isolated controls to a governed operational model, it is worth exploring.