By NHI Mgmt Group Editorial Team
Published 2026-03-18
Domain: Agentic AI & NHIs
Source: Orca Security

TL;DR: AI agents for CNAPP that investigate alerts, triage findings, and trigger workflows using unified cloud context are described by Orca Security, while Gartner reports a 60% increase in security and risk management spending since 2020 and Omdia found 45% of organisations saw four or more cloud incidents in the last year. The governance lesson is that agentic speed only helps if identity, context, and approval boundaries stay visible.


At a glance

What this is: Orca Security frames AI agents as cloud-native security helpers that combine context, reasoning, memory, and action to speed investigation and remediation across CNAPP workflows.

Why it matters: IAM teams should read this as a governance problem, not a feature story, because AI-driven action changes how cloud identities, approvals, and accountability have to be controlled across NHI, autonomous, and human-operated workflows.

By the numbers:

  • 60% increase in security and risk management spending since 2020, per Gartner.
  • 45% of organisations saw four or more cloud incidents in the last year, per Omdia.

👉 Read Orca Security's analysis of AI agents for CNAPP and cloud-native apps


Context

AI agents in CNAPP are being positioned as decision helpers that can gather context, explain findings, and trigger remediation workflows across cloud-native environments. The identity question is straightforward: once a system can move from observation to action, the control model is no longer just about visibility, it becomes about who or what is allowed to initiate security work.

This matters because cloud security programmes already struggle with fragmented context across cloud control planes, identity systems, code, and telemetry. Orca Security’s framing shows the direction of travel, but the deeper issue is governance: the more the platform can act, the more carefully teams must define approval boundaries, auditability, and human override paths for the identities involved.

For practitioners, this is not a narrow CNAPP feature discussion. It is part of the broader shift from static security tooling to identity-aware operational systems, where service accounts, workflows, and AI-driven assistants all touch the same remediation path.


Key questions

Q: How should security teams govern AI agents that can trigger remediation workflows?

A: Security teams should separate advisory output from execution authority, then require explicit approval for any workflow that changes state. The agent can summarise risk and recommend action, but the right to create, close, suppress, or remediate should be controlled like any other privileged non-human identity. That boundary should be logged and reviewable.

Q: Why do AI agents complicate cloud identity governance?

A: AI agents complicate governance because they turn identity from a static permission holder into an operational decision-maker. Once an agent can reason over cloud data and act through integrations, IAM must govern not only access, but also the conditions under which that access can be used to change systems or initiate work.

Q: What breaks when cloud security automation lacks unified identity context?

A: Automation breaks when the system cannot reliably connect workload state, identity permissions, and alert evidence to the same asset or actor. In that situation, triage decisions become partial, suppression becomes risky, and remediation can target the wrong object. The result is faster movement with less confidence, which is operationally worse than slower review.

Q: Should organisations keep humans in the loop for AI-driven remediation?

A: Yes, until the organisation can prove that the agent’s reasoning, scope, and downstream effects are fully auditable and reversible. Human review is still the safest control where agent outputs can trigger system change, because accountability for a machine-delegated action still has to land somewhere the business can govern.


Technical breakdown

Unified data models and cloud identity context

Agentic security systems are only as reliable as the context they can assemble. In CNAPP, that context spans cloud control plane data, identity and access information, repository and CI/CD signals, network telemetry, and threat intelligence. A unified data model normalises those sources so the agent can correlate exposure, privilege, workload state, and asset relationships before deciding whether an alert is worth action. Without that linkage, the system may still produce outputs, but they are not grounded enough for trustworthy security operations.

Practical implication: verify that identity data, workload metadata, and security telemetry resolve to the same entity before allowing any automated triage path.

Reasoning, memory, and action in agentic CNAPP

Orca’s model separates reasoning, memory, and action. Reasoning is the ability to explain why a finding matters, memory is the ability to reuse prior feedback and past decisions, and action is the ability to initiate workflows through SIEM, SOAR, or ticketing integrations. That architecture matters because each step increases operational influence. A system that only explains a finding is advisory. A system that can also create tickets, suppress alerts, or trigger remediations is operating inside the control plane of the organisation. The governance challenge is therefore less about analytics quality and more about the permitted boundary between recommendation and execution.

Practical implication: treat action permissions as a separate control surface from analytic access.

Transparency and human-in-the-loop control

The vendor explicitly says its agents start by recommending action with transparent reasoning, while a human remains in the loop before moving toward more autonomous behaviour. That is a meaningful design choice because it acknowledges a classic identity governance issue: recommendations are easy to absorb into process, but execution rights change accountability. In practice, the trust model must show what the agent saw, what it concluded, and who approved the next step. Otherwise, a human review step becomes ceremonial rather than control-bearing.

Practical implication: require explainability artifacts and approval logging before any remediation workflow can close automatically.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agents for CNAPP are not just faster analysts, they are identity-bearing operators. Once an agent can investigate alerts, prioritise risk, and initiate tickets or remediation workflows, it begins to occupy an operational role that traditional IAM and cloud security models were not designed to govern. That shifts the problem from tool adoption to delegated authority. Practitioners should treat the agent as a governed non-human actor with defined scope, approvals, and auditability.

Context is the real control plane in agentic cloud security. A triage decision only becomes defensible when identity, workload, code, and telemetry resolve into the same security picture. Without that unified view, the platform can still act, but it acts on partial evidence. The implication is that fragmented data models now create governance risk, not just detection noise, because the agent inherits whatever context quality the organisation has actually built.

Transparency builds trust only when it is attached to execution boundaries. Reasoning output is useful, but it does not replace control over who can dismiss findings, create tickets, or trigger downstream remediation. In identity terms, the boundary between recommendation and action is where accountability either holds or dissolves. Practitioners should insist that any automation path preserve review, traceability, and reversible state.

Agentic AI introduces a new governance gap that sits between alert triage and system change. That gap is not lack of intelligence, it is lack of decision partitioning. If an AI agent can change environment state after interpreting evidence, the organisation must govern both the evidence path and the execution path as distinct identity events. The practitioner conclusion is simple: one control set cannot safely cover both interpretation and action.

Cloud-native security teams will increasingly need policy for machine-delegated work, not just machine access. The market is moving from secrets and permissions toward delegated operational authority. That change affects NHI governance, PAM oversight, and cloud workflow design at the same time. Teams that do not separate these layers will end up certifying access without actually governing what the system is allowed to do with it.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Our research also found that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a deeper framework on governance, see OWASP Agentic AI Top 10, which maps the control gaps that appear when agents can act beyond intended scope.

What this signals

Agentic CNAPP will expose governance gaps faster than most identity programmes can absorb them. The near-term issue is not whether AI can summarise alerts, but whether the organisation can prove where recommendation ends and execution begins. As more remediation paths become machine-mediated, teams will need a control model that treats action rights as first-class identity privileges, not implementation details.

Context quality now determines operational trust. If identity, workload, and telemetry data do not reconcile cleanly, the agent’s reasoning will still look fluent while remaining operationally fragile. That is where a named concept emerges: identity context debt, the accumulated governance cost of letting security decisions depend on incomplete or inconsistent entity data. It matters because automation amplifies bad context instead of correcting it.

With 80% of current AI-agent deployments already showing rogue behaviour, per the AI Agents: The New Attack Surface report, the next programme question is not whether to use agents, but where to constrain them. Practitioners should prepare for policy that distinguishes summarisation, triage, and execution across the same platform.


For practitioners

  • Separate recommendation rights from execution rights: Define which AI agent outputs are advisory only and which can trigger tickets, suppress findings, or start remediation workflows. Map those permissions to distinct approval paths, and log every transition from analysis to action as a governed identity event.
  • Normalize cloud identity context before automation: Require cloud control plane data, IAM records, workload metadata, and telemetry to resolve to the same entity before any agent can make a triage decision. If the context is incomplete, keep the agent in recommendation mode and route the case for human review.
  • Audit the human-in-the-loop boundary: Document where human approval is mandatory, what evidence the approver receives, and which actions can be reversed after execution. A review step only counts as a control if the approver sees the agent’s reasoning and the downstream blast radius.
  • Treat AI assistants as governed actors: Classify AI assistants that summarize findings or create reports as part of the operational identity surface, then apply access logging, output review, and least-privilege constraints to their integrations with ticketing and chat systems.
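The controls described in the Technical breakdown (context that must resolve to one entity before triage, action permissions as a control surface separate from analytic access, and approval logging that records what the agent saw, what it concluded and who approved) and the practitioner steps above, combined into one small decision-partitioning gate. This is an added example written for this post, not code from Orca Security or its platform; the action verbs, the class and function names (AgentProposal, ActionGate, resolve_entity), the evidence record shape, and the sample assets and approver are assumptions constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Verbs an agent may invoke (hypothetical names), split by whether they change state.
ADVISORY = {"summarise", "recommend"}
STATE_CHANGING = {"create_ticket", "suppress_finding", "remediate"}

@dataclass
class AgentProposal:
    agent_id: str      # the agent's non-human identity
    action: str
    target_asset: str  # the asset the agent believes it is acting on
    reasoning: str     # explainability artifact the approver must be shown
    evidence: dict     # identity / workload / telemetry records the agent used

@dataclass
class GateDecision:
    mode: str          # "executed", "recommendation_only" or "denied"
    reason: str

def resolve_entity(evidence: dict) -> Optional[str]:
    """Asset id that identity, workload and telemetry all agree on, else None.
    Record shape (each source carries an 'asset_id') is constructed for this example."""
    ids = set()
    for source in ("identity", "workload", "telemetry"):
        record = evidence.get(source) or {}
        if "asset_id" not in record:
            return None                               # missing source: context incomplete
        ids.add(record["asset_id"])
    return ids.pop() if len(ids) == 1 else None       # disagreement: context incomplete

class ActionGate:
    """Separates advisory output from execution authority and logs every transition."""

    def __init__(self, execution_rights: set):
        self.execution_rights = execution_rights  # a grant distinct from analytic access
        self.audit_log = []                       # one governed identity event per proposal

    def evaluate(self, proposal: AgentProposal, approver: Optional[str] = None) -> GateDecision:
        if proposal.action in ADVISORY:
            decision = GateDecision("executed", "advisory output, no state change")
        elif proposal.action not in STATE_CHANGING:
            decision = GateDecision("denied", "unknown action verb")
        elif resolve_entity(proposal.evidence) != proposal.target_asset:
            # Context does not reconcile: stay in recommendation mode, route to a human.
            decision = GateDecision("recommendation_only", "context does not resolve to target asset")
        elif proposal.agent_id not in self.execution_rights:
            decision = GateDecision("denied", "agent lacks execution rights")
        elif approver is None:
            decision = GateDecision("recommendation_only", "state change awaits human approval")
        else:
            decision = GateDecision("executed", f"approved by {approver}")
        # Record what the agent saw, what it concluded and who approved, as one identity event.
        self.audit_log.append({
            "agent_id": proposal.agent_id, "action": proposal.action,
            "target_asset": proposal.target_asset, "approver": approver,
            "reasoning_sha256": hashlib.sha256(proposal.reasoning.encode()).hexdigest(),
            "evidence_sha256": hashlib.sha256(
                json.dumps(proposal.evidence, sort_keys=True).encode()).hexdigest(),
            "mode": decision.mode, "reason": decision.reason,
        })
        return decision

# Constructed sample records: one workload whose three sources agree, and a variant
# where telemetry points at a different asset.
CONSISTENT_EVIDENCE = {
    "identity": {"asset_id": "vm-0001", "role": "worker-role"},
    "workload": {"asset_id": "vm-0001", "image": "app:1.2"},
    "telemetry": {"asset_id": "vm-0001", "alert": "public-bucket-read"},
}
MISMATCHED_EVIDENCE = {**CONSISTENT_EVIDENCE, "telemetry": {"asset_id": "vm-0002"}}

def demo() -> list:
    """Run five proposals through one gate and return the resulting modes."""
    gate = ActionGate(execution_rights={"triage-agent"})
    suppress = AgentProposal("triage-agent", "suppress_finding", "vm-0001",
                             "duplicate of a finding already remediated", CONSISTENT_EVIDENCE)
    return [
        gate.evaluate(AgentProposal("triage-agent", "summarise", "vm-0001",
                                    "alert summary", CONSISTENT_EVIDENCE)).mode,
        gate.evaluate(suppress).mode,                              # no approver yet
        gate.evaluate(suppress, approver="analyst@example").mode,  # human approved
        gate.evaluate(AgentProposal("triage-agent", "suppress_finding", "vm-0001",
                                    "same reasoning", MISMATCHED_EVIDENCE)).mode,
        gate.evaluate(AgentProposal("report-assistant", "remediate", "vm-0001",
                                    "fix exposure", CONSISTENT_EVIDENCE),
                      approver="analyst@example").mode,            # no execution rights
    ]

if __name__ == "__main__":
    print(demo())  # ['executed', 'recommendation_only', 'executed', 'recommendation_only', 'denied']
```

The ordering of checks is the point: advisory output never needs approval, while a state-changing action has three independent preconditions (reconciled context, an execution grant held by that specific non-human identity, and a named human approver), and failing any one of them leaves the case in recommendation mode or denied rather than silently executed. The audit record hashes the reasoning and the evidence so that a later review can confirm what the approver actually saw, which is what makes the human-in-the-loop step control-bearing rather than ceremonial.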

Key takeaways

  • AI agents in CNAPP change the governance model because they can move from interpretation to execution inside security workflows.
  • The important risk is not just visibility gaps, but incomplete context that makes agent decisions look trustworthy when they are not fully grounded.
  • Practitioners should separate recommendation rights from action rights and require auditable human approval for any machine-triggered remediation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Agent reasoning and tool-initiated action raise agentic AI governance risks.
OWASP Non-Human Identity Top 10 | NHI-03 | AI agents act as non-human identities with privileged workflow access.
NIST CSF 2.0 | PR.AA-01 | Identity and access governance is central to machine-mediated security action.

Map agent permissions and action boundaries to OWASP Agentic AI controls before enabling execution.


Key terms

  • Agentic CNAPP: An agentic CNAPP uses AI to investigate, prioritise, and sometimes initiate security workflows across cloud-native environments. The governance issue is not the interface, but the degree of decision authority given to the system when it moves from analysis into action.
  • Unified data model: A unified data model is a normalised view that brings together cloud, identity, code, telemetry, and threat data so decisions can be made against one context layer. In agentic security, it is the foundation that determines whether AI output is evidence-based or merely fluent.
  • Human-in-the-loop: Human-in-the-loop means a person must validate or approve a machine recommendation before it becomes an operational change. In cloud security, this control matters most when AI agents can trigger remediation, because accountability must remain traceable even when the system is doing the work.

Deepen your knowledge

AI agents in CNAPP and delegated remediation workflows are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are defining control boundaries for machine-assisted security operations, it is a practical place to start.

This post draws on content published by Orca Security: AI agents for CNAPP and cloud-native applications. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org