By NHI Mgmt Group Editorial Team | Published 2026-04-15 | Domain: Breaches & Incidents | Source: Zenity

TL;DR: AI agents are already embedded across enterprise workflows, yet most security teams still lack visibility into decision chains, policy violations, and overprivileged access, according to Zenity and Gartner. Legacy controls built for static applications are not enough once agents can act, choose tools, and move across environments without human pacing.


At a glance

What this is: A vendor announcement about Gartner recognition that highlights the governance gap between legacy IAM controls and runtime AI agent behaviour.

Why it matters: IAM, PAM, and NHI programmes now have to govern agents that act in motion, not just identities that authenticate and wait for approval.



Context

AI agent governance is no longer a theoretical problem. The primary issue is that agentic systems can make decisions and invoke tools inside enterprise workflows faster than traditional identity controls can observe, certify, or revoke them, which creates a runtime governance gap for IAM, PAM, and NHI teams.

Zenity's announcement matters because it points to a broader shift in identity security. Once agents are operating across SaaS, cloud, and endpoint environments, static entitlement models and human-paced review cycles stop matching how access is actually used.

The practical question for security leaders is whether their current control model can see decision chains, enforce policy in motion, and preserve auditability when the subject is not a person and not a simple workload account.


Key questions

Q: How should security teams govern AI agents that can take action across multiple systems?

A: Security teams should govern AI agents with continuous discovery, runtime policy enforcement, and audit trails that capture tool use and data access. The key is to control behaviour while the agent is acting, not only to review entitlements after they are granted. Without that runtime layer, agents can accumulate risk faster than human-paced governance can respond.

Q: Why do AI agents create a governance gap for IAM and PAM programmes?

A: AI agents create a governance gap because they do not behave like static accounts or human users. They can chain decisions, change actions mid-session, and invoke tools across environments, which means traditional IAM and PAM controls may see the permission but miss the actual behaviour. Governance must therefore shift from access approval to execution oversight.

Q: What do security teams get wrong about AI agent access reviews?

A: Security teams often assume an access review can fully explain agent risk, but that only captures the starting entitlement. For AI agents, the important question is how privileges are used in motion, whether they exceed the approved purpose, and whether the agent's actions remain bounded by policy. Reviews without behavioural evidence can miss the real exposure.

Q: Who should be accountable when an AI agent exceeds its intended scope?

A: Accountability should sit with the business or technical owner who approved the agent's purpose, controls, and operating boundaries. Security, IAM, and platform teams all have roles, but the owner must be traceable when the agent's actions create risk. That accountability model is essential for audit, investigation, and corrective action.


Technical breakdown

Why legacy IAM controls fail for AI agent decision chains

Legacy IAM assumes an identity authenticates, requests access, and then operates within a predictable path. AI agents break that model when they can choose tools, branch into new actions, and continue executing without a human approval gate between each step. The result is not just more activity, but a different control problem: decision chains, not single sessions, become the unit of risk. Traditional entitlements, access reviews, and static policy checks see the grant, but not the changing intent or sequence of actions that follows.

Practical implication: security teams need controls that inspect agent behaviour during execution, not only at grant time.

Runtime enforcement for agentic AI security

Runtime enforcement means policy is evaluated while the agent is acting, not after the event. In agentic environments, that includes monitoring which tools are invoked, what data is touched, whether an action exceeds the original purpose, and whether the agent is chaining decisions into a wider workflow. This is materially different from post-hoc logging because the security question is whether the action should be allowed to continue in the moment. That is why visibility, guardrails, and prevention have to sit on the execution path.

Practical implication: teams should place policy checks where the agent executes, especially across SaaS, cloud, and endpoint surfaces.

Continuous discovery and auditability for autonomous agents

Continuous discovery is the control that answers where agents exist, which environments they touch, and what privileges they actually use. Auditability then connects those behaviours back to an accountable governance model. Without both, organisations cannot prove whether a policy violation was isolated or part of a wider pattern of overprivilege and uncontrolled delegation. For agentic AI, the identity problem is not just authentication. It is the combination of lifecycle visibility, behavioural monitoring, and traceable decision-making across the full session.

Practical implication: inventory AI agents continuously and retain evidence of access, actions, and policy decisions in one audit trail.
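
The runtime check and audit trail described in the two subsections above, as an added example that is not part of the original article or of any vendor product: a policy gate that decides each tool call before it runs and appends the verdict, with the accountable owner, to a hash-chained decision trail. The class names, fields, verdict strings, hash chaining and the sample agent are assumptions made for illustration.

```python
import hashlib, json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AgentPolicy:              # hypothetical record of what the owner approved
    agent_id: str
    owner: str
    tools: frozenset            # tools the agent may invoke
    data_scopes: frozenset      # data the approved purpose covers
    max_calls: int              # allowed tool calls per session

def _digest(entry):             # hash of an entry, excluding its own hash field
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class Session:
    policy: AgentPolicy
    trail: list = field(default_factory=list)    # decision chain, in order
    def authorize(self, tool, scope, reason):
        """Decide one tool call before it runs; record the outcome either way."""
        p = self.policy
        used = sum(e["verdict"] == "allow" for e in self.trail)
        checks = [(tool in p.tools, "deny:tool_not_approved"),
                  (scope in p.data_scopes, "deny:data_outside_purpose"),
                  (used < p.max_calls, "deny:chain_limit")]
        verdict = next((why for ok, why in checks if not ok), "allow")
        entry = {"seq": len(self.trail), "agent": p.agent_id, "owner": p.owner,
                 "tool": tool, "scope": scope, "reason": reason, "verdict": verdict,
                 "prev": self.trail[-1]["hash"] if self.trail else ""}
        entry["hash"] = _digest(entry)
        self.trail.append(entry)
        return verdict == "allow"

def trail_intact(trail):        # catches edited, reordered or mid-trail-removed entries
    prevs = [""] + [e["hash"] for e in trail[:-1]]
    return all(e["prev"] == p and e["hash"] == _digest(e) for e, p in zip(trail, prevs))

def constructed_session():      # constructed sample: a triage agent drifting out of purpose
    policy = AgentPolicy("triage-bot", "it-ops-owner",
                         frozenset({"ticket.read", "ticket.comment"}),
                         frozenset({"helpdesk"}), max_calls=2)
    s = Session(policy)
    calls = [("ticket.read", "helpdesk", "load ticket"),
             ("crm.export", "customers", "enrich ticket"),
             ("ticket.read", "hr-cases", "look up requester"),
             ("ticket.comment", "helpdesk", "reply"),
             ("ticket.read", "helpdesk", "next ticket")]
    return s, [s.authorize(*c) for c in calls]
```

Denied calls stay in the trail, so an investigator sees the attempted drift as well as the permitted actions. The hash chain does not detect removal of the most recent entries, which would need an external anchor such as periodic export of the latest hash.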



NHI Mgmt Group analysis

AI agent governance has crossed from access management into runtime control. The important shift is that agents are no longer just identities with credentials; they are decision-makers with execution paths. That changes the problem from provisioning and review to continuous behavioural control across tools, data, and environments. Practitioners should treat this as a new control plane requirement, not an extension of legacy IAM.

Static entitlement models do not describe what agents actually do. Human-driven workflows assume access is requested, approved, and used in a visible sequence. Agentic systems can chain decisions, reuse context, and move across tools without that pacing, which makes old governance assumptions incomplete. The implication is that security architecture must measure intent, action sequence, and policy drift together.

Decision-chain visibility is now a governance baseline for autonomous systems. Zenity's emphasis on monitoring agent behaviour across SaaS, cloud, and endpoint environments reflects a broader category shift: the control surface is no longer the account alone. What matters is whether organisations can trace how an agent reached a decision and which resources it touched. Practitioners should reframe auditability around execution traces, not just access logs.

Agentic AI security will converge with NHI governance, not replace it. AI agents still inherit the core NHI problem of non-human access sprawl, but they add runtime decision-making on top. That makes the governance stack more complex, not less: identity lifecycle, least privilege, and monitoring remain necessary, but they are no longer sufficient on their own. Security teams should expect NHI, IAM, and AI governance to merge into one operating model.

Continuous control is the named concept this market now requires. Continuous control means identity governance that follows the agent through discovery, decision, execution, and audit, instead of stopping at authentication or provisioning. That concept captures the operational reality that agents can create and consume risk in motion. Practitioners should design for behavioural governance, not policy snapshots.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a broader control model, see the OWASP Agentic Applications Top 10 for the most common agentic risk patterns.

What this signals

Continuous control will become the default expectation for agentic programmes. Once AI agents can act across SaaS, cloud, and endpoint environments, governance teams will need execution-time checks, not annual or quarterly reviews. The operational pressure is toward always-on evidence of what the agent touched, which tools it invoked, and whether its behaviour stayed inside policy.

The programmes that will struggle most are the ones still treating AI agents like enhanced service accounts. That framing misses the behavioural difference and leaves ownership, monitoring, and containment too loosely defined for real-world agent sprawl.

With 17% of organisations already deployed and 42% planning deployment in the next 12 months, the control gap is widening faster than most IAM roadmaps can absorb, according to the AI Agents: The New Attack Surface report.


For practitioners

  • Map every AI agent to an accountable owner: Require a named business or technical owner for each agent, including approved tools, data sources, and escalation paths. Ownership should be visible in your IAM or IGA records so governance does not end at the model or platform layer.
  • Add runtime policy checks at execution points: Place controls where agents act across SaaS, cloud, and endpoint environments so policy can block or constrain unsafe actions in motion. This is the practical difference between logging behaviour and governing it.
  • Treat decision chains as audit evidence: Retain the sequence of prompts, tool calls, data access events, and policy outcomes so investigators can reconstruct what the agent did and why. That evidence is what closes the gap between access granted and action taken.
  • Review overprivilege across connected environments: Look for agents that can move from one platform to another with broader access than their use case requires. Use continuous discovery to identify where privilege accumulates across connectors and shared credentials.

Key takeaways

  • AI agents turn identity governance into a runtime control problem because their risk emerges from decisions, tool use, and action sequencing, not just from authentication.
  • The evidence base shows a mismatch between ambition and control, with adoption rising while policy and audit coverage still lag behind.
  • Security teams should move toward continuous discovery, execution-time policy checks, and traceable decision chains if they want agent governance to be defensible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent tool use and runtime behaviour are the central governance risk in this article. |
| NIST AI RMF | | AI governance and oversight are required when agents make runtime decisions. |
| NIST CSF 2.0 | PR.AC-4 | Access governance must reflect non-human decision-making across environments. |

Map agent controls to OWASP agentic risks and enforce policy on tool invocation and session behaviour.


Key terms

  • Agentic AI security: The discipline of governing AI systems that can choose actions, call tools, and continue execution without a person approving each step. It extends identity security into runtime behaviour, because the main risk is not only who the agent is, but what it can decide to do in motion.
  • Decision chain: The sequence of choices, tool calls, and follow-on actions an AI agent makes during a session. Unlike a simple request and response, a decision chain can branch, reuse context, and expand impact across systems, so security teams need to monitor the chain as the unit of governance.
  • Runtime enforcement: A control approach that evaluates policy while an identity is acting, not only when access is granted. For AI agents, runtime enforcement is essential because behaviour can change mid-session, making post-hoc review too late to prevent misuse or policy drift.
  • Continuous discovery: The ongoing process of finding identities, agents, and connections as they appear across environments. In agentic programmes, continuous discovery is what prevents blind spots, because unmanaged agents can emerge quickly across SaaS, cloud, and endpoint surfaces.


This post draws on content published by Zenity: Zenity named in two categories in the 2026 Gartner Hype Cycle for Agentic AI.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org