By NHI Mgmt Group Editorial Team | Published 2025-08-26 | Domain: Agentic AI & NHIs | Source: 1Password

TL;DR: Governance is lagging while AI adoption accelerates, according to 1Password’s Black Hat panel summary, with panelists arguing that zero trust, least privilege, just-in-time access, and revocability must be extended to AI agents and shadow AI environments. The central issue is not AI hype but the collapse of human-bound identity assumptions that existing controls were built around.


At a glance

What this is: 1Password’s summary of a Black Hat panel on AI agent governance, with the key finding that enterprise identity controls must be extended beyond human users to unmanaged AI agents and shadow AI.

Why it matters: IAM, PAM, IGA, and NHI programmes now have to govern decision-making software whose access patterns can change faster than traditional review and approval cycles.



Context

AI agent governance is the question of how security teams control software that can select actions, use tools, and act at runtime inside enterprise environments. The problem is that many identity controls still assume the subject is human, so the policy, review, and revocation model breaks down when the actor is an AI agent or shadow AI.

1Password’s panel discussion frames this as a governance gap, not a tooling gap. The article argues that organisations need zero trust principles, least privilege, just-in-time access, and revocability applied to AI agents in the same way they would to other non-human identities, but with tighter visibility and faster response paths.

The article’s broader point is that AI adoption is moving faster than most security programmes can absorb. That makes inventory, enforcement, and operational decision rights the real control plane for AI identity rather than a side project attached to innovation teams.


Key questions

Q: How should security teams govern AI agents that access enterprise data and tools?

A: Security teams should govern AI agents as non-human identities with explicit ownership, scoped entitlements, continuous monitoring, and rapid revocation paths. The goal is to bind each agent to a business task and remove the assumption that its access can be managed like a human account. If the entitlement cannot be explained, reviewed, or revoked quickly, it is too broad.

Q: Why do AI agents create more identity governance risk than traditional automation?

A: AI agents create more risk because they can choose actions at runtime and may move across tools and data sources faster than human approval cycles can keep up. Traditional automation follows a predefined script, but an agent can vary its path within the allowed environment. That makes ownership, scope, and revocation central controls, not optional extras.

Q: How can organisations tell whether AI governance is actually working?

A: Look for complete inventory, clear ownership, scoped permissions, and evidence that unauthorised AI use can be detected and revoked promptly. If teams cannot say which agents exist, who approves them, and how access is removed, governance is not working. The most reliable signal is whether security can act before the agent’s access becomes operationally sticky.

Q: What should IAM and PAM teams do differently for AI agents than for human users?

A: They should move from human-centric authentication assumptions to task-based authorisation, workload identity, and revocation-first controls. AI agents do not need a user experience, but they do need tightly bounded access, monitoring, and ownership. IAM and PAM teams should design for faster change, shorter access windows, and more frequent reassessment of what the agent can do.


Technical breakdown

Zero trust for AI agents and non-human identities

Zero trust is still the right model, but its mechanics change when the identity is a software actor rather than a person. Human-centric signals such as biometrics, device posture, and physical presence do not map cleanly to an AI agent that can trigger actions continuously and across multiple systems. For AI agents, the access decision has to bind to workload identity, scoped permissions, and revocation. That shifts control from static authentication to continuous authorisation of non-human behaviour. Practical implication: extend zero trust policies to AI agents, not just human endpoints.


Shadow AI and unmanaged agent inventory

Shadow AI is the discovery problem behind the governance problem. If security teams cannot see which AI tools and agents exist, they cannot assign ownership, define access boundaries, or enforce revocation when use becomes unsafe. The article’s concern is not merely unsanctioned tooling, but unmanaged identity sprawl that sits outside established IAM and governance workflows. That makes inventory a prerequisite for policy enforcement. Practical implication: build a complete inventory of AI tools and agents before attempting policy enforcement.


Least privilege and revocability for agent access

Least privilege means very little if access is provisioned too broadly, cannot be revoked quickly, or persists after the task changes. For AI agents, privileges must be task-scoped, time-bound, and tied to clear ownership because the system can operate faster than human review loops. The governance challenge is not simply over-permissioning, but the mismatch between agent speed and traditional approval structures. Practical implication: make every AI agent entitlement revocable and narrowly scoped to a specific business task.
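
A minimal sketch of the task-scoped, time-bound, revocable entitlement described above, added here as an illustration; it is not code from 1Password or the panel. The names `Grant` and `GrantRegistry` and the sample agent, owner and resource identifiers are hypothetical, and an agent with no registered grant (the shadow AI case) is denied by default.

```python
from dataclasses import dataclass
import time

@dataclass
class Grant:
    agent_id: str        # workload identity of the agent (constructed value)
    owner: str           # accountable business owner
    task: str            # business task the entitlement is bound to
    scopes: frozenset    # allowed (resource, action) pairs
    expires_at: float    # time-bound: epoch seconds
    revoked: bool = False

class GrantRegistry:
    def __init__(self, clock=time.time):
        self._grants = {}
        self._clock = clock  # injectable so expiry can be exercised in tests

    def issue(self, agent_id, owner, task, scopes, ttl_seconds):
        if not owner or not task:
            raise ValueError("every grant needs an owner and a task")
        grant = Grant(agent_id, owner, task, frozenset(scopes), self._clock() + ttl_seconds)
        self._grants[(agent_id, task)] = grant
        return grant

    def revoke(self, agent_id, task):
        grant = self._grants.get((agent_id, task))
        if grant:
            grant.revoked = True

    def authorize(self, agent_id, task, resource, action):
        """Checked on every request, so revocation and expiry apply at once."""
        grant = self._grants.get((agent_id, task))
        if grant is None:
            return (False, "no grant")  # unregistered agent or task
        if grant.revoked:
            return (False, "revoked")
        if self._clock() >= grant.expires_at:
            return (False, "expired")
        if (resource, action) not in grant.scopes:
            return (False, "out of scope")
        return (True, "ok")

if __name__ == "__main__":
    reg = GrantRegistry()
    reg.issue("agent-invoice-bot", "finance-ops", "reconcile", {("erp:invoices", "read")}, 900)
    print(reg.authorize("agent-invoice-bot", "reconcile", "erp:invoices", "write"))
    reg.revoke("agent-invoice-bot", "reconcile")
    print(reg.authorize("agent-invoice-bot", "reconcile", "erp:invoices", "read"))
```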



NHI Mgmt Group analysis

Zero trust was designed for bounded identity subjects, and that assumption weakens when the actor is an AI agent. The panel’s core message is that validation, minimisation, and continuous verification still matter, but the old human-bound signals do not reliably represent agent behaviour. Once the subject can act at runtime across tools and services, identity governance has to treat the access pattern itself as dynamic. The implication is that human-era access models are no longer the default control template for non-human decision-makers.

Shadow AI is not only an inventory problem, it is a governance failure mode. The article shows that organisations can have policy language and still lack visibility into 26% to 50% of deployed AI tools and agents. That gap means ownership, enforcement, and escalation paths are undefined when an agent crosses scope. This is exactly where NHI governance stops being theoretical and becomes operationally consequential. Practitioners should treat unmanaged agent discovery as a control prerequisite, not an afterthought.

Ephemeral agent privilege is the emerging identity blast radius. When AI agents can act quickly, broadly, and with poorly bounded scope, the security issue is not just access volume but the speed at which a mis-scoped entitlement can compound impact. That matters for IAM, PAM, and NHI programmes because revocation latency becomes a material risk variable. The field needs to think less about isolated permissions and more about how quickly a bad agent decision can propagate across systems.

AI governance will converge with identity governance, not sit beside it. The article points toward federated identity, agent-to-agent security standards, and digital wallet concepts because identity is becoming the enforcement layer for AI operations. That does not mean human controls disappear. It means the same governance discipline has to span humans, workloads, and AI agents without assuming they behave the same way. Practitioners should plan for identity governance to become the control plane for AI adoption.

Usability now determines whether AI governance is bypassed or adopted. The panel’s warning that people will circumvent controls if they are too hard to use is not a soft observation, it is a governance reality. If the approved path is slower or more complex than the shadow path, the shadow path wins. That makes secure-by-design access workflows part of identity risk management, not just a UX concern. Security teams should expect governance to fail wherever it is operationally awkward.

From our research:

  • While 71% of IT teams have been advised on AI agent data access, only 47% of compliance teams, 39% of legal teams, and 34% of executives have the same visibility, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For the broader control model behind this problem, see OWASP Agentic AI Top 10 for the most common agentic application risk patterns.

What this signals

AI governance is becoming an identity operations problem, not just an AI policy problem. If 80% of organisations are already seeing agents act beyond intended scope, then the question for practitioners is whether identity controls can be enforced at the same speed as agent execution. The practical test is whether your team can discover, constrain, and revoke AI access before a mis-scoped agent becomes normalised.

Shadow AI will expose the gap between stated policy and operational reality. The 56% figure for unmanaged AI tools and agents suggests that many programmes still rely on policy documents without a usable control path. Practitioners should expect the next wave of governance work to focus on discovery, ownership, and delegated approval rather than abstract principle.

The strongest near-term move is to anchor AI agent governance in the same operational discipline used for high-risk non-human identities. That means tying policy to inventory, revocation, and exception handling, then using Top 10 NHI Issues and Ultimate Guide to NHIs, Key Challenges and Risks to align programme priorities.


For practitioners

  • Inventory all AI tools and agents: Create a complete register of sanctioned and unsanctioned AI systems, then assign business ownership and access responsibility before allowing production use. Without a verified inventory, governance rules cannot be enforced consistently across the estate.
  • Bind AI access to task-scoped entitlements: Issue permissions for a specific purpose, system, and duration, then revoke them when the task ends or the agent changes context. This reduces the chance that broad standing access becomes the default operating model.
  • Extend revocation paths to shadow AI: Make sure security teams can disable unauthorised AI use quickly, even when the request originated from a senior executive or a business team under pressure. Cut-off authority needs to be operational, not merely policy based.
  • Test governance with tabletop scenarios: Run exercises that include unsanctioned AI use, delegated access, and agent misuse so teams can rehearse who detects it, who decides, and who revokes access. Use the results to close response gaps before live incidents do.

Key takeaways

  • AI agents are now an identity governance problem because they can act at runtime beyond the control model built for human users.
  • Visibility is still the biggest gap, with large numbers of organisations unable to see or audit the AI tools and agents already in use.
  • The practical response is task-scoped access, rapid revocation, and ownership that makes shadow AI easier to detect and harder to normalise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | AG-04 | AI agents can misuse tools and exceed intended scope, matching agentic control risk.
OWASP Non-Human Identity Top 10 | NHI-03 | Agent identities need least privilege, revocation, and lifecycle control.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification and least privilege align directly with AI agent access control.

Bind agent actions to approved scopes and revoke access when behaviour drifts beyond task intent.


Key terms

  • Shadow AI: Shadow AI is AI tooling or agents operating without security’s knowledge, approval, or control. In practice, it creates unmanaged identity and data exposure because access, ownership, and revocation are not tied to a governed lifecycle.
  • AI Agent: An AI agent is software that can decide what action to take, select tools, and execute tasks without a human choosing each step in real time. For identity teams, that means the subject of access control is behavioural and task-driven, not a person.
  • Zero Trust Architecture: Zero Trust Architecture assumes no actor is trusted by default and every access request must be verified. For AI agents, the model must extend beyond human logins to workload identity, task scope, continuous validation, and fast revocation.
  • Non-Human Identity: A Non-Human Identity is any machine or software identity used to authenticate and access systems, including service accounts, API keys, tokens, certificates, bots, workloads, and AI agents. These identities need ownership, lifecycle control, and least privilege just like human accounts, but with different operational handling.


This post draws on content published by 1Password: AI panel insights on weaponized autonomy and enterprise threat vectors. Read the original.
