TL;DR: Fortinet’s FortiAI 8.0 underscores that AI security is now a board-level infrastructure issue, but the article argues perimeter visibility still stops short of runtime authorization for agents, according to EnforceAuth. The real failure is assuming authentication and traffic inspection can govern autonomous, always-on identities after the session starts.
At a glance
What this is: This is an opinion-led analysis of FortiAI 8.0 that finds perimeter visibility is not enough to govern AI agents once they are inside the environment.
Why it matters: It matters because IAM, PAM, NHI, and autonomous governance teams need to separate authentication, visibility, and enforcement if they want to control agent behaviour in production.
By the numbers:
- Machine identities outnumber human identities 45 to 1 in the average enterprise.
- 86% of CISOs say they don't enforce access policies for AI-specific identities.
👉 Read EnforceAuth's analysis of AI security beyond the perimeter
Context
AI agent security is no longer just a network boundary problem. The central governance gap is that an identity can authenticate, pass inspection, and still have no meaningful control framework for what it may do once it is inside the environment, especially when the subject is a non-human identity acting at machine speed.
That matters for NHI programmes because perimeter controls answer visibility questions, while IAM and authorization answer action questions. If teams treat those as the same layer, they end up with a logged agent and an ungoverned agent at the same time.
The article uses FortiAI 8.0 as the trigger, but the underlying issue is broader: enterprises are building more AI and agentic workflows than their runtime authorization models were designed to handle. That is a typical starting point for the market, not an edge case.
Key questions
Q: How should security teams govern AI agents after authentication?
A: They should govern AI agents with runtime authorization, not just login-time authentication. The key is to evaluate each action against current policy, resource sensitivity, and context. If an agent can authenticate once and act for hours, the control must decide whether each call is allowed, not merely whether the identity is real. Use the policy engine, not the perimeter, as the enforcement point.
Q: Why do perimeter controls fall short for AI agent security?
A: Perimeter controls fall short because they can observe traffic and still leave action-level decisions ungoverned. An agent can be visible, inspected, and logged while still having overly broad privileges inside the environment. For AI and NHI programmes, the missing layer is continuous authorization that can approve or deny each operation as context changes.
Q: What do teams get wrong about AI safety and AI security?
A: They often treat safety controls like content filters and guardrails as if they were security controls. Safety reduces harmful output, but it does not determine who can access which data, APIs, or systems. A polite agent can still be an unauthorized one, so governance must separate behaviour filtering from runtime access enforcement.
Q: How do organisations know if their AI authorization model is working?
A: They know it is working when every sensitive agent action is logged, policy-checked, and reversible through a clear audit trail. If teams can only reconstruct what happened after the fact, the model is too weak. The signal to watch is whether the system can deny a specific action in the moment, not just report on it later.
Technical breakdown
Authorization gap: why visibility is not enforcement
The authorization gap is the space between knowing an identity exists and controlling what it can do. Visibility tools can identify shadow AI, agent-to-agent traffic, and suspicious data movement, but they do not decide whether a specific action is allowed at that moment. In NHI terms, the difference is between observing a credential in use and enforcing policy on every call that credential makes. Once AI agents are running continuously, action-level authorization becomes the control that determines blast radius, not perimeter inspection.
Practical implication: separate detection from enforcement in your control design, and treat runtime authorization as a distinct layer for AI identities.
Policy-as-code for AI workloads and NHI control
Policy-as-code turns authorization into versioned logic instead of manual administration. That matters because AI workloads change quickly, often with new tools, datasets, and delegated permissions introduced outside normal review cycles. For NHIs, this is the difference between a spreadsheet of agent permissions and a testable control surface that can evaluate context, resource type, and current policy before each action. The article’s framing aligns with the operational reality that static RBAC snapshots age out quickly in agentic environments.
Practical implication: move AI and NHI authorization rules into code so changes can be reviewed, tested, and deployed with the workload.
Continuous identity verification for autonomous and always-on agents
Continuous identity verification is not the same as login-time authentication. A human session and an agent session behave differently because a person pauses, leaves, and re-authenticates, while an agent can chain thousands of actions under one credential. That changes the control objective from proving who entered to proving what each action may do over time. This is why the article rejects perimeter-only thinking: once the identity is already inside, the real issue is session-long governance, not entry-point control.
Practical implication: design controls that re-evaluate agent actions during execution, not just at session start.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Perimeter intelligence does not solve authorization for AI agents. The article validates a pattern we see repeatedly across NHI programmes: teams can observe an identity, classify its traffic, and still have no control over whether each action should be allowed. That is not a visibility failure. It is an assumption failure in which monitoring is mistaken for governance. Practitioners should treat AI agent security as an enforcement problem, not a telemetry problem.
Authorization that exists only at login was designed for human-paced sessions. That assumption fails when the actor is autonomous or agentic because it can continue making decisions after the initial grant, with no stable pause point for review. The implication is not just that policies need to be tighter. The underlying model of reviewable, durable access no longer matches the behaviour of the actor.
Authorization Gap: the control plane between authentication and action is now the primary NHI failure mode. The article names the right problem even if the market often describes it too loosely. This gap appears when organisations have authentication, perimeter inspection, and content guardrails but no runtime decision layer for what a non-human identity may do next. Practitioners should recognise this as a governance boundary, not a product category.
AI workload governance is converging with NHI governance, not replacing it. The same structural issue shows up across applications, data, infrastructure, and AI workloads: a credential or identity can be valid without being properly scoped for its current context. That is why the market is moving toward policy enforcement that spans multiple layers. Teams should expect their NHI and AI governance work to converge on the same operational controls.
Static access models are losing relevance faster than teams can recertify them. The pace of agentic execution makes periodic reviews a weak control when privileges can shift mid-session. That does not mean recertification disappears, but it does mean the control must be complemented by runtime enforcement if the programme is to remain credible. Practitioners should assume the old review cadence is no longer sufficient for always-on identities.
From our research:
- Machine identities outnumber human identities 45 to 1 in the average enterprise, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- That confidence gap is a useful forward indicator for teams planning runtime authorization and lifecycle governance across agentic and non-agentic identities.
What this signals
Authorization Gap: the industry is moving from identity visibility toward decision enforcement, and programmes that stop at detection will be outpaced by agentic workflows. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, the control problem is already broader than most IAM roadmaps assume.
The next programme risk is governance drift between human IAM, NHI, and autonomous systems. Security teams that centralize policy, logging, and review across these actor types will be better positioned to prove whether an action was allowed, not just whether an identity existed. For a deeper baseline on the identity side of that problem, see Ultimate Guide to NHIs , Key Challenges and Risks.
For practitioners
- Separate visibility from enforcement Map which controls only detect AI or NHI behaviour and which controls can actually deny a specific action in real time. Do not count shadow AI discovery, traffic inspection, or DLP as authorization coverage unless the policy engine can block the action itself.
- Define action-level policy for AI identities Move beyond coarse entitlements and write policies for specific resources, tools, and data classes. The policy should evaluate current context, not only identity, so an agent authorized earlier is not automatically authorized later in the same session.
- Build runtime checks into AI and NHI workflows Require every high-risk agent action to pass a runtime decision point that can be logged and audited. Use this to close the gap between authentication at entry and governance at execution.
- Review shared permission stores for agent sprawl Inventory where agent permissions are kept in spreadsheets, tickets, or ad hoc configuration files, then consolidate those rules into versioned policy. This reduces drift and makes revocation and change control testable.
Key takeaways
- AI agent governance fails when teams mistake visibility for enforcement, because seeing an identity is not the same as controlling its actions.
- The scale of the NHI problem is already structural, with machine identities far outnumbering human identities and confidence in NHI security remaining low.
- The practical response is runtime authorization, policy-as-code, and continuous decisioning across AI workloads, infrastructure, applications, and data.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Runtime authorization and credential scope are central to the article's gap analysis. |
| NIST CSF 2.0 | PR.AC-4 | The article focuses on access enforcement, not just authentication or visibility. |
| NIST Zero Trust (SP 800-207) | PR.AC | The piece argues for continuous verification after initial login and traffic inspection. |
Treat AI agent and service-account access as time-bound, action-scoped entitlements and review them continuously.
Key terms
- Authorization Gap: The Authorization Gap is the space between confirming an identity and controlling what that identity may do. In AI and NHI programmes, it appears when authentication, traffic inspection, and content guardrails exist but no runtime policy decides whether each action is allowed.
- Runtime Authorization: Runtime authorization is the practice of evaluating each action against current policy at the moment it occurs. For non-human and autonomous identities, it is the control that limits blast radius when access changes faster than periodic reviews can keep up.
- Policy-as-Code: Policy-as-code means writing access rules in a versioned, testable format and deploying them like software. In NHI governance, it reduces drift by making permissions auditable, reviewable, and consistent across applications, infrastructure, and data workflows.
- Shadow AI: Shadow AI is the use of AI agents or systems that security teams have not discovered, approved, or governed. It creates blind spots because the identity exists operationally, but the organisation lacks complete visibility into its permissions, data access, and decision paths.
Deepen your knowledge
AI agent authorization and runtime enforcement are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for always-on identities and agentic workflows, it is worth exploring.
This post draws on content published by EnforceAuth: AI security beyond the perimeter and the Authorization Gap. Read the original.
Published by the NHIMG editorial team on 2026-03-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
