By NHI Mgmt Group Editorial Team
Published 2025-08-22
Domain: Governance & Risk
Source: 1Password

TL;DR: At Black Hat and Hacker Summer Camp, CISOs reportedly focused on nation-state threats, AI agents, and the growing problem of sensitive data leakage through private apps, according to 1Password. Policies are not the constraint here; real enforcement and control are, especially as agentic use cases expand.


At a glance

What this is: A conference reflection on why CISOs are more worried about AI agents, sensitive data leakage, and resilience gaps.

Why it matters: It matters because identity teams now have to govern human, NHI, and emerging agentic access patterns at the same time, while leadership appetite for actual enforcement remains uneven.

👉 Read 1Password's perspective on AI agents, resilience, and CISO concerns


Context

The core governance problem is not that AI is new. It is that organisations are still trying to apply policy language to data and access behaviours that move faster than review cycles, especially when users reach for private apps and tightly scoped agents outside standard controls.

In identity programmes, that means the practical question is no longer whether teams can write rules. It is whether they can enforce boundaries around human access, NHI exposure, and agentic workflows before sensitive information leaves governed systems.


Key questions

Q: How should security teams govern AI agents that touch sensitive business data?

A: Treat them as delegated access paths, not as harmless productivity features. Restrict tool reach, require clear approval for sensitive actions, log every privileged step, and make revocation possible without waiting for a human to notice misuse. If the agent can reach confidential data, it belongs under identity governance, not only AI policy.

Q: Why do private apps and shadow AI create an identity risk?

A: Because they bypass the approved control plane. Once users move data into tools the organisation cannot inventory, authenticate, or revoke, IAM and IGA lose visibility into who accessed what and whether that access can still be removed. The risk is not just leakage, but the loss of enforceable identity context.

Q: When do agentic workflows become a governance problem instead of a convenience?

A: They become a governance problem when the workflow can reach sensitive systems or data without a human review gate and without a clear revocation path. At that point, the organisation has delegated access without full accountability, which means the access model is operating faster than its review process.

Q: Who is accountable when an AI-assisted workflow leaks sensitive data?

A: Accountability sits with the organisation that allowed the workflow to operate outside governed controls. Security, IAM, and business owners all share responsibility for ensuring approval, logging, and lifecycle management exist before data moves through the path. If no one can block or revoke it, no one is governing it.


Technical breakdown

Why private app use creates an identity governance blind spot

Shadow adoption of private tools becomes an identity problem when users move sensitive data into systems that are outside approved authentication, logging, and lifecycle controls. The issue is not just application sprawl. It is that the organisation loses visibility into who accessed what, under which identity, and whether that access can be reviewed or revoked later. Once data enters an unmanaged channel, IAM and IGA controls no longer have a reliable enforcement point. For security teams, the architectural concern is loss of control plane visibility, not only data loss.

Practical implication: Map private app exposure to unmanaged identity paths and treat it as a governance gap, not only a data handling issue.

Why agentic use cases need tighter runtime boundaries

An AI agent is not automatically autonomous, but even tightly scoped agents can widen the attack surface if they can reach sensitive data or tools without clear runtime guardrails. In practice, the risk is permission creep through delegated workflows, where a task-scoped action becomes an indirect route to broader systems. That makes the surrounding identity model more important than the model itself: authentication, scoped authorisation, and revocation have to remain explicit across the chain. Without that, the enterprise is relying on user discipline instead of enforceable controls.

Practical implication: Constrain agent permissions to narrow, reviewable workflows and keep human approval gates for any access to sensitive systems.

Policies do not reduce blast radius without enforcement

The article’s central warning is that policy statements do not stop leakage if leaders will not back them with controls. That is true across human identity, NHI credentials, and AI-mediated access. The organisation may know the rules, but if the controls are optional, the blast radius keeps expanding. In mature identity programmes, the control plane has to decide, log, and block in real time, not simply document the intended behaviour after the fact.

Practical implication: Prioritise enforceable controls, logging, and revocation paths over awareness campaigns and policy-only governance.
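The three sections above keep returning to the same mechanism: scoped authorisation that narrows down the delegation chain, a human approval gate in front of sensitive actions, a log entry for every decision, and revocation that actually stops the next call. The block below is an added example written for this page, not code from 1Password or from NHI Mgmt Group: a minimal reference monitor that sits between an agent and its tools and enforces those properties at decision time. The tool names, scopes, grant identifiers and the "sensitive" labels are hypothetical, and the scenario in demo() is constructed; it also exercises the block/log/revoke checks the "For practitioners" list asks teams to test.

```python
"""Minimal reference monitor for AI agent tool calls (added illustrative code).

Enforces rather than documents: scoped authorisation that can only be narrowed
down a delegation chain, a single-use human approval gate for sensitive calls,
an audit record for every decision, and revocation anywhere in the chain that
takes effect on the next call. Tool names, scopes and labels are hypothetical.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Hypothetical tool registry: the scope each tool requires and whether it is
# "sensitive" (reads confidential data or produces a side effect).
TOOLS = {
    "search_docs":   {"scope": "docs:read", "sensitive": False},
    "read_customer": {"scope": "crm:read",  "sensitive": True},
    "send_email":    {"scope": "mail:send", "sensitive": True},
}


@dataclass
class Grant:
    grant_id: str
    principal: str                # human or NHI the agent acts on behalf of
    scopes: frozenset
    expires_at: float             # epoch seconds
    parent: Optional[str] = None  # grant this one was delegated from
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def _call_key(grant_id: str, tool: str, args: dict) -> str:
    """Stable identifier for one concrete call; approvals are bound to it."""
    canon = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{grant_id}|{tool}|{canon}".encode()).hexdigest()


class AgentGate:
    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}
        self.approvals: set[str] = set()   # outstanding single-use approvals
        self.audit: list[dict] = []

    def delegate(self, grant_id: str, principal: str, scopes: Iterable[str],
                 expires_at: float, parent: Optional[str] = None) -> Grant:
        scopes = frozenset(scopes)
        if parent is not None:
            p = self.grants[parent]
            scopes &= p.scopes                        # attenuate: never widen
            expires_at = min(expires_at, p.expires_at)
        g = Grant(grant_id, principal, scopes, expires_at, parent)
        self.grants[grant_id] = g
        return g

    def revoke(self, grant_id: str) -> None:
        self.grants[grant_id].revoked = True
        self.audit.append({"event": "revoke", "grant": grant_id})

    def approve(self, approver: str, grant_id: str, tool: str, args: dict) -> str:
        """A human approves exactly this call; the approval is consumed once."""
        key = _call_key(grant_id, tool, args)
        self.approvals.add(key)
        self.audit.append({"event": "approve", "by": approver,
                           "grant": grant_id, "tool": tool, "call": key})
        return key

    def _chain(self, g: Grant) -> Iterator[Grant]:
        while g is not None:
            yield g
            g = self.grants.get(g.parent) if g.parent else None

    def authorize(self, grant_id: str, tool: str, args: dict, now: float) -> Decision:
        """Decide one tool call and append the decision to the audit log."""
        g = self.grants.get(grant_id)

        def record(allowed: bool, reason: str) -> Decision:
            self.audit.append({"event": "authorize", "ts": now, "grant": grant_id,
                               "principal": g.principal if g else None, "tool": tool,
                               "call": _call_key(grant_id, tool, args),
                               "allowed": allowed, "reason": reason})
            return Decision(allowed, reason)

        if g is None:
            return record(False, "unknown grant")
        # Walk the delegation chain: a revoked or expired ancestor cuts off
        # everything delegated beneath it, with no cascade bookkeeping.
        for link in self._chain(g):
            if link.revoked:
                return record(False, f"revoked via {link.grant_id}")
            if now >= link.expires_at:
                return record(False, f"expired via {link.grant_id}")
        spec = TOOLS.get(tool)
        if spec is None:
            return record(False, "unregistered tool")
        if spec["scope"] not in g.scopes:
            return record(False, f"missing scope {spec['scope']}")
        if spec["sensitive"]:
            key = _call_key(grant_id, tool, args)
            if key not in self.approvals:
                return record(False, "human approval required")
            self.approvals.discard(key)               # single use, no replay
            return record(True, "approved sensitive call")
        return record(True, "in scope")


def demo() -> list:
    """Constructed scenario: employee -> assistant agent -> task-scoped sub-agent."""
    gate = AgentGate()
    gate.delegate("u-alice", "alice", {"docs:read", "crm:read", "mail:send"}, 2000)
    gate.delegate("agent-1", "alice", {"docs:read", "crm:read"}, 3000, parent="u-alice")
    gate.delegate("sub-1", "alice", {"crm:read", "mail:send"}, 3000, parent="agent-1")
    out = [gate.authorize("agent-1", "search_docs", {"q": "renewal terms"}, 1000),  # allowed
           gate.authorize("sub-1", "send_email", {"to": "x"}, 1000),      # scope attenuated away
           gate.authorize("sub-1", "read_customer", {"id": 42}, 1000)]    # needs approval
    gate.approve("alice", "sub-1", "read_customer", {"id": 42})
    out.append(gate.authorize("sub-1", "read_customer", {"id": 42}, 1000))  # allowed once
    out.append(gate.authorize("sub-1", "read_customer", {"id": 42}, 1000))  # approval consumed
    gate.revoke("u-alice")                                                   # revoke at the root
    out.append(gate.authorize("sub-1", "read_customer", {"id": 42}, 1000))  # cut off downstream
    return out


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Two design points carry the weight. Revocation is checked by walking up the chain at decision time, so revoking the employee's root grant silences every agent beneath it on their very next call without any cascade bookkeeping; and an approval is bound to the hash of one concrete call and consumed on first use, so a sub-agent cannot turn one human "yes" into a standing entitlement. A production gate would persist the grants and audit log and bind grants to verified tokens rather than bare strings, but the decision logic is the part the text says most programmes are missing.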


NHI Mgmt Group analysis

AI agent governance is now being shaped by the same control gap that has long defined NHI sprawl. The article shows CISOs worrying about private app use, sensitive data leakage, and tightly scoped agents at the same time. That combination matters because the identity boundary is no longer a single login or token. Practitioners need to treat delegated AI access as part of the broader identity attack surface, not a separate novelty category.

Policies are cheap; enforceable identity controls are the real decision point. The source makes the enforcement gap explicit: leaders may tolerate use of unapproved tools even when they know sensitive data is flowing into them. That is an identity governance failure because the programme can describe acceptable behaviour without being able to compel it. The implication is that governance maturity should be measured by control execution, not policy volume.

Shadow AI and unmanaged private tooling create a monitoring problem that IAM alone cannot solve. Once sensitive data leaves approved systems, access certification and retention controls lose context. That is why the discipline has to connect IAM, DLP, and lifecycle governance rather than treating them as separate workstreams. Practitioners should assume that unmanaged AI use is already part of their identity perimeter.

Agentic use cases raise the same question as NHI sprawl: who can act, when, and with what revocation path? Even when agents are highly constrained, they still introduce delegated access paths that must be inventoried, governed, and retired. This is where identity programmes either extend lifecycle discipline across new actor types or fall behind the behaviour they are supposed to control. Teams should re-evaluate whether their access model can actually follow the delegation chain.

Anti-fragility in security only works if identity governance can absorb disruption without losing control. The summit theme reflects a broader shift in the field toward resilience, but resilience without boundary enforcement is just tolerance for drift. Identity teams should read this as a signal to harden approval, logging, and revocation paths before more AI-assisted workflows become normalised.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, showing that control failure often begins before a secret reaches production.
  • For the lifecycle angle behind this problem, see Ultimate Guide to NHIs, Key Challenges and Risks for the visibility and over-privilege patterns that make leakage harder to contain.

What this signals

Shadow AI is becoming an identity governance issue before it becomes a tooling decision. Once business users can move sensitive data into private apps without visibility, the programme loses the ability to recertify, revoke, or even inventory the resulting access. Teams should expect this to pressure both IAM and data governance functions at the same time.

Policies without enforcement will increasingly be treated as control debt. The operating model now has to prove that it can block, log, and retire risky access paths, not merely describe them. That shift favours identity programmes that connect approval, telemetry, and lifecycle management into one control chain.

As AI-assisted work becomes more normal, the most useful question is not whether people are using it. The question is whether the organisation can still see, govern, and terminate the access paths those tools create before they become permanent exceptions.


For practitioners

  • Inventory private app and agent use cases: Identify where employees are moving sensitive data into private tools or AI-assisted workflows outside approved identity controls. Classify each path by who can authenticate, what data is exposed, and whether revocation is possible after the fact.
  • Enforce runtime boundaries for agent access: Keep agent permissions narrow, task-scoped, and reviewable. Require human approval for sensitive actions, and make sure every delegated path has a clear logging and revocation mechanism.
  • Separate policy intent from control reality: Test whether the organisation can actually block, log, or revoke the behaviours it says are prohibited. If controls are advisory only, treat that as a governance deficiency and prioritise enforcement before broader rollout.
  • Extend lifecycle governance to new access paths: Fold AI-assisted workflows and unmanaged tooling into recertification, offboarding, and exception management so access does not outlive the use case that created it.

Key takeaways

  • The article shows that CISO concern is shifting from isolated AI curiosity to a broader identity governance problem involving private apps, leakage, and agentic access.
  • Enforcement matters more than policy language when users can route sensitive data through tools the organisation does not control.
  • Identity teams should measure whether they can inventory, block, and revoke these access paths before they become unmanaged shadow infrastructure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

  • OWASP Non-Human Identity Top 10, NHI1 (Improper Offboarding) and NHI2 (Secret Leakage): delegated AI access that is never retired and secrets flowing into unmanaged tools both create NHI governance exposure.
  • NIST CSF 2.0, PR.AA-05 (access permissions, entitlements, and authorisations are managed, enforced, and reviewed under least privilege and separation of duties): the article centres on access control, logging, and revocation failures. This is the CSF 2.0 successor to the CSF 1.1 subcategory PR.AC-4.
  • NIST SP 800-207, Section 2.1 tenets (per-session access, dynamic policy, and authentication and authorisation that are strictly enforced before access is allowed): private apps and agents need continuous enforcement, not policy-only trust. SP 800-207 has no control numbered AC-4; that identifier belongs to NIST SP 800-53 (Information Flow Enforcement), which is also relevant to data moving into unmanaged channels.

Verify that access decisions can be enforced, logged, and reversed in line with least privilege.


Key terms

  • Shadow AI: Shadow AI is the use of AI tools, models, or agents that the organisation has not formally discovered, approved, or governed. The risk is not only data leakage, but the loss of visibility into identity, access, and lifecycle controls for the systems handling that data.
  • Delegated access: Delegated access is permission granted to one identity to act on behalf of another identity or workflow. In practice, it creates a control chain that must be inventoried, scoped, reviewed, and revoked, because the original authorisation can outlive the use case that justified it.
  • Identity governance: Identity governance is the set of policies, controls, and review processes used to manage who or what can access systems and data over time. It only works when the organisation can enforce decisions, not merely document them, across human, machine, and agentic identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: AI agents and secret leakage are sharpening CISO concerns. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org