AI model and agent inventory is now the first governance test

At a glance

What this is: This is a governance guide on building a live AI model and agent inventory, with the key finding that inventory is the prerequisite for oversight, auditability and trust.

Why it matters: It matters because IAM, IGA and security teams cannot govern AI systems, assign accountability or scope access controls across NHI and autonomous programmes without a current system of record.

👉 Read Collibra's guidance on AI model and agent inventory design

Context

An AI model and agent inventory is the governance control that records every AI system an organisation runs, including models, use cases and autonomous agents, with ownership, risk tier and data reach. Without that baseline, teams are forced to infer what is in production rather than govern it directly.

The identity problem is broader than cataloguing software. As AI systems gain tool access and act on data, the inventory becomes the bridge between AI governance, NHI oversight and access control, especially when shadow deployments and orphaned agents appear faster than manual reviews can keep up.

Key questions

Q: How should security teams build a current inventory for AI models and agents?

A: Start by registering AI assets at the point of deployment, not in a quarterly spreadsheet review. Capture owner, risk tier, data access, lifecycle stage and framework dependencies from the same code and release artefacts that create the system. Then reconcile the inventory against live discovery so shadow AI and orphaned agents surface as exceptions, not assumptions.

Q: Why do AI agents need separate governance from AI models?

A: Because agents do more than generate predictions. They can query data, call tools and trigger workflows, which expands the governance surface beyond model metadata. A separate agent record lets teams manage ownership, data reach and lifecycle state with the same rigor they apply to other high-risk non-human identities.

Q: What breaks when an AI inventory is only updated manually?

A: Manual inventories drift almost immediately in fast-moving AI estates. They miss duplicate agents, orphaned models and systems that were promoted after the last review cycle. The result is a record that looks authoritative during audits but no longer reflects production reality, which undermines accountability and access scoping.

Q: How do IAM and AI governance teams know if their inventory is working?

A: Look for low mismatch between approved state and live state, clear named ownership for every asset and a fast path from discovery to registration. If shadow systems routinely appear without a record, the inventory is functioning as documentation rather than governance, and the team still lacks control over the estate.

Technical breakdown

Why AI inventories fail when they are spreadsheet-based

A spreadsheet inventory is a snapshot, not a control plane. It can show what was approved, but not what is currently running, who owns it or what data it can reach. In fast-moving AI estates, that creates a governance lag where duplicate agents, orphan models and shadow deployments accumulate between review cycles. A live inventory has to be populated from the deployment path, not from manual updates after the fact. That is the difference between recordkeeping and control.

Practical implication: move AI registration into deployment workflows so the inventory is created at the point of release, not after the fact.

What makes agent inventory different from model inventory

A model produces output, but an agent can take action. It may query data, call tools, trigger workflows and initiate downstream tasks, which means the governance surface includes behaviour as well as metadata. That is why an inventory that only tracks models documents the safer half of the estate. The agent record needs ownership, lifecycle stage, framework dependencies and data access scope so risk teams can trace both the system and its runtime behaviour.

Practical implication: classify agents separately from models and capture their tool and data reach as part of the inventory schema.

How capture-at-source turns inventory into governance

Capture-at-source means registration happens from code and deployment pipelines, so the asset record is generated when the system is created or promoted. That approach reduces drift because the inventory pulls from the same artefacts that ship the workload: framework, datasets, owner, assessment status and trust signal. It also makes shadow discovery easier, because anything running without a corresponding registration record becomes visible as an exception. The result is a living inventory that supports audit, triage and accountability.

Practical implication: connect AI inventory to CI/CD and discovery tooling so unregistered assets stand out immediately.

NHI Mgmt Group analysis

AI inventory is the control point where AI governance becomes operational. A current inventory is not an administrative extra, it is the evidence layer that makes ownership, risk classification and access scope enforceable. Without it, AI oversight collapses into periodic guesswork and post-incident reconstruction. Practitioners should treat inventory quality as a prerequisite for every downstream governance decision.

Runtime AI visibility gap: many programmes still understand approval states better than live states. That gap matters because AI estates drift after deployment, especially when agents can spawn other agents or connect to new data sources. The governance failure is not only missing records, but the assumption that the approved architecture still matches production reality. Practitioners should measure how quickly approval state diverges from runtime state.

Agents need a different inventory posture than models because they can change the operational boundary. A model stays within prediction semantics, but an agent can cross into execution by querying systems, invoking tools and triggering workflows. That means model-centric inventories systematically understate the blast radius of AI. Practitioners should separate predictive assets from action-taking assets in both schema and review cadence.

Inventory is where NHI governance and AI governance converge. Once an agent can reach data and tools, it behaves like a governed non-human identity even if the organisation labels it as an AI feature. That makes access scope, lifecycle state and ownership the common control language across NHI and autonomous programmes. Practitioners should stop treating AI inventory as a side catalogue and start treating it as identity governance infrastructure.

Live trust signals are more useful than static readiness scores when AI estates scale quickly. A single current score can be easier to operationalise than dozens of disconnected assessments, but only if it updates from source systems. The article's core lesson is that governance follows freshness, not volume. Practitioners should use the inventory to prioritise review based on current exposure, not historical approval.

From our research:

• 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
• For the broader governance pattern, see OWASP Agentic AI Top 10 for runtime risk controls that inventory alone cannot solve.

What this signals

With 70% of organisations already granting AI systems more access than they would give a human employee performing the same job, the governance gap is no longer about visibility alone. The operational problem is that many inventories still describe approval states rather than live access realities, which means risk teams are measuring the wrong thing.

Runtime visibility gap: inventories must now be treated as living identity infrastructure, not reporting artefacts. That shift matters for NHI programmes too, because the same failure mode appears when service accounts, tokens or agent identities are tracked in spreadsheets that age faster than the systems they describe.

Teams that are already aligning AI governance with NIST AI Risk Management Framework and NIST Cybersecurity Framework 2.0 should use inventory freshness as a measurable control signal. If new assets are not discovered, classified and owned quickly, policy is not translating into operational restraint.

For practitioners

• Register AI assets at deployment time Tie model, use case and agent registration to the deployment pipeline so every promoted asset creates an inventory record before production access is granted.
• Separate agents from models in the schema Track autonomous agents with their own fields for owner, lifecycle stage, framework dependencies, data access and tool reach instead of folding them into generic model records.
• Use discovery to expose shadow AI Compare the live estate against the inventory and flag any running AI system that lacks a corresponding record, especially where agents may have spawned other agents.
• Attach access and assessment status to every record Link each asset to its current data access scope, relevant assessments and named owner so audit teams can trace accountability without rebuilding context from multiple systems.

Key takeaways

• A current AI inventory is the control that turns AI governance from theory into something auditors, engineers and risk teams can actually use.
• Agents need separate treatment from models because they can query data, call tools and trigger workflows, which expands identity and access risk beyond prediction.
• If the inventory is not created from deployment and reconciled against live discovery, it will drift fast enough to miss shadow AI and orphaned systems.

Key terms

• AI Model Inventory: A current record of every AI system an organisation runs, with enough metadata to show what it is, who owns it, what data it can reach and how risky it is. In practice, it is the control point that connects AI governance to accountable operations.
• Shadow AI: AI systems that are present in the environment but not visible to governance, security or risk teams. They create unmanaged access and accountability gaps because the organisation cannot review, classify or constrain what it does not know exists.
• Capture-at-Source: A registration approach where asset metadata is created from code, deployment or orchestration events rather than manual entry. It reduces drift by making the inventory reflect the same system that actually ships and runs in production.
• Runtime Visibility Gap: The difference between what a governance record says is approved and what is actually running right now. In AI programmes, that gap widens quickly when systems are updated often, which makes stale records a control weakness rather than a documentation issue.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Collibra: AI Model and Agent Inventory: How to Catalog Every AI System in Your Enterprise. Read the original.