By NHI Mgmt Group Editorial Team
Published 2026-04-28
Domain: Governance & Risk
Source: Astrix Security

TL;DR: Identity governance built for human accounts cannot fully cover shadow NHIs, ephemeral credentials, and AI agents that create and use authority outside traditional review workflows, according to the source article. The practical shift is toward continuous authority governance, where effectiveness, visibility, and revocation matter more than campaign completion.


At a glance

What this is: This is an audit-focused argument that enterprise control models must shift from reviewing identities to governing authority across human, machine, and AI entities.

Why it matters: It matters because IAM and audit teams cannot prove effective control over NHIs and AI agents if they only measure registered accounts and periodic certification completion.

👉 Read the source article on authority governance for NHIs and AI agents


Context

Identity governance was designed around people and named accounts, not service accounts, API keys, tokens, certificates, and autonomous agents that can act without a human sitting behind each action. In NHI governance terms, the problem is not simply who is listed in the directory, but which authority-bearing entities exist, how they are created, and whether their access can be continuously proven.

The article’s central claim is that auditors need to move from static access review to continuous authority governance. That is a broader control question than classical IGA, because it includes shadow NHIs, effective privilege, audit evidence, and machine-to-machine activity that can sit outside standard enrollment workflows. For a practical framework view, see the Ultimate Guide to NHIs and the NHI Lifecycle Management Guide.


Key questions

Q: How should organisations govern NHIs beyond quarterly access reviews?

A: Organisations should govern NHIs with continuous authority controls, not periodic certification alone. That means inventorying service accounts, keys, tokens, certificates, and agents; validating effective privilege at runtime; and proving issuance, use, and revocation with time-stamped evidence. The goal is to measure actual authority, not just directory membership.

Q: Why do AI agents create a governance problem for IAM teams?

A: AI agents create a governance problem because they authenticate and act as autonomous software entities with tool access. If their actions are logged only as application activity, teams lose accountability, context, and revocation clarity. IAM must therefore extend to agent identity, delegated authority, and control-plane audit trails.

Q: What is the difference between identity governance and authority governance?

A: Identity governance asks whether a person or account was reviewed and approved. Authority governance asks whether the entity’s real ability to create, use, escalate, and retain access is continuously controlled and provable. In NHI environments, authority governance is the stronger test because runtime access often exceeds the visible record.

Q: When does continuous monitoring matter more than access certification?

A: Continuous monitoring matters more whenever access can change faster than the review cycle, especially with ephemeral credentials, APIs, and autonomous agents. In those settings, a quarterly or monthly certification can miss the period when the real risk occurs. Teams need monitoring that follows the authority lifecycle in near real time.


Technical breakdown

Why identity governance misses effective privilege

Identity governance systems are optimized for registered identities, periodic certifications, and assigned entitlements. Effective privilege is different: it reflects what an account can actually do at runtime after inherited roles, token scope, API permissions, and external integrations are applied. That gap matters because a service account may look compliant in IGA while still holding broader access through a separate key, token, or delegated trust path. In NHI environments, the object to govern is not the record in the directory but the authority path that can be exercised across systems.

Practical implication: auditors should test runtime privilege and entitlement inheritance, not just review campaign completion.
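As an added illustration of that test (this is example code, not code from the source article or from Astrix Security), the following Python resolves effective privilege for a small constructed environment. It combines the three things the paragraph names: role inheritance, scopes carried by a live token, and delegated trust (one entity allowed to assume another), then diffs the result against the approved access model so that any surplus surfaces as an audit exception. Every role, entity and permission string is constructed for the example; the data structures stand in for whatever an IGA export and control-plane query would return.

```python
# Added example (not from the source article): resolve effective privilege at
# "runtime" from role inheritance, token scope and delegated trust, then diff it
# against the approved access model. All roles, entities and permission strings
# below are constructed for illustration.

# Roles: a role grants its own permissions plus everything its parents grant.
ROLES = {
    "reader": {"inherits": [], "perms": {"repo:read"}},
    "developer": {"inherits": ["reader"], "perms": {"repo:write", "ci:trigger"}},
    "release-manager": {"inherits": ["developer"], "perms": {"prod:deploy"}},
}

# Entities: assigned roles (the IGA view), scopes carried by a live token, and
# other entities this one is trusted to assume (a delegated authority path).
ENTITIES = {
    "svc-build": {"roles": ["developer"], "token_scopes": set(), "can_assume": []},
    "svc-deploy": {"roles": ["reader"], "token_scopes": {"prod:deploy"}, "can_assume": ["svc-build"]},
    "agent-triage": {"roles": ["reader"], "token_scopes": set(), "can_assume": ["svc-deploy"]},
}

# The approved access model a certification campaign would sign off on.
APPROVED = {
    "svc-build": {"repo:read", "repo:write", "ci:trigger"},
    "svc-deploy": {"repo:read", "prod:deploy"},
    "agent-triage": {"repo:read"},
}


def role_permissions(role, roles=ROLES, _seen=None):
    """Permissions a role grants including inherited ones; tolerates cycles."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    perms = set(roles[role]["perms"])
    for parent in roles[role]["inherits"]:
        perms |= role_permissions(parent, roles, _seen)
    return perms


def effective_privilege(entity, entities=ENTITIES, roles=ROLES, _seen=None):
    """Union of role-derived permissions, token scopes and everything reachable
    through delegated trust (transitively); tolerates cycles."""
    _seen = set() if _seen is None else _seen
    if entity in _seen or entity not in entities:
        return set()
    _seen.add(entity)
    spec = entities[entity]
    perms = set(spec["token_scopes"])
    for role in spec["roles"]:
        perms |= role_permissions(role, roles)
    for target in spec["can_assume"]:
        perms |= effective_privilege(target, entities, roles, _seen)
    return perms


def audit_exceptions(entities=ENTITIES, roles=ROLES, approved=APPROVED):
    """For each entity, the permissions it can actually exercise but that the
    approved model never granted: these are the audit exceptions to document."""
    return {
        name: sorted(effective_privilege(name, entities, roles) - approved.get(name, set()))
        for name in entities
    }


if __name__ == "__main__":
    for name, surplus in audit_exceptions().items():
        status = "OK" if not surplus else "EXCEPTION " + ", ".join(surplus)
        print(f"{name:14s} {status}")
```

In the constructed data, svc-deploy looks compliant in the directory (only the reader role) but reaches repo:write and ci:trigger by assuming svc-build, and agent-triage inherits the entire chain including prod:deploy. Those are exactly the paths a campaign that reviews assigned entitlements alone does not see.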

Why ephemeral credentials change the evidence model

Ephemeral credentials reduce exposure time, but they also make evidence collection more dependent on timely logging and correlation. When credentials exist for minutes rather than months, a point-in-time review can miss both creation and use unless control-plane logs, issuance records, and downstream activity are tied together. The challenge is not only shortening credential lifetime, but proving who or what obtained authority, when it was used, and whether revocation actually occurred across the full chain.

Practical implication: require time-stamped issuance, use, and revocation evidence for every short-lived credential path.

How AI agents complicate auditability and accountability

AI agents operate as autonomous software entities with execution authority and tool access. That means their actions may be attributed to an application, an OAuth client, or a service account rather than a distinct agent identity unless the control plane preserves that linkage. Without agent-level audit trails, teams lose the ability to answer basic governance questions about delegated actions, data access, and escalation paths. This is why agent governance belongs in identity and access control, not only in application monitoring.

Practical implication: bind each agent to a traceable authority chain and log it at the control plane.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.


NHI Mgmt Group analysis

Authority governance is the right control model for the machine era. Identity governance remains necessary, but it is no longer sufficient when authority can be created by code, inherited through integrations, and exercised by software agents. The discipline now needs to track creation, use, escalation, and revocation across every authority-bearing entity. Auditors and security leaders should treat authority as the audited object, not just the named identity.

Completion is not coverage, and coverage is not assurance. A certification campaign can finish on time while leaving shadow NHIs, orphaned keys, and unregistered agents untouched. That creates a false sense of control because the visible population is often only a subset of the actual authority surface. Practitioners should assume their most important exposures may live outside the systems that produce traditional audit evidence.

Continuous evidence will matter more than periodic attestation. Regulatory and board expectations are moving toward proof that controls were effective throughout the period, not only at review points. For NHIs, that means evidence of provisioning, rotation, logging, and revocation must be time-bound and traceable. The programme implication is clear: build control evidence into the lifecycle, or the lifecycle will outrun the audit.

Continuous authority governance: A control model that evaluates whether access is created, used, escalated, and logged across human and non-human actors in real time. It matters because machine identity environments fail most often at the handoff between lifecycle events and runtime authority. Teams should adopt this lens when designing audit evidence and access controls.

Shadow NHIs are the hidden audit population. These are non-human identities that exist and operate outside formal enrollment or review workflows, including API keys, tokens, certificates, and agents. They are hard to see, easy to inherit, and often absent from certification campaigns. Security teams should assume they exist until discovery proves otherwise.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface.
  • Only 44% have implemented any policies to govern AI agents, even though 92% say governing them is critical to enterprise security.
  • For a lifecycle view of the problem, see the NHI Lifecycle Management Guide, which ties governance to provisioning, rotation, and offboarding rather than periodic review alone.

What this signals

Continuous authority governance: Audit teams should assume that the control gap will widen as AI agents and machine identities proliferate faster than governance processes can adapt. The issue is not whether access reviews remain useful, but whether they can still function as the primary assurance mechanism when authority is created and consumed outside human workflows. Teams building their programme now should anchor it to the NHI Lifecycle Management Guide and the NIST AI Risk Management Framework.

With 80% of organisations already reporting AI agents acting beyond intended scope, the operational signal is clear: agent governance cannot be treated as a future-state project. Security leaders should prepare for more discovery work, tighter control-plane logging, and stronger accountability mapping between agent actions and business owners.

The next programme decision is where to place ownership. If IAM, SOC, and application teams all assume someone else is managing authority drift, shadow NHIs will keep accumulating outside review processes. The reader should expect internal audits to ask for evidence of continuous discovery, not just campaign completion, in the next cycle.


For practitioners

  • Define authority-bearing entities in scope: Inventory human accounts, service accounts, API keys, tokens, certificates, and autonomous agents as one control population. Separate registered identities from hidden or externally created authorities so audit scope matches the real environment. This is the starting point for any authority review.
  • Test runtime privilege, not just directory entitlements: Validate what each entity can do after role inheritance, token scope, delegated permissions, and connected-system trust are applied. Compare the results against the approved access model and document any mismatch as an audit exception.
  • Capture time-bound evidence for issuance and revocation: Require logs that show when credentials were created, when they were used, and when they were revoked. Tie those records to the actor, system, and authority path so the evidence survives a post-incident review.
  • Bind AI agents to traceable control-plane identities: Assign each agent a distinct governance record that links tool access, delegation, and action logging. Without that linkage, downstream logs may show only the application or client, which weakens accountability and incident reconstruction.
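The evidence and agent-binding steps above, and the earlier point that ephemeral credentials are only auditable when issuance, use and revocation records are tied together, can be exercised with the following Python. It is an added example, not code from the source article or from any vendor: it reads control-plane log lines, builds one timeline per credential, and reports each break in the issuance, use and revocation chain, plus any use where only the application client is visible and no agent principal is bound. The log format and its field names (cred, principal, client, ttl, target) are assumptions for this example, and the log lines and the audit time are constructed rather than captured.

```python
from datetime import datetime, timedelta

# Added example (not from the source article): correlate issuance, use and
# revocation evidence for short-lived credentials from control-plane log lines.
# The log format and field names (cred, principal, client, ttl, target) are
# assumptions for this example; the lines below are constructed, not captured.
SAMPLE_LOG = """\
2026-04-28T09:00:00+00:00 ISSUE cred=c-101 principal=agent-triage client=app-portal ttl=600
2026-04-28T09:02:10+00:00 USE cred=c-101 principal=agent-triage client=app-portal target=ticket-api
2026-04-28T09:05:00+00:00 REVOKE cred=c-101 principal=agent-triage
2026-04-28T09:06:30+00:00 USE cred=c-101 principal=agent-triage client=app-portal target=ticket-api
2026-04-28T09:10:00+00:00 USE cred=c-202 principal=- client=app-portal target=storage-api
2026-04-28T09:15:00+00:00 ISSUE cred=c-303 principal=svc-deploy client=ci-runner ttl=300
2026-04-28T09:18:00+00:00 USE cred=c-303 principal=svc-deploy client=ci-runner target=prod-deploy-api
"""

# The moment the audit runs (constructed to match the sample log).
NOW = datetime.fromisoformat("2026-04-28T09:30:00+00:00")


def parse_event(line):
    """'<ISO timestamp> <EVENT> k=v ...' -> dict with a parsed 'ts' and 'event'."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def build_timelines(log_text):
    """Group events per credential id and order each timeline by time."""
    timelines = {}
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            timelines.setdefault(event["cred"], []).append(event)
    for events in timelines.values():
        events.sort(key=lambda e: e["ts"])
    return timelines


def audit_credentials(log_text, now):
    """Return (credential, finding, timestamp) tuples for every break in the
    issuance -> use -> revocation chain that an auditor would need explained."""
    findings = []
    for cred, events in build_timelines(log_text).items():
        issued = next((e for e in events if e["event"] == "ISSUE"), None)
        revoked = next((e for e in events if e["event"] == "REVOKE"), None)
        uses = [e for e in events if e["event"] == "USE"]
        if uses and issued is None:
            # Authority exercised with no record of who or what obtained it.
            findings.append((cred, "USE_WITHOUT_ISSUANCE", uses[0]["ts"]))
        for use in uses:
            if issued is not None and use["ts"] < issued["ts"]:
                findings.append((cred, "USE_BEFORE_ISSUANCE", use["ts"]))
            if revoked is not None and use["ts"] > revoked["ts"]:
                # Revocation was logged but did not take effect across the chain.
                findings.append((cred, "USE_AFTER_REVOKE", use["ts"]))
            if use.get("principal", "-") == "-":
                # Only the client/application is visible: no agent-level identity.
                findings.append((cred, "NO_AGENT_BINDING", use["ts"]))
        if issued is not None and revoked is None:
            expiry = issued["ts"] + timedelta(seconds=int(issued.get("ttl", 0)))
            if now > expiry:
                # Lifetime has elapsed but nothing proves the credential was revoked.
                findings.append((cred, "NO_REVOCATION_EVIDENCE", expiry))
    return findings


def run_sample():
    """Run the audit over the constructed log at the constructed 'now'."""
    return audit_credentials(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for cred, finding, ts in run_sample():
        print(f"{ts.isoformat()}  {cred:6s} {finding}")
```

On the constructed log the audit reports a use of c-101 after its revocation, a use of c-202 with no issuance record and no bound agent principal, and a c-303 whose lifetime has elapsed without any revocation evidence. A credential that expires silently is treated as a finding on purpose: a short TTL reduces exposure, but it is not proof that revocation occurred.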

Key takeaways

  • Identity governance is still necessary, but it no longer covers the full authority surface created by NHIs and AI agents.
  • Periodic certification can miss hidden service accounts, ephemeral credentials, and autonomous agents that operate outside enrollment workflows.
  • Practitioners need continuous authority evidence across issuance, use, escalation, and revocation if they want defensible control assurance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Shadow NHIs and unseen authority paths are central to this audit gap.
NIST CSF 2.0 | PR.AC-1 | Identity proof and access control must extend to machine identities and agents.
NIST AI RMF |  | Agent accountability and oversight align with AI governance expectations.

Inventory all non-human identities and verify they are continuously discoverable and governed.


Key terms

  • Authority Governance: Authority governance is the practice of controlling how access is created, used, escalated, and revoked across every entity that can act on enterprise systems. It extends beyond identity records to runtime privilege, audit evidence, and delegated machine actions.
  • Shadow NHI: A shadow NHI is a non-human identity that exists outside normal governance workflows and is therefore not reliably inventoried, reviewed, or attested. Examples include orphaned keys, untracked tokens, and agent credentials created outside formal enrollment.
  • Effective Privilege: Effective privilege is the real access an entity can exercise after inheritance, delegation, token scope, and connected-system trust are applied. It is often broader than the permissions shown in an identity repository, which is why runtime validation matters.
  • Control-Plane Audit Trail: A control-plane audit trail is the record that links an identity, its authority, and the action it performed at the point of use. For NHIs and agents, it is the most defensible evidence because downstream logs often lose actor context.

What's in the full article

The source article covers the operational detail this post intentionally leaves to the source:

  • The auditor question set that distinguishes coverage from completion across human and non-human populations.
  • The practical differences between IGA review workflows, PAM enrollment, and continuous authority evidence.
  • The control and evidence expectations for AI agent actions, including what logs should preserve for auditability.
  • The implications of current regulatory scrutiny for service accounts, API integrations, and machine identities.

👉 The source article expands the auditor question set and the control assumptions behind it.

Deepen your knowledge

Authority governance for NHIs and AI agents is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme that must prove continuous control rather than periodic review, it is worth exploring.


NHIMG Editorial Note

Published by the NHIMG editorial team on 2026-04-28.

NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org