TL;DR: CSA’s first Agentic AI Security Innovator Market Map places Knostic across Governance, Observability, and Supply Chain Integrity, signalling that agentic AI security is maturing into a control-surface problem rather than a point-solution market, according to Knostic. The real question for practitioners is whether their current controls can govern agent behaviour, visibility, and upstream supply inputs as one operating model.
At a glance
What this is: CSA’s first Agentic AI Security Innovator Market Map frames agentic AI security as a three-part control surface: governance, observability, and supply chain integrity.
Why it matters: It matters because IAM, PAM, and AI security teams now need to decide how agent policy, runtime visibility, and tool-chain trust fit into one governance model.
👉 Read Knostic’s coverage of CSA’s Agentic AI Security Innovator Market Map
Context
Agentic AI security is moving from a narrow conversation about prompts and chat interfaces to a broader governance problem. When AI agents can select tools, consume data, and act in production, security teams need controls that cover behaviour, visibility, and the systems that shape the agent’s decisions.
The CSA market map is relevant because it reflects how buyers are starting to evaluate this space against control expectations, not just feature lists. For identity teams, the intersection is direct: agent permissions, delegated access, and the trust placed in MCP servers and extensions all behave like identity governance problems, not just AI tooling questions.
Key questions
Q: How should security teams govern AI agents that can choose tools at runtime?
A: Security teams should treat runtime tool choice as an authorization problem, not only a model safety problem. Define task-scoped permissions, bind each agent to approved data sources and actions, and enforce logging at the point where the agent actually executes. Governance must be paired with runtime visibility or it will miss unsafe delegation.
Q: Why do AI agents create IAM and PAM issues for enterprise teams?
A: AI agents create IAM and PAM issues because they behave like software entities that act on behalf of users and services. That means they can inherit delegated access, reach privileged systems, and operate outside traditional human approval loops. Teams need identity controls that scope, observe, and revoke that access as a managed lifecycle.
Q: What do security teams get wrong about agentic AI supply chain risk?
A: They often focus on the model and ignore the components that shape the agent’s behaviour, such as MCP servers, extensions, prompts, and rules. Those inputs can carry trust, permissions, and change risk. If they are not governed, the enterprise cannot reliably control what the agent will do in production.
Q: How should organisations decide whether existing identity controls are enough for agentic AI?
A: Organisations should ask whether current controls can answer three questions: what the agent may do, what it actually did, and which trusted components influenced that action. If any of those answers is unclear, existing identity controls are too fragmented for agentic AI. A coherent trust chain is the minimum standard.
How it works in practice
Why governance alone cannot secure agentic AI
Governance defines what an agent is allowed to do, but policy language does not enforce itself at runtime. In agentic systems, the agent may choose actions dynamically, which means a static approval model can miss unsafe tool use, unexpected data access, or policy drift after deployment. Governance becomes effective only when it is paired with controls that can inspect and constrain actions as they occur.
Practical implication: Map policy statements to runtime enforcement points, not just documentation and review workflows.
Observability for agent behaviour and output risk
Observability in agentic AI means more than logging prompts. Security teams need to see what the agent touched, which tools it called, what data it ingested, and what it returned to users or downstream systems. Without that, investigators cannot distinguish intended automation from unsafe delegation, and governance teams cannot prove that controls are working as designed.
Practical implication: Instrument agent sessions so access, tool calls, and outputs are traceable end to end.
Supply chain integrity for MCP servers and extensions
Agentic AI inherits risk from the components it trusts, including MCP servers, plugins, prompts, rules, and connectors. If any of those inputs are compromised or over-permissive, the agent can be steered into actions the enterprise never intended. That makes supply chain integrity part of the identity and authorization problem, because the trust boundary extends beyond the model itself.
Practical implication: Treat agent dependencies as governed trust inputs and review them like privileged integrations.
NHI Mgmt Group analysis
Governance, observability, and supply chain integrity are now one problem, not three. The CSA market map is useful because it rejects the false comfort of treating agentic AI security as a single-control exercise. Policy without runtime visibility leaves blind spots, while visibility without trustworthy dependencies still allows unsafe execution paths. For identity and AI security teams, the practical conclusion is that agentic AI must be governed as a full trust chain, from policy definition to tool execution.
Agentic AI creates an identity governance problem for software entities. Once an agent can decide which tools to use and when to use them, the enterprise is no longer managing only a model. It is managing a runtime entity with delegated access, operational context, and external dependencies. That pushes the discipline closer to IAM and PAM thinking, especially where agent permissions intersect with privileged systems, API keys, and delegated access paths.
Supply chain integrity is the hidden control plane for agentic AI. The market map’s inclusion of MCP servers, extensions, prompts, and rules reflects a reality many programmes still underweight. If those inputs are not controlled, the enterprise cannot meaningfully claim it controls the agent. The named concept here is agent trust-chain drift: the gap between intended agent behaviour and the accumulated trust in upstream components that shape it. Practitioners should treat that drift as a governance failure, not a tuning issue.
The category is maturing because buyers are asking for coherent control surfaces, not isolated tools. That shifts the market away from point capabilities and toward architectures that can prove coverage across decision, visibility, and dependency layers. For security leaders, the decision is less about whether to adopt agentic AI controls and more about whether existing governance models can absorb agent behaviour without fragmentation. The conclusion is to evaluate agentic AI security as a programme design problem, not a feature comparison.
Identity teams should read this as a warning about delegated access becoming the default interface for AI systems. When the agent acts on behalf of users, services, or workflows, access governance must account for non-human behaviour that changes at runtime. That means privilege assignment, tool authorization, and session visibility all need to be reviewed together. The practitioner takeaway is clear: if agent delegation is in scope, IAM and PAM can no longer remain downstream observers.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, according to The State of Non-Human Identity Security.
- For a broader identity lens, see Ultimate Guide to NHIs , 2025 Outlook and Predictions for how NHI governance is evolving across workloads, service accounts, and agentic systems.
What this signals
Agentic AI security will increasingly be judged by whether teams can prove control over delegated actions, not whether they can describe policy intent. That shifts operational responsibility toward identity, telemetry, and trust-boundary management, especially where agents touch privileged services or regulated data.
Agent trust-chain drift: the space between intended agent behaviour and the permissions inherited from connectors, extensions, and upstream inputs will become a recurring governance failure mode. Teams should expect audit requests to focus on traceability, approval records, and whether trusted dependencies were reviewed as privileged assets.
The practical signal for programmes is that AI governance, IAM, and PAM cannot evolve separately if agents are in scope. Teams that already manage third-party OAuth risk, service account privilege, and access review will have a head start, but only if those controls are extended to agent runtime behaviour and dependency change control.
For practitioners
- Map agent permissions to explicit business tasks Catalogue every tool, connector, and MCP server an agent can reach, then tie each one to a named business use case and approved data scope. Remove implicit access paths that are not justified by the task. Use the agent trust-chain drift concept to review whether the current dependency set still matches intended behaviour.
- Instrument runtime observability for agent actions Log tool calls, data sources accessed, outputs generated, and escalation events so investigators can reconstruct the full agent session. Make sure telemetry supports both security review and compliance evidence. Align the logging model with the need to trace delegated actions across identity and application layers.
- Review trusted dependencies as privileged integrations Assess MCP servers, extensions, prompts, and rules for over-permissioned access, weak ownership, and untracked changes. Put approval, review, and change-control around these inputs rather than treating them as low-risk configuration items. Where dependencies touch sensitive systems, apply the same governance discipline used for privileged service accounts.
- Align agent governance with IAM and PAM controls Define who can authorize agent access, how access is scoped, and how runtime exceptions are handled when the agent needs more authority than planned. Ensure approvals are visible to identity teams and that emergency elevation paths are limited and time-bound.
Key takeaways
- CSA’s market map shows that agentic AI security is becoming a control-surface discipline, not a feature checklist.
- Governance, observability, and supply chain integrity need to be treated as one trust chain because gaps in any layer weaken the whole model.
- Identity and privilege teams should now evaluate whether existing IAM and PAM controls can govern software entities that choose actions at runtime.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The post is about agentic AI governance, observability, and supply chain integrity. | |
| NIST AI RMF | GOVERN | AI governance ownership and accountability are central to the article. |
| NIST CSF 2.0 | PR.AC-4 | Agent permissions and delegated access align with least-privilege access management. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is directly relevant to controlling agent runtime authority. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | Trusted agent access can be abused to reach data and systems beyond intended scope. |
Assign explicit governance ownership for agentic AI access, monitoring, and exception handling.
Key terms
- Agent Trust-Chain Drift: The gradual gap between the agent behaviour an enterprise intends and the access, dependencies, and runtime conditions that actually shape what the agent can do. It matters because trusted inputs such as connectors, extensions, and prompts can expand authority without a deliberate governance decision.
- Observability For Agentic AI: The ability to reconstruct what an AI agent accessed, which tools it used, and what outputs it produced during a session. This is more than logging prompts. It provides the evidence needed for security review, incident investigation, and compliance validation.
- Supply Chain Integrity: The assurance that the tools, extensions, prompts, rules, and connected services feeding an AI agent are trustworthy and controlled. In agentic environments, this extends the security boundary beyond the model and into the components that influence runtime decisions.
What's in the full announcement
Knostic's full company news covers the operational detail this post intentionally leaves for the source:
- How the Kirin capability is positioned across AI coding environments, extensions, and agent behaviour
- The specific control themes Knostic associates with governance, observability, and supply chain integrity
- Examples of where the vendor says agentic AI security breaks down across enterprise deployments
- The broader product context around data leakage detection, oversharing, and AI governance
👉 Knostic’s full post covers the categories, control themes, and market implications in more detail.
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It is suited to security practitioners who need a structured way to govern delegated access, runtime controls, and identity lifecycle risk.
Published by the NHIMG editorial team on 2026-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org