By NHI Mgmt Group Editorial Team | Published 2026-03-23 | Domain: Breaches & Incidents | Source: Cyera

TL;DR: AI security has moved past deterministic controls, with identity, data, and intent needing to be correlated as agents act at machine speed, according to Cyera. The governance break is that traditional IAM and DLP assumptions were built for predictable software, not autonomous execution paths that can change behaviour mid-session.


At a glance

What this is: Cyera’s SACR-based Technoscope argues that secure AI adoption now depends on data-centric security tied to identity and intent correlation.

Why it matters: For IAM and security teams, the implication is that human, NHI, and agentic controls can no longer be managed as separate silos when runtime AI behaviour can reshape access and data exposure.



Context

The core problem is not just AI adoption, but the mismatch between deterministic security controls and autonomous systems that can reason, select actions, and move across data contexts at runtime. In that environment, identity governance, data governance, and runtime enforcement stop being separate workstreams and become one control problem.

Cyera’s source article uses SACR’s February 2026 Technoscope to argue for a Unified Agentic Defense Platform model built around identity, data, and intent correlation. That framing matters to IAM teams because it pushes AI security out of a perimeter mindset and into the same governance model used for sensitive workloads, privileged access, and shadow AI oversight.


Key questions

Q: How should security teams govern AI agents that can change actions at runtime?

A: Security teams should govern runtime AI by correlating identity, data, and intent before trusting an action path. If the system can select tools or alter its sequence mid-session, a static access policy is not enough. The control objective becomes contextual verification of what the agent is doing, why it is doing it, and whether the data touched matches the approved purpose.

Q: Why do traditional IAM and DLP controls fail for autonomous AI systems?

A: Traditional IAM and DLP controls fail because they assume predictable workflows and stable access patterns. Autonomous systems can generate new execution paths, change tools, and move across data contexts at runtime, which makes pre-set rules too coarse. Teams need governance that evaluates live behaviour, not just entitlements or classifications.

Q: What do security teams get wrong about AI-driven insider risk?

A: They often treat insider risk as a matter of user intent alone. For autonomous systems, a legitimate identity can be manipulated into unsafe behaviour, creating a synthetic insider problem. The governance failure is ignoring the combination of trusted identity and untrusted runtime purpose.

Q: How can organisations tell whether their AI security model is actually working?

A: They should test whether the control stack can explain who acted, what data was touched, and what purpose the action served. If those three signals cannot be correlated in one incident view, the model is likely monitoring access without governing behaviour. That is a visibility gap, not a complete AI security posture.


Technical breakdown

Why identity, data, and intent must be correlated for agentic AI

Agentic AI changes the control plane because the system no longer just processes input. It interprets context, selects actions, and can move from analysis to execution without a human approval loop. That means identity alone is insufficient, because a legitimate agent can still become a synthetic insider if its intent is manipulated or its data context is poisoned. Correlating identity, data, and intent gives defenders a way to distinguish authorised operation from unsafe runtime behaviour. In practice, this is the difference between logging access and understanding why access is happening.

Practical implication: teams should evaluate whether their current telemetry can connect who acted, what data was touched, and why the action occurred.

What breaks when deterministic controls meet autonomous systems?

Traditional firewalls, CASBs, and static DLP rules assume software behaves predictably and that policy can be applied before or after the event. Autonomous systems can shift tools, prompts, and data paths during execution, which makes fixed rules brittle and often too late. The architectural issue is not just speed. It is that the control was designed for known workflows, while agentic systems create novel workflows at runtime. Once that happens, visibility gaps are not a side effect. They are the expected outcome of using legacy control logic against probabilistic execution.

Practical implication: map where current controls depend on fixed execution paths and identify the agent workflows they cannot inspect in real time.

What is the contextual trinity in UADP architecture?

The contextual trinity is a useful shorthand for the three signals a defence stack needs to govern agentic systems effectively: identity, data, and intent. Identity tells you which actor is operating, data tells you what is being touched, and intent explains the purpose or direction of the action. Without all three, security teams may see an approved identity touching sensitive data but miss that the underlying objective has shifted. That is why the architecture matters. It is not just a better classification engine. It is a governance model for runtime interpretation.

Practical implication: design monitoring and policy decisions so they can consume intent-level context instead of relying only on access and classification events.
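As an added illustration (not code from Cyera's article or from NHI Mgmt Group), the sketch below evaluates each agent action against identity, data, and intent together, then builds one incident view per session. The identities, purposes, tool names, data classes, and both policy tables are hypothetical and constructed for the example.

```python
from collections import namedtuple

# Hypothetical policy tables, constructed for this example.
ENTITLEMENTS = {  # identity -> data classes it may access (the IAM view)
    "agent:invoice-bot": {"finance", "customer_pii"},
    "agent:support-bot": {"tickets"},
}
PURPOSE_SCOPE = {  # approved purpose -> data classes and tools it needs
    "reconcile_invoices": {"data": {"finance"}, "tools": {"erp.read"}},
    "answer_ticket": {"data": {"tickets"}, "tools": {"kb.search"}},
}

# identity = who acts, purpose = approved intent, data_class = what is touched
AgentAction = namedtuple("AgentAction", "session identity purpose tool data_class")

# Constructed sample events: session s1 drifts from its purpose mid-session.
SAMPLE = [
    AgentAction("s1", "agent:invoice-bot", "reconcile_invoices", "erp.read", "finance"),
    AgentAction("s1", "agent:invoice-bot", "reconcile_invoices", "http.post", "customer_pii"),
    AgentAction("s2", "agent:support-bot", "answer_ticket", "kb.search", "finance"),
]

def evaluate(action):
    """Return (verdict, reasons) using identity, data and intent together."""
    entitled = action.data_class in ENTITLEMENTS.get(action.identity, set())
    scope = PURPOSE_SCOPE.get(action.purpose, {"data": set(), "tools": set()})
    reasons = []
    if not entitled:
        reasons.append("identity not entitled to data class")
    if action.data_class not in scope["data"]:
        reasons.append("data outside approved purpose")
    if action.tool not in scope["tools"]:
        reasons.append("tool outside approved purpose")
    if not reasons:
        return "allow", reasons
    # An entitled identity acting outside its purpose is the synthetic insider case.
    return ("escalate" if entitled else "deny"), reasons

def correlate(actions):
    """Build one incident view per session: who acted, what data, which purpose."""
    view = {}
    for a in actions:
        verdict, reasons = evaluate(a)
        s = view.setdefault(a.session, {"identity": a.identity, "purpose": a.purpose,
                                        "data": set(), "findings": []})
        s["data"].add(a.data_class)
        if verdict != "allow":
            s["findings"].append((a.tool, a.data_class, verdict, reasons))
    return view
```

An entitlement-only check would pass the second `s1` event, because the identity is allowed to read `customer_pii`; only the purpose comparison surfaces it for escalation.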




NHI Mgmt Group analysis

Data-centric security is becoming the operating assumption for agentic governance. The article’s central claim is that AI security cannot be reduced to perimeter controls or isolated model protection because agents move through data, identity, and intent in one runtime loop. That means data is not a downstream asset to protect after identity is sorted. It is the control surface that makes the rest of the governance model intelligible. Practitioners should treat that as a change in architecture, not a tooling preference.

The contextual trinity is the right lens for the category because it captures the actual decision problem. Identity tells you who is acting, data tells you what is exposed, and intent tells you whether the action is aligned with the authorised purpose. A security programme that tracks only one of those signals will misread legitimate activity as safe or unsafe activity as normal. The implication is that agentic AI security requires correlated context, not another isolated dashboard.

Static security controls were designed for deterministic software, not autonomous execution. That assumption fails when the actor is autonomous because the system can generate novel outputs, select tools dynamically, and act at machine speed without a human approval gate. The implication is not simply that teams need more monitoring. It is that existing governance assumptions about stable workflows, reviewable access, and predictable timing no longer hold.

UADP reflects a broader market shift from bolt-on AI protections to control-plane thinking. The article positions the category as a response to fragmented tooling that cannot keep up with AI-driven data movement and runtime decisions. That suggests the market is moving toward integrated governance models where data security, identity monitoring, and response orchestration are treated as one design problem. Practitioners should expect consolidation around platform-level control rather than point fixes.

Autonomous remediation is a governance milestone only if the underlying evidence model is trustworthy. The source argues for machine-speed remediation, but remediation at speed depends on high-confidence classification and traceability first. Without reliable context, automation just compounds error faster. The implication for security leaders is to define where automation can act safely and where human escalation must remain mandatory.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, even as 53% expect AI to run major portions of their infrastructure autonomously within three years.
  • That combination of over-privilege and low preparedness shows why teams should study Ultimate Guide to NHIs, Key Challenges and Risks before scaling agentic systems.

What this signals

Identity blast radius: once AI systems can act at machine speed, the relevant governance question is no longer whether access was granted, but how far the resulting action can spread before a human notices. The article’s framing points toward a future where runtime context matters more than provisioning logic, especially for sensitive data and privileged workflows.

With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, the governance gap is already visible in entitlement policy. Teams should expect pressure to move AI controls closer to data and runtime evidence, not just access review cadences.

The practical signal for security programmes is that agentic AI will force convergence across IAM, DSPM, and runtime detection. Policies built for static identities will need to be revalidated against workflows that can reason, select tools, and affect data without deterministic paths.


For practitioners

  • Map agentic workflows to identity, data, and intent signals. Identify which AI workflows require all three signals before policy decisions can be trusted. Prioritise sensitive data paths, privileged actions, and any workflow that can execute without a human approval gate.
  • Review controls that assume deterministic software. Inventory firewalls, CASBs, and static DLP rules to find where they depend on fixed execution paths. Replace those assumptions with runtime inspection points for systems that can change tools or data paths mid-session.
  • Separate synthetic insider risk from ordinary misuse. Treat a legitimate agent manipulated into exfiltration as a distinct governance case. Update monitoring so policy can detect when a permitted identity behaves outside its intended business purpose.
  • Use data classification to drive AI governance. Anchor model and agent controls in business-sensitive data rather than generic AI policy. That gives security teams a practical way to scope enforcement, escalation, and review thresholds around actual exposure.

Key takeaways

  • Agentic AI changes the security problem from access management to runtime behaviour governance across identity, data, and intent.
  • Legacy controls built for deterministic software cannot reliably interpret autonomous workflows that change tools and data paths mid-session.
  • Security teams need correlated context and data-centric controls before they can trust autonomous AI at enterprise scale.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| OWASP Agentic AI Top 10 | | Agentic runtime behaviour and tool use are central to the article. |
| NIST AI RMF | | The article centres on governance, risk, and trust for AI systems. |
| NIST CSF 2.0 | PR.AC-4 | Access control must account for dynamic AI-driven activity. |

Apply AI RMF governance to define ownership, oversight, and escalation for autonomous AI behaviour.


Key terms

  • Unified Agentic Defense Platform: A Unified Agentic Defense Platform is a security architecture designed to govern AI systems that act, choose tools, and affect data at runtime. It combines identity, data, and intent signals so defenders can understand behaviour rather than only list access. The concept reflects the shift from static control planes to runtime governance.
  • Contextual Trinity: The contextual trinity is the three-part signal set of identity, data, and intent used to evaluate agentic behaviour. Identity shows who is acting, data shows what is being touched, and intent explains the purpose of the action. In autonomous environments, all three are needed to separate authorised operation from manipulated or unsafe execution.
  • Synthetic Insider: A synthetic insider is a legitimate AI or agent identity that is manipulated into performing harmful actions, such as exfiltration or unauthorised data movement. The risk is not stolen credentials alone, but trusted runtime behaviour being redirected toward an unsafe outcome. This makes insider-style abuse possible without a human attacker directly holding the identity.
  • Autonomous execution layer: The autonomous execution layer is the part of an AI system where decisions become actions without a human approval gate between them. It is where the system selects what to do, which tools to use, and when to act. Security teams must govern this layer differently from ordinary automation because timing and intent can change in-session.


This post draws on content published by Cyera: SACR names Cyera an innovator in the 2026 UADP Technoscope.
