By NHI Mgmt Group Editorial Team | Published 2026-08-02 | Domain: Events | Source: Zenity

TL;DR: As the EU AI Act enters enforcement on August 2, 2026, deployers face a visibility and governance problem: many cannot reliably identify where AI agents run, what data they can access, or what actions they can take, according to Zenity. That gap makes continuous monitoring and action inventory a compliance issue, not just an operational one.


At a glance

What this is: An on-demand webinar about what EU AI Act enforcement means for deploying and governing AI agents, with the key finding that many teams still lack visibility into agent location, access, and permitted actions.

Why it matters: IAM, PAM, and governance teams need to treat AI agents as managed identities with explicit scope, monitoring, and accountability across their lifecycle, not as informal automation.



Context

The core governance problem is simple: many enterprises do not yet know where their AI agents live, what data they can reach, or which actions they are allowed to take. That is an identity and access management problem before it is a legal one, because unclear scope turns AI deployment into unmanaged perimeter expansion.

The EU AI Act raises the bar for deployers who are already struggling with visibility, inventory, and continuous oversight. For identity teams, the practical question is not whether agents are useful, but whether they can be governed as accountable actors with bounded access, traceable actions, and a lifecycle that can be reviewed.

This topic sits at the intersection of agentic AI governance, non-human identity control, and enterprise compliance readiness. The starting position is typical: organisations have outpaced their governance models and have not yet built the identity controls needed to keep up.


Key questions

Q: How should security teams govern AI agents under the EU AI Act?

A: Security teams should govern AI agents as managed identities with explicit owners, defined access, and continuous monitoring. The important step is to connect deployment approval to runtime evidence so the approved state and the actual state can be compared over time. That is what makes compliance and accountability defensible.

Q: Why do AI agents create governance problems for IAM teams?

A: AI agents create governance problems because their access can span multiple platforms, data sets, and tools, while their behaviour changes after deployment. Traditional IAM often captures initial permissioning but not the ongoing actions that prove the scope is still valid. That leaves teams with gaps in visibility and accountability.

Q: What breaks when AI agents are deployed without an inventory?

A: Without an inventory, teams lose the ability to answer basic questions about where agents live, what they can reach, and who owns them. That breaks risk assessment, audit preparation, and incident response because the organisation cannot quickly map behaviour back to a responsible system or person.

Q: Who should be accountable for AI agent behaviour after deployment?

A: Accountability should sit with both the business owner and the technical owner of the agent identity, backed by clear review and escalation paths. If ownership is informal, governance becomes fragmented and the organisation cannot demonstrate who approved access, who monitors drift, or who can intervene when behaviour changes.


Background and context

Where AI agent governance breaks down in enterprise deployments

AI agents become a governance problem when they move from isolated prototypes into enterprise environments with access to tools, data, and external systems. At that point, security teams need to understand identity scope, token use, delegated permissions, and the boundaries of each agent’s runtime behaviour. The challenge is not only authentication, but continuous authorisation and observability across systems that may be distributed across platforms and business units. If those controls are missing, the organisation cannot reliably answer basic questions about who or what acted, against which data, and under what authority.

Practical implication: build an inventory of every AI agent, its owning system, and the resources it can reach before expanding deployment.

Why continuous monitoring matters more than one-time approval

The EU AI Act pressure point is not simply initial approval, but ongoing monitoring of what agents actually do after deployment. AI systems can change behaviour through new prompts, new tool connections, updated workflows, or shifting data access, which means a static approval record quickly becomes stale. For security and governance teams, this turns agent monitoring into a control plane requirement. Without telemetry on actions, data access, and exceptions, the organisation cannot demonstrate that the deployed state still matches the approved state.

Practical implication: require runtime logging and periodic review of agent actions, data access, and integrations, not just pre-deployment sign-off.

How deployment under regulation changes identity accountability

When AI agents are deployed across platforms, accountability fragments unless ownership is assigned at the identity layer. That means an agent should be tied to a business owner, a technical owner, and a control model that defines its permissible actions, data boundaries, and escalation path. This is where AI governance converges with NHI practice: the agent behaves like an identity, so it must be managed like one. If responsibility is vague, remediation becomes slow and audit evidence becomes weak.

Practical implication: assign explicit owners for agent identities, tool access, and exception handling before regulators or auditors ask for evidence.


NHI Mgmt Group analysis

Agent visibility has become the first test of AI governance readiness. The article points to a familiar failure mode in a new setting: organisations can deploy AI agents faster than they can enumerate them. That creates governance blind spots across cloud platforms, embedded workflows, and business applications. The practical conclusion is that identity inventory is now a prerequisite for AI deployment, not a post-deployment clean-up task.

Continuous monitoring, not initial approval, is the control that determines whether agent behaviour stays within policy. AI agents can shift in scope as tools, prompts, and data sources change after launch. That means a one-time assessment cannot prove ongoing compliance or operational safety. Practitioners should treat runtime observation as the evidence layer for AI agent governance.

AI agents should be governed as non-human identities with explicit accountability, because informal ownership does not survive scale. The field is moving toward agentic systems that operate inside enterprise workflows, and that makes identity lifecycle, access scope, and exception handling non-optional. The implication is that IAM and security teams must bring AI agents into the same governance discipline used for other privileged non-human identities.

Deployment under the EU AI Act will widen the gap between teams that can evidence control and teams that can only describe policy. The article signals that many organisations are still early in understanding where their agents are and what they can do. That gap will separate mature programmes from those that cannot satisfy either internal risk review or external scrutiny.

Runtime governance gap: the article illustrates that AI risk often emerges after deployment, when agent actions diverge from the assumptions made during approval. Those assumptions fail when behaviour is shaped by changing context, tool access, and distributed execution. The implication is that AI governance models must stop treating deployment as the end of control.

From our research:

What this signals

Runtime governance gap: teams that cannot inventory AI agents will not be able to prove control under emerging regulation, because access scope and behaviour drift faster than annual review cycles. The practical shift is toward identity-led oversight, where ownership, monitoring, and exception handling are part of deployment from day one.

With 72% of organisations reporting or suspecting a breach of non-human identities, per our 2024 ESG Report, the compliance conversation is no longer theoretical. Agent deployment without lifecycle and access evidence will increasingly look like unmanaged identity sprawl.

Security teams should expect AI governance to converge with NHI lifecycle control. That means the same programme that manages secrets, ownership, and review cadence for service accounts will need to extend to AI agents, with evidence that runtime actions still match approved scope.


For practitioners

  • Inventory every AI agent and its control scope: Create a living register of all agents, their owners, the platforms they run in, and the data and tools they can reach. Tie each entry to a business system and an accountable technical owner so the inventory can support audit and response.
  • Separate approval from monitoring: Treat initial approval as a starting gate only. Add runtime logging for actions, data access, tool calls, and exceptions so security and compliance teams can compare approved scope with actual behaviour.
  • Define evidence for agent accountability: Require named ownership, escalation paths, and review cadence for each agent identity. Without those evidence points, teams will struggle to demonstrate control when regulators or auditors ask how the deployment is governed.
  • Map agents into identity governance workflows: Bring agent identities into lifecycle management, access review, and exception handling processes already used for other privileged identities. Use the same governance model to reduce policy drift across teams.
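
The register and the approved-versus-actual comparison from the list above, as an added example (not code from Zenity or NHI Mgmt Group): a small Python audit that checks a constructed agent register against constructed runtime log lines. Agent names, field names and the JSON-lines log format are assumptions; the check for approved grants that were never exercised goes slightly beyond the text.

```python
import json

# Constructed register: the approved state per agent (all names hypothetical).
REGISTER = {
    "invoice-bot": {"business_owner": "finance-ops", "technical_owner": "alice",
                    "platform": "saas-low-code", "tools": {"erp.read_invoice"},
                    "data": {"finance/invoices"}},
    "hr-helper": {"business_owner": "people-team", "technical_owner": "",
                  "platform": "internal-cluster",
                  "tools": {"hris.lookup", "mail.send"}, "data": {"hr/directory"}},
}
# Constructed runtime telemetry, one JSON event per line (assumed format).
RUNTIME_LOG = """\
{"agent": "invoice-bot", "kind": "tool", "target": "erp.read_invoice"}
{"agent": "invoice-bot", "kind": "data", "target": "hr/directory"}
{"agent": "hr-helper", "kind": "tool", "target": "hris.lookup"}
{"agent": "sales-summariser", "kind": "tool", "target": "crm.export"}
"""

def audit(register, log_text):
    """Compare approved scope with observed actions; return a list of findings."""
    findings, used = [], set()
    for agent, entry in sorted(register.items()):
        for field in ("business_owner", "technical_owner"):
            if not entry.get(field):  # accountability gap: no named owner
                findings.append(("missing_owner", agent, field))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        entry = register.get(ev["agent"])
        if entry is None:  # agent is acting but was never inventoried
            findings.append(("unregistered_agent", ev["agent"], ev["target"]))
            continue
        # Unknown event kinds map to an empty scope and are flagged.
        scope = entry.get({"tool": "tools", "data": "data"}.get(ev["kind"]), set())
        if ev["target"] in scope:
            used.add((ev["agent"], ev["target"]))
        else:  # runtime behaviour has drifted outside the approved scope
            findings.append(("out_of_scope", ev["agent"], ev["target"]))
    for agent, entry in sorted(register.items()):
        for grant in sorted(entry["tools"] | entry["data"]):
            if (agent, grant) not in used:  # approved but never exercised
                findings.append(("unused_grant", agent, grant))
    return findings

if __name__ == "__main__":
    for finding in audit(REGISTER, RUNTIME_LOG):
        print(finding)
```

Each finding type corresponds to a different review action: assign an owner, register the agent, investigate the drift, or consider narrowing the grant at the next access review.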

Key takeaways

  • AI agent deployment under the EU AI Act exposes a basic control gap: many organisations still cannot see where agents run or what they can do.
  • The operational risk is not just policy non-compliance, but the inability to prove that deployed agent behaviour still matches approved scope.
  • Identity inventory, runtime monitoring, and named accountability are the controls that turn AI agent governance from a claim into evidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 |  | AI agents with tools and data access map to agentic application risks.
NIST AI RMF |  | The article centers on AI governance, accountability, and ongoing monitoring.
NIST CSF 2.0 | PR.AC-4 | Agent access scope and accountability depend on managed authorisation.

Assess agent tool use, scope drift, and oversight against OWASP agentic application risks before deployment.


Key terms

  • AI Agent Identity: An AI agent identity is the set of credentials, permissions, ownership, and control boundaries assigned to an agent that can act across systems. Unlike a simple automation job, it must support traceability, review, and revocation because the agent can interact with data and tools over time.
  • Runtime Governance: Runtime governance is the discipline of watching what an identity actually does after deployment, not just what was approved beforehand. For AI agents, it includes telemetry, action logging, access boundaries, and exception handling so drift can be detected while the system is live.
  • Identity Inventory: Identity inventory is a complete record of the identities operating in an environment, including humans, service accounts, and AI agents. For non-human identities, it is the starting point for ownership, access review, and risk prioritisation because you cannot govern what you cannot enumerate.

What to expect at the briefing

Zenity's full on-demand webinar covers the operational detail this post intentionally leaves for the source:

  • A practical 10-week action plan for deployers assessing and monitoring AI agents across their environment.
  • Direct commentary from Zenity speakers on how the EU AI Act affects global deployment teams and governance workflows.
  • Guidance on taking inventory of agents, their access paths, and the actions they are allowed to perform.
  • A forward look at likely regulatory pressure from other legislative bodies affecting AI deployments.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.