By NHI Mgmt Group Editorial Team
Published 2025-09-10
Domain: Breaches & Incidents
Source: Zenity

TL;DR: AI agents are spreading across enterprise SaaS, cloud, and endpoint environments, with more than 80% of Fortune 500 companies already deploying autonomous systems, according to Zenity; Gartner naming Zenity a Cool Vendor in Agentic AI TRiSM reflects a wider shift. The security problem is no longer prompt filtering, but governing what agents can access, decide, and do in real time.


At a glance

What this is: Gartner’s agentic AI TRiSM recognition shows that autonomous AI agents are forcing identity teams to rethink how access, behaviour, and control are governed.

Why it matters: It matters because agentic AI introduces non-human identities that can chain actions and touch sensitive systems, which means IAM, NHI, and human governance models can no longer stay separate.

By the numbers:

👉 Read Zenity's analysis of Gartner's agentic AI TRiSM recognition and AI agent governance


Context

AI agent governance is the control problem that appears when software can choose actions, call tools, and touch data at runtime without a human approving each step. In the context of agentic AI, traditional IAM assumptions break down because the identity is no longer just authenticating to a service, it is actively operating across systems and data boundaries.

Zenity’s article uses Gartner’s TRiSM recognition as a market signal, but the real issue for practitioners is broader: autonomous agents now create identity surface area across SaaS, cloud, and endpoints. That makes visibility, permission scoping, and real-time monitoring identity problems as much as security problems, especially when the same agent can access email, databases, and external tools in one session.


Key questions

Q: What does agentic AI TRiSM mean for IAM and NHI teams?

A: It means governance can no longer stop at authentication and static entitlements. IAM and NHI teams need to understand what agents can decide, what tools they can invoke, and which systems they can touch at runtime. That makes identity ownership, access scope, and behavioural monitoring part of the same control model.

Q: Why do autonomous AI agents create more risk than ordinary automation?

A: Ordinary automation follows predefined rules, but autonomous agents can choose actions and sequence them dynamically. That makes their access harder to describe at provisioning time and harder to review after the fact. The risk comes from runtime discretion, not just from the fact that the system is automated.

Q: How should security teams govern AI agents that touch sensitive data?

A: They should treat each agent as a non-human identity with explicit ownership, least-privilege tool access, and telemetry on actual behaviour. Data access, memory use, and action chaining should all be visible so teams can prove whether the agent stayed within its approved purpose.

Q: What should organisations do when AI agent behaviour exceeds intended scope?

A: They should pause the specific agent workflow, inspect the connectors and permissions that enabled the behaviour, and compare the observed actions to the approved business purpose. If the agent crossed trust boundaries, the governance model failed to constrain execution, not just access.


Technical breakdown

Why agentic AI creates a different identity surface

Agentic AI systems differ from conventional apps because they can decide what to do next, select tools at runtime, and continue execution without a new human request. That means the security boundary is no longer only the login or API token. The meaningful boundary becomes the sequence of actions, the tools invoked, and the data touched during execution. For identity teams, this shifts the problem from static entitlement review to runtime control of non-human behaviour. Frameworks such as OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both point toward governance of action, not just authentication.

Practical implication: treat agents as active identity subjects and review their execution paths, not only their credentials.

Why prompt filters do not secure autonomous agents

Prompt filtering only inspects one input in one moment, but autonomous agents can chain multiple prompts, tools, and data calls into a longer workflow. A malicious instruction can be hidden inside a benign-looking sequence, which is why step-level analysis matters. The article’s core point is that the agent itself is the attack surface, not merely the text it receives. That is a governance problem because access decisions, memory usage, and tool invocation all become part of the trust model. Traditional application security tools were not built to observe that entire path.

Practical implication: move from prompt review to step-level monitoring of tool use, memory, and downstream actions.
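The shift from prompt review to step-level monitoring can be made concrete with a small execution monitor. The following is an added example, not code from Zenity or from NHI Mgmt Group; the tool names, resource labels and policy fields are assumptions chosen to illustrate the idea. Each tool call is checked against the agent's approved scope, the full ordered execution path is kept as evidence, and a cross-step rule flags a chained pattern (read from a sensitive resource, then send outbound) that no single-step check would catch.

```python
"""Step-level monitoring of an agent's tool calls.

Added example, not Zenity's or NHIMG's code. Tool names, resource labels
and the policy fields are assumptions. Each call is checked against the
agent's approved scope, the whole execution path is retained, and a
chained pattern (sensitive read followed by an outbound action) is flagged
even though each step on its own looks benign.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolCall:
    tool: str        # tool the agent invoked, e.g. "query_db"
    target: str      # resource the call touched, e.g. "crm.customers"
    outbound: bool   # True if the call sends data outside the tenant


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    owner: str                      # named business owner for the agent
    allowed_tools: frozenset
    allowed_resources: frozenset
    sensitive_resources: frozenset  # data that must not precede an outbound step


@dataclass(frozen=True)
class Finding:
    step: int
    rule: str
    detail: str


class ExecutionMonitor:
    """Records every step and evaluates per-step and cross-step scope rules."""

    def __init__(self, policy: AgentPolicy) -> None:
        self.policy = policy
        self.path: list = []          # ordered execution path (the audit artefact)
        self.findings: list = []
        self._touched_sensitive = False

    def record(self, call: ToolCall) -> list:
        """Append one step to the path and return the findings it produced."""
        step = len(self.path) + 1
        self.path.append(call)
        p = self.policy
        new = []
        if call.tool not in p.allowed_tools:
            new.append(Finding(step, "TOOL_OUT_OF_SCOPE",
                               f"{call.tool} is not granted to {p.agent_id}"))
        if call.target not in p.allowed_resources:
            new.append(Finding(step, "RESOURCE_OUT_OF_SCOPE",
                               f"{call.target} is not approved for {p.agent_id}"))
        # Cross-step rule: a sensitive read earlier in the path, outbound action now.
        if call.outbound and self._touched_sensitive:
            new.append(Finding(step, "SENSITIVE_THEN_OUTBOUND",
                               f"outbound {call.tool} after access to sensitive data"))
        if call.target in p.sensitive_resources:
            self._touched_sensitive = True
        self.findings.extend(new)
        return new

    def boundary_lost(self) -> bool:
        """True once observed execution no longer matches the approved purpose."""
        return bool(self.findings)


def run_sample_session() -> ExecutionMonitor:
    """Constructed trace: an inbox assistant that chains a CRM read into an external send."""
    policy = AgentPolicy(
        agent_id="inbox-assistant-01",
        owner="sales-ops@example.invalid",           # constructed owner
        allowed_tools=frozenset({"search_mail", "query_db", "write_memory", "send_email"}),
        allowed_resources=frozenset({"mail.inbox", "crm.customers",
                                     "agent.memory", "mail.outbound.internal"}),
        sensitive_resources=frozenset({"crm.customers"}),
    )
    trace = [                                         # constructed sample steps
        ToolCall("search_mail", "mail.inbox", False),
        ToolCall("query_db", "crm.customers", False),
        ToolCall("write_memory", "agent.memory", False),
        ToolCall("send_email", "mail.outbound.external", True),
    ]
    monitor = ExecutionMonitor(policy)
    for call in trace:
        monitor.record(call)
    return monitor


if __name__ == "__main__":
    m = run_sample_session()
    for f in m.findings:
        print(f"step {f.step}: {f.rule} - {f.detail}")
```

Steps one to three are all within scope; only at step four does the monitor report both an unapproved resource and the sensitive-then-outbound chain. The retained path is what lets a reviewer show which earlier step made the final action a boundary loss.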

How lifecycle governance changes when the subject is an AI agent

Lifecycle governance for autonomous agents looks similar to human or NHI governance on paper, but the timing is different. Join, move, and leave events can happen instantly through software deployment, configuration changes, or delegated access updates. The practical issue is that agent privileges may be created, expanded, and consumed faster than a normal review cadence can observe. That makes lifecycle control a runtime problem as much as an approval problem. If the programme only checks entitlements periodically, it will miss the moment when an agent crosses from approved use into unintended access.

Practical implication: align lifecycle reviews with deployment and behaviour telemetry, not only periodic certification cycles.


Threat narrative

Attacker objective: The attacker wants to abuse trusted agent access to reach sensitive data, manipulate business systems, or trigger actions that bypass normal human review.

  1. Entry occurs when an AI agent is deployed with access to business systems such as email, cloud services, or databases, often through legitimate integration paths.
  2. Escalation happens when the agent chains actions across multiple systems or invokes external tools in ways the operator did not explicitly anticipate.
  3. Impact follows when the agent reaches sensitive data, triggers unsafe actions, or becomes a viable target for hijacking and manipulation.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agent governance is no longer a subset of application security. Once software can select tools, chain actions, and operate across enterprise systems, the control problem becomes identity-centric. The important question is not whether the prompt was safe, but whether the actor had the right to assemble a harmful workflow in the first place. Practitioners should treat this as a governance boundary shift, not a tooling upgrade.

Agentic AI is exposing a runtime governance gap that static entitlements cannot close. Traditional access reviews assume a stable subject, a stable permission set, and a reviewable artefact. Agent behaviour changes during execution, which means entitlement alone no longer describes risk. The implication is that IAM programmes must account for behaviour as an identity property, not only issued access.

Autonomous agent behaviour is collapsing the assumption that access persists long enough to be reviewed. Standing privilege review was designed for conditions where access could be certified after the fact. That assumption fails when an agent can acquire, use, and discard access within a single operational session. The implication is that review cadence is no longer the primary control variable for this class of identity.

Agent-centric security is becoming a category signal for the market, not just a product pattern. Gartner’s recognition of agentic AI TRiSM indicates that buyers are moving toward controls built around agent behaviour, lifecycle visibility, and execution context. That will pressure IAM, NHI, and security tooling to converge around a shared model of non-human governance. Practitioners should expect tighter scrutiny of products that only inspect prompts or isolated policies.

Identity governance for agents will increasingly need to bridge human approval, NHI controls, and autonomous behaviour. Agent adoption is not replacing existing identity disciplines, but it is forcing them into the same control plane. The most useful programmes will connect ownership, entitlement, and runtime action into one governance story. Practitioners should prepare for cross-domain policy design rather than siloed reviews.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
  • In the same research, 80% of organisations report that their AI agents have already acted beyond intended scope, including 39% that saw access to unauthorised systems and 23% that saw revealed access credentials.
  • For a broader control model, see OWASP Agentic AI Top 10, which helps teams translate agent behaviour into practical governance and defence controls.

What this signals

Agentic AI is turning visibility into the first governance test. If teams cannot track what an agent accessed, they cannot credibly certify whether the agent stayed inside its purpose or crossed into sensitive systems. The operating model has to change from periodic access review to continuous evidence capture, especially when a single agent can span email, cloud services, and internal databases in one workflow.

With 92% of organisations saying AI agent governance is critical but only 44% having policies in place, the gap is no longer about awareness. The constraint is operational maturity, not vocabulary. Security leaders should expect internal pressure to connect AI agent policy, IAM ownership, and runtime monitoring into one programme instead of treating them as separate initiatives.

Agent-boundary loss is the concept practitioners should track. It describes the moment an AI agent’s approved purpose no longer matches its observed execution path, and it is where NHI governance, access control, and AI risk management converge. Teams should use the NIST AI Risk Management Framework to anchor ownership and the Ultimate Guide to NHIs to connect that ownership to lifecycle control.


For practitioners

  • Map every agent to a named business owner: document who approves deployment, who reviews ongoing access, and who can remove the agent when risk changes. Without a clear owner, agent access becomes orphaned faster than periodic governance cycles can correct it.
  • Review tool access as a separate control surface: inventory which tools, APIs, databases, and SaaS systems each agent can invoke, then narrow those permissions to the smallest workable set. A single broad integration can turn a harmless assistant into a high-impact identity path.
  • Monitor agent execution paths, not just prompts: capture the sequence of calls, data touches, and outbound actions so you can see what the agent actually did. This is the only way to catch chained behaviour that looks benign at the input layer.
  • Align recertification with deployment cadence: tie review triggers to changes in model, configuration, connector, and business use rather than waiting for quarterly certification. Runtime change is where the risk appears, so governance has to move at the same speed.
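The ownership, tool-scope and recertification points above can be implemented as a small review routine over an agent registry. This is an added example, not code from Zenity or from NHI Mgmt Group; the record fields, the fingerprint construction and the sample agents are assumptions. It checks that every agent has an active named owner, compares granted tools with tools actually observed in telemetry so unused grants can be removed, and raises a review when the model, connectors or business use drift from what was last certified, instead of waiting for a calendar cycle.

```python
"""Ownership, least-privilege tool scope and change-driven recertification.

Added example, not Zenity's or NHIMG's code. Field names, the fingerprint
construction and the sample records are assumptions. Three checks from the
practitioner list are shown: active named owner, unused tool grants, and a
recertification trigger driven by model, connector or business-use change.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeploymentConfig:
    model: str
    connectors: frozenset       # SaaS, cloud and database integrations the agent can reach
    business_use: str           # approved purpose, as certified


@dataclass(frozen=True)
class AgentRecord:
    agent_id: str
    owner: Optional[str]        # None means the agent is orphaned
    granted_tools: frozenset
    certified: DeploymentConfig # configuration at the time of the last certification


def config_fingerprint(cfg: DeploymentConfig) -> str:
    """Stable hash of the certified configuration, so drift is cheap to detect."""
    payload = json.dumps(
        {"model": cfg.model, "connectors": sorted(cfg.connectors), "business_use": cfg.business_use},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def recertification_triggers(rec: AgentRecord, current: DeploymentConfig,
                             active_owners: frozenset) -> list:
    """Return human-readable reasons a review is due now; empty means none."""
    reasons = []
    if rec.owner is None or rec.owner not in active_owners:
        reasons.append("no active owner")
    if config_fingerprint(current) != config_fingerprint(rec.certified):
        if current.model != rec.certified.model:
            reasons.append(f"model changed: {rec.certified.model} -> {current.model}")
        added = current.connectors - rec.certified.connectors
        removed = rec.certified.connectors - current.connectors
        if added:
            reasons.append("connectors added: " + ", ".join(sorted(added)))
        if removed:
            reasons.append("connectors removed: " + ", ".join(sorted(removed)))
        if current.business_use != rec.certified.business_use:
            reasons.append("business use changed")
    return reasons


def unused_grants(rec: AgentRecord, observed_tools: frozenset) -> frozenset:
    """Tools granted but never seen in telemetry: candidates for removal."""
    return rec.granted_tools - observed_tools


def run_sample_review() -> dict:
    """Constructed registry of two agents plus their current state and telemetry."""
    active_owners = frozenset({"alice@example.invalid"})   # bob has left
    records = [
        AgentRecord("ticket-triage-01", "alice@example.invalid",
                    frozenset({"read_ticket", "update_ticket", "send_email"}),
                    DeploymentConfig("model-v1", frozenset({"helpdesk"}), "triage inbound support tickets")),
        AgentRecord("finance-helper-02", "bob@example.invalid",
                    frozenset({"query_ledger", "export_csv"}),
                    DeploymentConfig("model-v1", frozenset({"ledger-db"}), "summarise monthly spend")),
    ]
    current = {   # constructed: what deployment currently shows
        "ticket-triage-01": DeploymentConfig("model-v1", frozenset({"helpdesk"}), "triage inbound support tickets"),
        "finance-helper-02": DeploymentConfig("model-v2", frozenset({"ledger-db", "payments-api"}), "summarise monthly spend"),
    }
    observed = {  # constructed: tools seen in runtime telemetry over the review window
        "ticket-triage-01": frozenset({"read_ticket", "update_ticket"}),
        "finance-helper-02": frozenset({"query_ledger", "export_csv"}),
    }
    report = {}
    for rec in records:
        report[rec.agent_id] = {
            "recertify": recertification_triggers(rec, current[rec.agent_id], active_owners),
            "unused_grants": sorted(unused_grants(rec, observed[rec.agent_id])),
        }
    return report


if __name__ == "__main__":
    for agent_id, result in run_sample_review().items():
        print(agent_id, result)
```

In the sample, the triage agent needs no review but carries an unused send_email grant worth removing, while the finance agent is flagged on three counts at once: its owner is no longer active, its model changed, and a payments connector was added since certification.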

Key takeaways

  • AI agents are no longer a side issue for security teams, because they now behave like non-human identities with runtime discretion.
  • Zenity’s article and related industry research show that visibility and policy coverage are still behind agent adoption, which leaves compliance and breach response exposed.
  • The control gap is shifting from credentials alone to execution paths, ownership, and behavioural governance, which means IAM, NHI, and AI programmes must converge.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Agentic AI governance and tool abuse are central to this article.
NIST AI RMF | | The article is about governing AI risk, ownership, and trustworthiness.
OWASP Non-Human Identity Top 10 | NHI-03 | Agent credentials and access scope must be governed as NHI lifecycle issues.

Review agent credentials, scopes, and ownership as non-human identities with lifecycle control.


Key terms

  • Agentic AI: AI systems that can choose actions, call tools, and continue execution with limited or no human intervention. In identity terms, these systems behave like non-human actors whose risk is defined by runtime discretion, not just by the credentials they use.
  • Non-Human Identity: Any identity used by software rather than a person, including service accounts, tokens, certificates, workloads, bots, and AI agents. The core governance issue is whether the identity has clear ownership, bounded privilege, and lifecycle control across its operating span.
  • Agent-centric security: A security model that treats the AI agent itself as the thing being governed, not just the prompt, model, or hosting application. It focuses on what the agent can access, what actions it can chain, and how those actions are observed and constrained.
  • Runtime governance gap: The mismatch between static access controls and the behaviour an identity shows while it is executing. For AI agents, this gap appears when policies describe intended use but do not capture the sequence of tools, data, and actions an agent can assemble in real time.

Deepen your knowledge

AI agent governance and non-human identity controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an agent governance programme from the same starting point, it is worth exploring.

This post draws on content published by Zenity: Zenity named a 2025 Cool Vendor in Gartner’s Agentic AI TRiSM report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org