SailPoint and Claude compliance API: AI platform identity governance

At a glance

What this is: SailPoint’s integration with Claude Compliance API is an identity governance move that brings visibility, access control, and NHI oversight to Claude Enterprise usage.

Why it matters: It matters because IAM teams now need consistent governance across human users, service identities, and AI agents, rather than treating AI platforms as outside the identity programme.

By the numbers:

• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.

👉 Read SailPoint's analysis of Claude Compliance API governance for AI platforms

Context

AI platform access is now an identity problem, not just an application problem. When enterprises connect Claude Enterprise to business workflows, the governance question shifts from whether users can log in to whether the platform, its roles, and its agents are visible, approved, and accountable across the identity stack.

That is where existing IAM programmes start to strain. Human access models were built for named users and stable entitlements, while AI platform usage introduces Shadow AI risk, non-human identities, and a new class of access activity that can move faster than traditional review cycles.

For teams managing NHI, human IAM, and emerging AI governance together, the practical issue is alignment: the same controls that support certification, visibility, and privilege management must now extend into AI platform access without creating blind spots or false confidence.

Key questions

Q: How should security teams govern AI platform access in the enterprise?

A: Start by treating the AI platform as a governed identity surface, not a separate innovation layer. Map users, groups, roles, and any AI agents that touch it, then require ownership, approval, and periodic review. The goal is to make access attributable and revocable, with the same discipline applied to high-risk non-human identities.

Q: Why does shadow AI create an identity governance problem?

A: Shadow AI creates an identity governance problem because unapproved tools and agents can access enterprise data without being inventoried, owned, or recertified. That breaks attribution and makes revocation unreliable. Once AI usage sits outside the identity programme, security teams lose visibility into who or what is actually acting inside the environment.

Q: What breaks when AI platform access is managed like ordinary user access?

A: What breaks is the assumption that access is stable, human-owned, and easy to review in a later cycle. AI usage can be distributed, contextual, and agent-driven, so ordinary user access controls often miss the real scope of activity. That leaves privilege, usage, and accountability misaligned.

Q: When should organisations prioritise AI identity governance over new AI deployments?

A: They should prioritise it before broad deployment, because the first wave of AI usage often creates the largest blind spots. If the identity model, approval path, and review cadence are not defined early, the organisation inherits shadow usage and excess access that are harder to unwind later. Governance should precede scale.

How it works in practice

How AI platform identity governance works across users, roles, and agents

Identity governance for AI platforms starts by treating the platform as a governed access surface rather than a standalone tool. That means mapping who can use it, what roles are assigned, which groups inherit access, and which AI agents participate in the workflow. The control objective is not just authentication. It is continuous visibility into entitlement, usage, and the identity relationships that make AI activity attributable. In practice, this brings AI platform access into the same governance model as other enterprise identities, while preserving context about who is using the system and why.

Practical implication: teams should inventory AI platform identities and entitlement paths before they expand usage.

Why shadow AI is an NHI governance problem

Shadow AI appears when AI tools and agents are adopted faster than identity governance can classify and monitor them. In NHI terms, the problem is not only undiscovered software. It is undiscovered identity behaviour, where an AI platform or agent can access enterprise data and systems without being folded into the normal lifecycle, review, and exception processes. Once that happens, access decisions lose traceability and the organisation cannot reliably say which AI identities are active, who approved them, or whether they are still in scope.

Practical implication: define discovery and ownership controls for AI identities before users create ungoverned access paths.

Zero standing privilege and contextual access in AI platforms

Zero standing privilege matters because AI platform access should not rely on persistent, broad entitlements that outlive the task. Contextual access adds another layer by asking what the AI identity is doing, when it is doing it, and whether the current action still matches the approved business purpose. This is especially important when AI agents are part of the workflow, because the governance requirement becomes ongoing scope validation, not just one-time provisioning. The result is a tighter relationship between identity context, session control, and auditability.

Practical implication: align AI platform access with task-scoped entitlements and review the standing privilege baseline.

NHI Mgmt Group analysis

AI platform access has become part of the identity perimeter. This integration shows that enterprise identity security can no longer stop at user authentication or workforce IAM. When Claude Enterprise is brought into the governance model, the security question shifts to who, what, and which agent can use the platform, and under what authority. That is a programme-level change, not a feature update. Practitioners should treat AI platform access as an identity domain with its own policy, review, and attestation requirements.

Shadow AI is best understood as unmanaged NHI behaviour. The article is really about visibility gaps that arise when AI tools and agents are adopted without lifecycle control. Those gaps mirror the same governance failure modes seen in service accounts and API keys: unknown ownership, excessive access, and weak revocation discipline. The difference is speed and scale, because AI usage can proliferate across teams faster than traditional onboarding processes can absorb. Security teams should assume the blind spot will grow unless AI identities are explicitly governed.

Zero standing privilege becomes more relevant when the identity is a platform or agent. Persistent access assumptions work poorly when AI usage is contextual and task-driven. If an organisation allows broad, durable access into Claude Enterprise, it expands blast radius and weakens the meaning of approval. The control objective is to narrow the lifetime and scope of access so that AI activity remains tied to a business purpose, not a permanent entitlement.

Identity governance for AI tools will increasingly converge with NHI governance. The same disciplines that manage service accounts, API tokens, and workloads now apply to AI platform access because all of them represent non-human access paths that must be discovered, classified, and reviewed. That convergence will push IAM teams to stop separating “AI security” from identity governance. Practitioners should expect AI access to be assessed through the same evidence, ownership, and recertification model used for other high-risk non-human identities.

From our research:

• 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to the State of Non-Human Identity Security.
• The same research found that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why AI platform governance is moving from optional to operational.
• For a deeper view of the control gap, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the lifecycle controls that AI identities now pressure in practice.

What this signals

AI governance is now being absorbed into the NHI programme. Teams that still separate AI tools from identity governance will struggle to keep pace with access sprawl, especially as platform usage spreads beyond core technical teams. The practical shift is toward inventory, ownership, and lifecycle control for every AI identity path, not just the named user behind it.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per the State of Non-Human Identity Security, AI platform integrations should be assessed through the same visibility lens. The programme risk is not theoretical adoption but uncontrolled delegation. Security leaders should expect AI access reviews to become a recurring source of governance debt.

Identity blast radius: the total business exposure created when AI platform access, agent behaviour, and inherited roles are governed separately. That exposure widens when teams approve access by project instead of by identity path, so the right response is to unify entitlement evidence across human and non-human actors.

For practitioners

• Classify AI platform identities in the NHI register Add Claude Enterprise users, groups, roles, and any agents to the non-human identity inventory so ownership and review can be assigned consistently.
• Map access paths before broad adoption Document which teams can create, approve, and inherit access to AI platforms, including group membership and role-based escalation paths.
• Apply zero standing privilege to AI usage Remove broad persistent access where possible and replace it with task-scoped permissions that expire when the business purpose ends.
• Extend access reviews to AI platform activity Include AI tools and agents in certification cycles, with evidence for ownership, purpose, and continued need rather than only user entitlement lists.

Key takeaways

• AI platform governance now belongs inside the identity programme, because access to Claude Enterprise can no longer be treated as a separate application concern.
• Shadow AI expands the same NHI problems seen in service accounts and API keys: weak ownership, poor visibility, and delayed revocation.
• Practitioners should align AI access with zero standing privilege, lifecycle control, and reviewable entitlement paths before adoption scales further.

Key terms

• Shadow AI: Shadow AI is the use of AI tools or agents that operate without clear ownership, approval, or oversight from the identity programme. In practice, it creates unmanaged access paths that may read data, call tools, or inherit roles without being visible in normal governance processes.
• AI Platform Identity: An AI platform identity is the set of user, role, and agent entitlements that determine how a platform can be accessed and used. For governance teams, it must be tracked like any other non-human identity because it can create real business access and audit obligations.
• Zero Standing Privilege: Zero standing privilege means access is not left permanently in place when it is not actively needed. For AI platforms and agents, the control matters because broad durable access can outlast the task, expand blast radius, and weaken accountability across sessions and workflows.
• Identity Blast Radius: Identity blast radius is the amount of damage that can result when an identity has more access, scope, or inheritance than it should. In AI contexts, it grows quickly when platform roles, agents, and delegated permissions are not governed as one access path.

Deepen your knowledge

AI platform identity governance and non-human identity lifecycle controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity policy into AI platforms, this is a practical place to build the baseline.

This post draws on content published by SailPoint: SailPoint Announces New Integration with the Claude Compliance API to Provide Enterprise-Grade Identity Security for AI Platforms. Read the original.