TL;DR: Business process automation is moving toward systems that can reason, adapt, and act with greater autonomy across disconnected applications as teams push for efficiency and visibility in 2026, according to Opnova. The real governance change is that application identity and access controls now have to assume more dynamic machine behaviour than traditional workflow automation was built for.
NHIMG editorial — based on content published by Opnova: Closing the Year With Gratitude and Looking Ahead
Questions worth separating out
Q: How should security teams govern agentic AI in disconnected applications?
A: Security teams should govern agentic AI by separating deterministic automation from systems that can choose actions at runtime, then tying entitlement review to the applications they actually touch.
Q: Why do disconnected applications create more risk when automation becomes agentic?
A: Disconnected applications create more risk because identity state is already fragmented, which makes provisioning and revocation harder to keep consistent.
Q: When does least privilege stop being reliable for autonomous systems?
A: Least privilege becomes less reliable when the system can adapt its execution path at runtime.
Practitioner guidance
- Inventory automation that is becoming agentic Separate rule-based workflows from systems that can choose actions at runtime, then document where human approval still exists and where it does not.
- Trace identity governance across disconnected applications Map where provisioning, recertification, and revocation depend on manual reconciliation between applications.
- Reassess least-privilege assumptions for adaptive systems Review whether current entitlements still make sense once a system can alter its own execution path, call additional tools, or chain tasks differently from the original design intent.
What's in the full article
Opnova's full blog covers the operational detail this post intentionally leaves for the source:
- The vendor’s specific view of how agentic AI is changing business process automation in 2026.
- Implementation framing for teams trying to automate disconnected applications faster.
- The company’s examples of cross-team collaboration and process transformation.
- The closing message about how Opnova positions its work with customer teams.
👉 Read Opnova's year-end blog on agentic AI and application governance →
Agentic AI and application governance: what changes for IAM teams?
Explore further
Agentic AI turns application governance into a runtime identity problem. Once systems can reason, adapt, and act with more autonomy, the old assumption that automation is fully predictable no longer holds. That changes how practitioners think about approval, entitlement scope, and oversight across disconnected applications. The conclusion is simple: governance has to follow behaviour, not just configuration.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why disconnected application governance so often starts with blind spots rather than policy gaps.
A question worth separating out:
Q: What should IAM teams do before adopting agentic AI workflows?
A: IAM teams should first identify which workflows remain script-driven and which ones can now reason and act with less direct oversight. Then they should check whether access, review, and offboarding processes can still operate cleanly across each application boundary. If they cannot, the governance model is not ready for the shift.
👉 Read our full editorial: Agentic AI shifts application governance from task automation