TL;DR: Agentic AI is forcing auditors to treat every AI agent as a non-human identity with access, control, and evidence requirements, according to ConductorOne’s discussion with BARR Advisory. The central shift is that traditional audit cadences assume stable identities and reviewable access, while agentic systems can change work, scope, and accountability faster than those controls were built to track.
NHIMG editorial — based on content published by ConductorOne: Here's What Your Auditor Thinks About Agentic AI
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, raising the risk of unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams govern AI agents that act on behalf of users?
A: Security teams should govern AI agents as non-human identities with explicit ownership, scope, and auditability.
Q: Why do agentic AI systems complicate audit and compliance processes?
A: Agentic AI complicates audit and compliance because it can complete actions across systems faster than periodic review cycles can observe.
Q: What do organisations get wrong about AI agent identity risk?
A: The most common mistake is treating an AI agent as a feature instead of a governed identity subject.
Practitioner guidance
- Inventory AI agents as governed identities. Create a register of every AI agent, the human or team accountable for it, the data classes it can reach, the tools it can call, and the workflows it can invoke; an agent that is not in the register should not be able to act.
- Turn acceptable use policy into access boundaries. Map the allowed data types, tools, and workflows to explicit entitlement rules that are enforced at the point an agent acts, and review those rules before the agent enters production rather than after.
- Move audit evidence upstream into process logs. Capture configuration changes, approval events, workflow triggers, entitlement changes, and each allow/deny decision at the point of execution, so the evidence exists without waiting for a periodic review to reconstruct it.
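The three guidance items above describe one control: an agent register, an entitlement check at the point of action, and a decision log that doubles as audit evidence. The Python below is an added illustration of that control, not code from ConductorOne, BARR Advisory, or NHIMG; the agent IDs, owner names, tool names, data classes, and workflow names in the register are constructed for the example, and the hash-chained log and the unused-entitlement review are design choices of this example rather than anything the source prescribes.

```python
# Added example: an AI agent treated as a governed non-human identity.
# Register, entitlement check and audit log are illustrative only; the
# agent IDs, tools, data classes and workflows below are constructed.
from __future__ import annotations
from dataclasses import dataclass, asdict
import hashlib
import json
import time


@dataclass(frozen=True)
class AgentIdentity:
    """One row of the agent register: who is accountable and what it may touch."""
    agent_id: str
    owner: str                  # accountable human or team
    data_classes: frozenset     # data classes it may read or write
    tools: frozenset            # tools/APIs it may call
    workflows: frozenset        # workflows it may trigger


@dataclass(frozen=True)
class ActionRequest:
    """What an agent is about to do, captured before it executes."""
    agent_id: str
    tool: str
    data_class: str
    workflow: str
    on_behalf_of: str | None = None   # delegating user, if any


# Constructed register (hypothetical agent, owner, tools, data classes).
REGISTER = {
    "agent:ticket-triage": AgentIdentity(
        agent_id="agent:ticket-triage",
        owner="team:support-eng",
        data_classes=frozenset({"ticket", "kb-article"}),
        tools=frozenset({"jira.read", "jira.comment", "kb.search"}),
        workflows=frozenset({"wf:triage"}),
    ),
}


class AuditLog:
    """Append-only, hash-chained decision log written at the point of execution."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._prev = "0" * 64

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, entry: dict) -> dict:
        entry = {**entry, "ts": time.time(), "prev": self._prev}
        entry["hash"] = self._digest(entry)   # hash covers ts and prev link
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(req: ActionRequest, register: dict = REGISTER,
              log: AuditLog | None = None) -> tuple[bool, str]:
    """Deny-by-default check of a request against the agent's entitlements."""
    agent = register.get(req.agent_id)
    if agent is None:
        allowed, reason = False, "unregistered agent"
    elif req.tool not in agent.tools:
        allowed, reason = False, f"tool {req.tool} outside entitlement"
    elif req.data_class not in agent.data_classes:
        allowed, reason = False, f"data class {req.data_class} outside entitlement"
    elif req.workflow not in agent.workflows:
        allowed, reason = False, f"workflow {req.workflow} outside entitlement"
    else:
        allowed, reason = True, "within entitlement"
    if log is not None:   # evidence is produced by the decision itself
        log.record({**asdict(req), "owner": agent.owner if agent else None,
                    "allowed": allowed, "reason": reason})
    return allowed, reason


def unused_entitlements(agent: AgentIdentity, log: AuditLog) -> dict[str, set[str]]:
    """Granted but never exercised entitlements: candidates for removal at review."""
    used = {"tools": set(), "data_classes": set(), "workflows": set()}
    for e in log.entries:
        if e["agent_id"] == agent.agent_id and e["allowed"]:
            used["tools"].add(e["tool"])
            used["data_classes"].add(e["data_class"])
            used["workflows"].add(e["workflow"])
    return {"tools": set(agent.tools) - used["tools"],
            "data_classes": set(agent.data_classes) - used["data_classes"],
            "workflows": set(agent.workflows) - used["workflows"]}


if __name__ == "__main__":
    log = AuditLog()
    print(authorize(ActionRequest("agent:ticket-triage", "jira.comment", "ticket", "wf:triage", "alice"), log=log))
    print(authorize(ActionRequest("agent:ticket-triage", "jira.delete", "ticket", "wf:triage"), log=log))
    print(log.verify(), unused_entitlements(REGISTER["agent:ticket-triage"], log))
```

The point of the design is that the same call produces both the access decision and the audit record, so a reviewer can answer "what did this agent do, on whose behalf, and was it in scope" from the log rather than from a periodic access review; the unused-entitlement report turns that log into input for tightening the register.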
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- How BARR Advisory thinks about AI in audit work, including the split between front-stage and backstage use cases.
- The article’s practical guidance on acceptable use policy, stakeholder alignment, and choosing a framework as a governance baseline.
- ConductorOne's discussion of how auditors can use AI for readiness assessments and real-time analysis without losing professional judgment.
- The original interview framing that connects audit process design with AI adoption in cloud-first environments.
👉 Read ConductorOne's discussion of agentic AI, auditing, and identity governance →