Notifications
Clear all
Topic starter
07/06/2026 8:10 pm
TL;DR: 83% of enterprises already use AI in daily operations, but only 13% have strong visibility into how it is being used, leaving governance, data security, and regulatory control behind as agents start calling tools and APIs independently, according to Cyera. The core issue is that traditional review cycles assume stable, human-paced access, while agentic systems move faster than existing guardrails can observe or certify.
NHIMG editorial — based on content published by Cyera: AI Governance for the Agentic Era
Questions worth separating out
Q: How should security teams govern agentic AI systems in production?
A: Security teams should govern agentic AI systems as runtime identities with data access, tool access, and change authority.
Q: Why do agentic AI systems create more risk than chatbots?
A: Agentic AI systems create more risk because they can execute multi-step tasks, call tools, and write data without waiting for a new human prompt.
Q: What breaks when AI governance is only a one-time review?
A: A one-time review breaks as soon as the agent gains a new tool, a new dataset, or a new workflow.
Practitioner guidance
- Inventory every agent and shadow AI workflow Build a complete register of approved and unapproved agentic systems, including the tools, APIs, and datasets each one can reach.
- Scope agent access to task-specific boundaries Limit each agent to the minimum write, read, and execution rights needed for its current workflow.
- Move AI governance into the delivery pipeline Apply classification, lineage, and retention checks where data is created and consumed, not after deployment.
What's in the full article
Cyera's full blog post covers the operational detail this post intentionally leaves for the source:
- The article lays out a 90-day phased rollout for discovery, design, enforcement, and improvement across AI systems.
- It also breaks down the governance committee model, including which teams own policy, evidence, and control operation.
- Readers will find specific examples of runtime guardrails such as prompt filters, logging, approval flows, and release gates.
- The post maps its recommended controls to NIST AI RMF, ISO/IEC 42001, and the EU AI Act for teams building a formal programme.
👉 Read Cyera's analysis of AI governance for the agentic era →
Agentic AI governance and the visibility gap teams are missing?
Explore further
07/06/2026 9:58 pm
AI governance has already become an identity problem, not just a model problem. The article's own numbers show the gap: adoption is common, while visibility is weak. That combination means organisations are granting machine-driven systems operational reach faster than they are building control over who or what is acting. The implication is that AI programmes now need identity governance discipline, not only policy language.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- In the same study, 72% of organisations said they have experienced or suspect they have experienced an NHI breach, with 46% confirming one outright.
A question worth separating out:
Q: Who is accountable when an autonomous AI agent causes a data or process incident?
A: Accountability should sit with the business owner, system owner, and control owner together, because agentic systems cross application, data, and security boundaries. Frameworks such as NIST AI RMF and zero trust help assign responsibility, but the organisation still needs named ownership for every agent and every connected action path.
👉 Read our full editorial: AI governance for agentic systems exposes the visibility gap
