TL;DR: Agentic AI is already used by 82% of organisations, while 96% of IT leaders say it is a growing security threat, according to JumpCloud. The central issue is that most security frameworks still assume human-paced decision-making, leaving autonomous actions, auditability, and access scope harder to govern in practice.
NHIMG editorial — based on content published by JumpCloud: agentic AI has become an important part of day-to-day business operations and introduces new governance and access risks
By the numbers:
- 82% of organizations use AI agents to automate tasks, analyze data, and make decisions that previously required human oversight.
- 96% of IT leaders recognize agentic AI as a growing security threat.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope.
Questions worth separating out
Q: What breaks when agentic AI is governed like a normal application account?
A: Security controls break down because agentic systems do not behave like fixed-function applications.
Q: Why do autonomous agents complicate least privilege in IAM programmes?
A: Least privilege is harder because the required access is not always knowable in advance, especially when the agent can branch into multiple tasks.
Q: How can security teams know whether agent governance is actually working?
A: Look for evidence that agent actions are attributable, bounded, and reviewable.
Practitioner guidance
- Treat every agent as a governed identity: Assign a unique identity, ownership, and lifecycle state to each agent so it can be onboarded, reviewed, and decommissioned like any other privileged actor.
- Remove standing access wherever agent tasks are temporary: Scope privileges to the current task or session, and revoke them when the workflow ends or the agent changes purpose.
- Require decision-context logging for every autonomous action: Capture the trigger, selected tool, target system, and policy state for each meaningful agent action so investigations can reconstruct why the behaviour occurred.
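One way to test an agent action log for the three properties named above (attributable, bounded, reviewable) using the identity, task-scoped grant, and decision-context fields from this guidance. This is an added example, not code from JumpCloud or the original editorial; the record layout, field names, finding labels, and sample data are assumptions constructed for illustration.

```python
from datetime import datetime

# Decision-context fields named in the guidance (key names are assumed).
CONTEXT_FIELDS = ("trigger", "tool", "target", "policy_state")

def audit_actions(registry, grants, actions):
    """Return {action_id: [findings]} for actions that fail a governance check."""
    report = {}
    for a in actions:
        findings = []
        agent = registry.get(a.get("agent_id"))
        # Attributable: a registered, owned, active identity performed the action.
        if agent is None or not agent.get("owner"):
            findings.append("unattributable")
        elif agent.get("state") != "active":
            findings.append("inactive-identity")
        # Reviewable: every decision-context field is present and non-empty.
        missing = [f for f in CONTEXT_FIELDS if not a.get(f)]
        if missing:
            findings.append("missing-context:" + ",".join(missing))
        # Bounded: the action sits inside a live, task-scoped grant for this agent.
        g = grants.get(a.get("session_id"))
        if g is None or g["agent_id"] != a.get("agent_id"):
            findings.append("no-grant")
        else:
            start, end = map(datetime.fromisoformat, (g["start"], g["end"]))
            if not start <= datetime.fromisoformat(a["time"]) < end:
                findings.append("outside-grant-window")
            if (a.get("tool"), a.get("target")) not in g["scope"]:
                findings.append("out-of-scope")
        if findings:
            report[a["id"]] = findings
    return report

# Constructed sample data (hypothetical agents, sessions and systems).
REGISTRY = {
    "agent-invoice-01": {"owner": "finance-ops", "state": "active"},
    "agent-old-02": {"owner": "it-helpdesk", "state": "decommissioned"},
}
GRANTS = {"s-100": {"agent_id": "agent-invoice-01", "start": "2025-01-10T09:00:00",
                    "end": "2025-01-10T09:30:00", "scope": {("read", "erp/invoices")}}}
KEYS = ("id", "agent_id", "session_id", "time") + CONTEXT_FIELDS
ACTIONS = [dict(zip(KEYS, row)) for row in [
    ("a1", "agent-invoice-01", "s-100", "2025-01-10T09:05:00", "ticket-4411", "read", "erp/invoices", "allow"),
    ("a2", "agent-invoice-01", "s-100", "2025-01-10T09:12:00", "chained-from:a1", "write", "erp/vendors", "allow"),
    ("a3", "agent-invoice-01", "s-100", "2025-01-10T09:45:00", "", "read", "erp/invoices", None),
    ("a4", "agent-old-02", "s-200", "2025-01-10T10:00:00", "cron", "read", "hr/records", "allow"),
]]

if __name__ == "__main__":
    for action_id, findings in audit_actions(REGISTRY, GRANTS, ACTIONS).items():
        print(action_id, findings)
```

An empty report for a period means every logged action was tied to an owned, active identity, stayed inside its session grant, and carried enough context to reconstruct why it happened.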
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- How the vendor recommends assigning unique identities to agents across onboarding, role updates, and decommissioning
- The full set of access scoping examples for time-bound and role-based agent permissions
- Operational guidance on building continuous monitoring and policy alerts for agent behaviour
- The article's plain-language explanation of how shared responsibility should work between security and business teams
Explore further
Agentic AI governance exposes an assumption collapse, not just a control gap. Most IAM programmes assume privilege can be defined before execution because the identity's intent is stable enough to model. That assumption fails when an autonomous system can decide, retime, and chain actions during the session. The implication is that access governance must be built around runtime behaviour, not provisioning-time predictions.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent causes a compliance or data exposure issue?
A: Accountability should sit with the business owner that deployed the agent, not only the security team. Security sets policy and technical guardrails, but the deployer is responsible for the agent's behaviour and business impact. Without that split, ownership becomes fragmented and remediation slows down.