
Agentic AI governance policies: what decision-makers are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter

TL;DR: 91% of U.S. data, privacy, and AI decision-makers say their organisations are developing or rolling out agentic AI, but only 48% are establishing formal AI governance policies and frameworks, according to Collibra. That mismatch shows adoption is outrunning governance, leaving identity, accountability, and control design exposed.

NHIMG editorial — based on content published by Collibra: Collibra Identified that Fewer Than 50% of Tech Decision-Makers Are Establishing AI Governance Policies, Which is Concerning

By the numbers:

Questions worth separating out

Q: How should security teams govern agentic AI before it reaches production scale?

A: Start by assigning each agent a clear owner, a defined purpose, and a review cadence.

Q: Why do static credentials create more risk for agentic AI systems?

A: Static credentials extend the life of access beyond the moment it is needed, which increases the blast radius if the agent misbehaves or the credential is exposed.

Q: What do organisations get wrong about AI governance policies?

A: They often treat AI governance as a model-risk or data-governance exercise and leave identity controls underneath it.

Practitioner guidance

  • Classify agentic systems as governed identities. Inventory every AI system that can decide, select tools, or execute actions without human approval, and assign an owner, purpose, and review cadence to each one.
  • Replace standing access with task-scoped controls. Limit agent permissions to the smallest viable set for the shortest viable duration, and avoid reusing the same token or credential across unrelated workflows.
  • Tie governance to audit evidence. Require logs that show what the agent accessed, what action it took, and who approved its operating boundary before the next review cycle.

What's in the full report

Collibra's full report covers the operational survey detail this post intentionally leaves for the source:

  • Breakouts by implementation stage, including how many organisations are only in planning versus already building agentic AI internally.
  • Survey methodology and sample details from the Harris Poll, useful if you need to assess the strength of the findings.
  • Additional governance, bias, and transparency findings that help benchmark your own AI programme maturity.
  • The full set of decision-maker confidence scores for ROI, innovation, and governance across agentic AI initiatives.

👉 Read Collibra's survey on agentic AI governance, adoption, and policy gaps →
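One way to turn the three practitioner controls in this post into working code, as an added example that is not from the post, NHIMG, or Collibra: an agent record carries owner, purpose and review cadence; grants are bound to one workflow, a fixed scope set and a short TTL; every grant and decision lands in an audit log. Agent names, scopes and workflow ids are constructed.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class AgentIdentity:
    """Governance record: every agent has an owner, a purpose and a review cadence."""
    agent_id: str
    owner: str
    purpose: str
    review_days: int

@dataclass(frozen=True)
class Grant:
    """A task-scoped grant: bound to one workflow, a fixed scope set and a short TTL."""
    token: str
    agent_id: str
    workflow_id: str
    scopes: frozenset
    expires_at: float   # epoch seconds
    approved_by: str

AUDIT_LOG = []  # evidence: what was granted/accessed, what action, who approved the boundary

def issue_grant(agent, workflow_id, scopes, approved_by, ttl_seconds=900, now=None):
    """Mint a short-lived, single-workflow grant and record who approved it."""
    now = time.time() if now is None else now
    grant = Grant(secrets.token_urlsafe(24), agent.agent_id, workflow_id,
                  frozenset(scopes), now + ttl_seconds, approved_by)
    AUDIT_LOG.append({"event": "grant", "agent": agent.agent_id, "owner": agent.owner,
                      "workflow": workflow_id, "scopes": sorted(scopes),
                      "approved_by": approved_by, "expires_at": grant.expires_at})
    return grant

def authorize(grant, workflow_id, action, now=None):
    """Decide one action; expiry, reuse across workflows and out-of-scope actions all fail."""
    now = time.time() if now is None else now
    if now >= grant.expires_at:
        reason = "expired"
    elif workflow_id != grant.workflow_id:
        reason = "wrong workflow"   # the same credential must not serve an unrelated workflow
    elif action not in grant.scopes:
        reason = "out of scope"
    else:
        reason = "ok"
    AUDIT_LOG.append({"event": "action", "agent": grant.agent_id, "workflow": workflow_id,
                      "action": action, "allowed": reason == "ok", "reason": reason})
    return reason == "ok", reason

# Constructed sample (hypothetical names): an invoice-triage agent reviewed every 90 days.
TRIAGE_AGENT = AgentIdentity("agent-invoice-triage", "ap-team-lead", "route supplier invoices", 90)
```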

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Agentic AI governance is now an identity problem, not just an AI policy problem. When software can initiate action, select tools, and execute decisions at runtime, the governance question shifts from model quality to delegated authority. That changes the control surface for IAM, IGA, and PAM teams because the subject is no longer a passive workload but an actor with operational discretion. The implication is that agentic AI must be governed as a non-human identity class with explicit accountability.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.

A question worth separating out:

Q: Who should own agentic AI access decisions in an enterprise?

A: Ownership should sit with the business and security functions that understand the workflow, with identity teams enforcing policy and evidence. No single team can safely manage agentic AI in isolation because the risk spans access, data, operations, and accountability. The ownership model must be explicit before broad rollout.

👉 Read our full editorial: Agentic AI governance gaps persist as adoption outpaces policy
