TL;DR: 91% of U.S. data, privacy, and AI decision-makers say their organisations are developing or rolling out agentic AI, but only 48% are establishing formal AI governance policies and frameworks, according to Collibra. That mismatch shows adoption is outrunning governance, leaving identity, accountability, and control design exposed.
NHIMG editorial — based on content published by Collibra: Collibra Identified that Fewer Than 50% of Tech Decision-Makers Are Establishing AI Governance Policies, Which is Concerning
By the numbers:
- 91% of technology leaders said that their organization is developing or rolling out agentic AI.
- 52% of tech decision-makers are conducting regular AI risk assessments and audits.
Questions worth separating out
Q: How should security teams govern agentic AI before it reaches production scale?
A: Start by assigning each agent a clear owner, a defined purpose, and a review cadence.
Q: Why do static credentials create more risk for agentic AI systems?
A: Static credentials extend the life of access beyond the moment it is needed, which increases the blast radius if the agent misbehaves or the credential is exposed.
Q: What do organisations get wrong about AI governance policies?
A: They often treat AI governance as a model-risk or data-governance exercise and leave the identity controls underneath it unaddressed.
Practitioner guidance
- Classify agentic systems as governed identities: Inventory every AI system that can decide, select tools, or execute actions without human approval, and assign an owner, purpose, and review cadence to each one.
- Replace standing access with task-scoped controls: Limit agent permissions to the smallest viable set for the shortest viable duration, and avoid reusing the same token or credential across unrelated workflows.
- Tie governance to audit evidence: Require logs that show what the agent accessed, what action it took, and who approved its operating boundary before the next review cycle.
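The three guidance points above can be checked mechanically against an agent inventory. The following is an added example, not code from Collibra or the original post; the inventory schema, the one-hour TTL ceiling, the audit field names, and the sample agents are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=1)  # assumed ceiling for a task-scoped credential
AUDIT_FIELDS = {"resource", "action", "boundary_approver"}  # hypothetical log schema

def audit_inventory(agents, now):
    """Return {agent name: [findings]} covering the three guidance points."""
    findings = defaultdict(list)
    workflows_by_cred = defaultdict(set)
    for a in agents:
        name = a["name"]
        # 1. Governed identity: owner, purpose and review cadence must exist.
        for field in ("owner", "purpose", "review_days"):
            if not a.get(field):
                findings[name].append(f"missing {field}")
        if a.get("review_days") and now - a["last_review"] > timedelta(days=a["review_days"]):
            findings[name].append("review overdue")
        # 2. Task-scoped access: no standing or long-lived credentials.
        for cred in a["credentials"]:
            if cred["ttl"] is None:
                findings[name].append(f"{cred['id']}: static credential")
            elif cred["ttl"] > MAX_TTL:
                findings[name].append(f"{cred['id']}: ttl exceeds {MAX_TTL}")
            workflows_by_cred[cred["id"]].add((name, cred["workflow"]))
        # 3. Audit evidence: logs must record access, action and approver.
        missing = AUDIT_FIELDS - set(a["audit_fields"])
        if missing:
            findings[name].append("audit log lacks " + ", ".join(sorted(missing)))
    # The same credential appearing in more than one workflow means reuse.
    for cred_id, uses in workflows_by_cred.items():
        if len({wf for _, wf in uses}) > 1:
            for name in sorted({n for n, _ in uses}):
                findings[name].append(f"{cred_id}: reused across workflows")
    return dict(findings)

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE = [  # constructed inventory, not real data
    {"name": "invoice-agent", "owner": "finance-ops", "purpose": "match invoices",
     "review_days": 90, "last_review": NOW - timedelta(days=30),
     "credentials": [{"id": "tok-a", "workflow": "invoices", "ttl": timedelta(minutes=15)}],
     "audit_fields": ["resource", "action", "boundary_approver"]},
    {"name": "triage-agent", "owner": None, "purpose": "route tickets",
     "review_days": 30, "last_review": NOW - timedelta(days=45),
     "credentials": [{"id": "tok-b", "workflow": "tickets", "ttl": None},
                     {"id": "tok-b", "workflow": "billing", "ttl": None}],
     "audit_fields": ["resource", "action"]},
]

if __name__ == "__main__":
    for agent, issues in audit_inventory(SAMPLE, NOW).items():
        print(agent, issues)
```

Agents with no findings are omitted from the result, so an empty dictionary means the inventory passes all three checks.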
What's in the full report
Collibra's full report covers the operational survey detail this post intentionally leaves for the source:
- Breakouts by implementation stage, including how many organisations are only in planning versus already building agentic AI internally.
- Survey methodology and sample details from the Harris Poll, useful if you need to assess the strength of the findings.
- Additional governance, bias, and transparency findings that help benchmark your own AI programme maturity.
- The full set of decision-maker confidence scores for ROI, innovation, and governance across agentic AI initiatives.