TL;DR: As AI agents gain the ability to interact with applications, access enterprise data, and execute workflows, the gap between governance and security becomes visible, according to Zenity. Policies can approve use, but they cannot explain behaviour, detect drift, or stop risky actions in real time.
NHIMG editorial — based on content published by Zenity: Governance and Security Are Different Problems, Agentic AI Is Exposing the Gap Between Them
Questions worth separating out
Q: How should security teams govern agentic AI without confusing governance with security?
A: Security teams should keep governance and runtime control separate.
Q: Why do AI agents create problems for traditional identity and access management?
A: AI agents create problems because traditional IAM assumes a relatively stable actor that receives access and then uses it within predictable boundaries.
Q: What breaks when organisations rely on AI governance alone?
A: What breaks is the assumption that policy approval proves safe operation.
Practitioner guidance
- Define runtime behavioural boundaries: Specify which actions an agent may initiate, which systems it may touch, and which sequences must be blocked even if access is otherwise approved.
- Separate approval from enforcement: Keep governance approval, ownership, and acceptable-use policy in one track, but add separate enforcement controls that can observe and stop risky agent activity while a session is active.
- Instrument agent activity for investigation: Log the systems, data, and workflow steps an agent touches so security teams can investigate changes in behaviour instead of relying on static approvals as evidence of safety.
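The three points above can be combined in one runtime check. The sketch below is an added example, not code from Zenity or from this editorial: it keeps the approval table separate from a blocked-sequence rule evaluated per session, and writes an audit record for every decision. The agent name, systems, actions and the blocked sequence are all constructed for illustration.

```python
import json
import time
from dataclasses import dataclass, field

# Governance track (constructed sample): what each agent was approved to do.
APPROVED = {"invoice-agent": {"crm": {"read"}, "erp": {"read", "write"},
                              "email": {"send"}}}

# Security track (constructed sample): ordered steps that must not complete
# within one session, even though every step is individually approved.
BLOCKED_SEQUENCES = [(("crm", "read"), ("email", "send"))]

@dataclass
class Session:
    agent: str
    history: list = field(default_factory=list)  # allowed (system, action) steps
    audit: list = field(default_factory=list)    # JSON lines for investigation

def completes_blocked(history, step):
    """True if `step` would finish a blocked sequence, with the earlier
    steps already present in order (not necessarily adjacent) in the session."""
    for seq in BLOCKED_SEQUENCES:
        if seq[-1] != step:
            continue
        it = iter(history)  # shared iterator enforces ordering
        if all(any(h == want for h in it) for want in seq[:-1]):
            return True
    return False

def authorize(session, system, action, resource):
    """Decide one agent action at runtime and log the decision either way."""
    step = (system, action)
    if action not in APPROVED.get(session.agent, {}).get(system, set()):
        decision, reason = "deny", "not_approved"
    elif completes_blocked(session.history, step):
        decision, reason = "deny", "blocked_sequence"
    else:
        decision, reason = "allow", "ok"
        session.history.append(step)
    session.audit.append(json.dumps({
        "ts": time.time(), "agent": session.agent, "system": system,
        "action": action, "resource": resource,
        "decision": decision, "reason": reason}))
    return decision, reason
```

Denied steps are logged but not added to the session history, so the audit trail shows attempted behaviour while the sequence rule only reasons over actions that actually ran.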
What's in the full article
Zenity's full post covers the operational detail this post intentionally leaves for the source:
- How Zenity distinguishes governance questions from security questions in agentic AI environments
- The article's side-by-side comparison of approved AI systems versus observed agent behaviour
- The vendor's framing of why runtime visibility matters once agents interact with multiple enterprise systems
- The closing commentary on how organisations should think about governance and security together
Agentic AI security and governance: what gap are teams missing?
Explore further
Governance and security are different identity problems once an AI system can act. Governance answers who approved the agent, what policy applies, and who owns accountability. Security answers what the agent is doing at runtime, what it is reaching, and whether its behaviour is drifting beyond intent. That distinction becomes decisive when an AI system can execute workflows rather than merely generate outputs. Practitioners should treat approval as a starting condition, not evidence of safe behaviour.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
A question worth separating out:
Q: How do teams measure whether agentic AI controls are actually working?
A: Teams should measure whether they can see agent actions, detect behaviour changes, and stop unsafe workflows before they complete. If the programme only reports approved systems and documented policies, it is measuring governance maturity, not security effectiveness. Effective control produces runtime evidence, not just policy compliance.