Notifications
Clear all
Topic starter
07/06/2026 8:09 pm
TL;DR: AI agents are shifting knowledge work from human execution to machine-paced delegation, and ConductorOne argues that identity now has to operate as core infrastructure with controlled inputs, observable outputs, and accountable actions. Access review models built for stable human access windows no longer match continuously acting agents.
NHIMG editorial — based on content published by ConductorOne: Defining the Agentic Enterprise
Questions worth separating out
Q: How should security teams govern AI agents that act on behalf of employees?
A: Security teams should give each AI agent a distinct identity, narrowly scoped permissions, and a complete audit trail.
Q: Why do traditional access reviews struggle with agentic systems?
A: Traditional access reviews assume access persists long enough to be observed, certified, and removed on a schedule.
Q: What should organisations measure to know if agent governance is working?
A: They should measure whether every agent action is attributable, whether permissions stay task-scoped, and whether approvals still block sensitive actions.
Practitioner guidance
- Define distinct identities for each agent Assign separate identities, scoped entitlements, and audit trails to each AI agent rather than sharing credentials across workflows or teams.
- Constrain agent inputs and tool access Limit the data, systems, and tools each agent can reach to the smallest set needed for the task.
- Make every agent action observable Capture tool calls, approvals, outputs, and exceptions in logs that investigators and approvers can actually reconstruct.
What's in the full article
ConductorOne's full blog post covers the operational detail this post intentionally leaves for the source:
- The article's full framing of how human managers should supervise fleets of agents across engineering, security, finance, support, and operations.
- The specific examples behind the three governance requirements of controlled inputs, observable outputs, and constrained accountable actions.
- The source author's explanation of why identity becomes the control plane in an agentic enterprise.
- The closing view on how enterprises can scale work without linear headcount growth when governance is built in.
👉 Read ConductorOne's post on defining the agentic enterprise →
Agentic enterprise identity: are your controls keeping up?
Explore further
07/06/2026 9:56 pm
Identity is becoming the control plane because human-centred governance no longer matches agentic execution. The article is right to frame this as a shift in operating model, not just a technology trend. When agents become the primary execution layer, identity has to govern initiation, delegation, and traceability at machine speed. The practitioner conclusion is that identity architecture now sits at the centre of AI operating risk.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how limited identity observability remains in practice.
A question worth separating out:
Q: Should organisations treat AI agents like human users in IAM?
A: No. Human IAM assumes a person logs in, works within a session, and can be reviewed later as a stable identity holder. Agents can act at machine speed, across multiple systems, and with changing runtime context, so they need identity governance built around execution and delegation rather than human authentication patterns.
👉 Read our full editorial: Agentic enterprise identity is becoming the control plane
