Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic identity governance: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: As AI agents move from recommendations to action, identity governance has to account for software that can plan, call tools, and complete workflows end to end, according to Lumos. The old model of manual access review cannot keep pace with autonomous decision loops, especially when human, machine, and agent identities now overlap.

NHIMG editorial — based on content published by Lumos: Executive Viewpoint, When Software Grows Hands

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can act on their own?

A: Treat AI agents as a separate identity class with bounded tool access, explicit purpose scoping, and auditable execution.

Q: Why do access reviews struggle with agentic identity?

A: Access reviews assume privilege persists long enough to be observed and certified.

Q: What breaks when RBAC is used for AI agents without extra controls?

A: RBAC breaks when it is asked to describe highly variable tool use with static roles.

Practitioner guidance

  • Define an agent identity classification policy Create a policy that separates human users, service accounts, and AI agents in your IAM and IGA models so reviews, approvals, and monitoring match the actor type.
  • Map runtime permissions to specific tool and data scopes Inventory every tool, API, and dataset an agent can reach, then tie each one to a bounded purpose, approval rule, and logging requirement.
  • Rework access reviews for short-lived execution Test whether your certification process can still detect risk when access is acquired and consumed within one session, then adjust evidence collection accordingly.

What's in the full article

Lumos's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames Albus as an identity agent and where it fits in the access workflow
  • The product narrative around autonomous software, including the examples used to explain agentic decision-making
  • Lumos's view of how RBAC, lifecycle management, and access governance should evolve in an AI-native identity model
  • The customer examples and implementation anecdotes the vendor uses to illustrate workflow scale and role design

👉 Read Lumos's view of agentic identity governance and access control →

Agentic identity governance: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Agentic identity governance is becoming a distinct discipline, not a rebrand of IAM. Traditional IAM assumes the subject is either a person or a non-autonomous service principal with a relatively stable access pattern. AI agents break that assumption because the actor can evaluate context and complete actions at runtime, which moves the control problem from static entitlement assignment to governed execution. Practitioners should stop treating agents as simply another workload and start treating them as a separate governance class.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, leaving a large portion of delegated access outside direct oversight.

A question worth separating out:

Q: Who is accountable when an AI agent takes a risky action?

A: Accountability should sit with the team that defined the agent's policy, scope, and approval boundaries, not with the agent itself. If the agent can execute without a human gate, then the organisation must be able to show who authorised the capability, what constraints were set, and how the outcome was recorded.

👉 Read our full editorial: Agentic identity governance is reshaping enterprise access control



   
ReplyQuote
Share: