Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic security posture management: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: AI agents are already being adopted by 79% of organisations, while 96% of technology professionals see them as a growing risk and 98% plan to expand use within 12 months, according to CYATA’s analysis. The security issue is not model safety alone, but the absence of identity, runtime governance, and tool-chain control for actors that decide and act autonomously.

NHIMG editorial — based on content published by CYATA: Agents Are Acting. Security Isn’t Watching

By the numbers:

Questions worth separating out

Q: What breaks when AI agents are governed like normal applications?

A: Normal application governance assumes the system follows a predictable path and that access can be described ahead of time.

Q: Why do AI agents complicate IAM and access governance?

A: AI agents complicate IAM because static roles and one-time provisioning do not describe dynamic runtime behaviour.

Q: How do security teams know whether agent governance is working?

A: They should look for durable identity records, approved capability scopes, complete tool-chain logs, and execution-time policy decisions.

Practitioner guidance

  • Inventory every agent instance and its originating context Track where each agent was spawned, which user, service, or system initiated it, and what systems it can reach.
  • Separate model safety from runtime authorisation Keep prompt-injection and training-data controls, but add execution-time checks that can allow, challenge, or block agent actions before the tool call completes.
  • Define agent capability boundaries in identity terms Document provenance, approved tools, data classes, and maximum action scope for each agent.

What's in the full article

CYATA's full analysis covers the operational detail this post intentionally leaves for the source:

  • The article’s product framing for discovering and attributing shadow agents across an environment.
  • The vendor’s description of runtime policy enforcement for allow, challenge, and block decisions.
  • The compliance-oriented explanation of decision trails, audit evidence, and reporting expectations.
  • The business-case language aimed at CISOs, identity leaders, and AI teams evaluating agent governance.

👉 Read CYATA’s analysis of agentic security posture management for autonomous AI →

Agentic security posture management: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Agentic security posture management is becoming necessary because existing posture disciplines stop at the model boundary. CSPM, DSPM, and AISPM each solved a different part of the enterprise risk stack, but none of them were built to govern an actor that independently selects actions and tools at runtime. That is the structural gap this category is trying to close. For practitioners, the lesson is that model safety and agent safety are not the same control problem.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when an AI agent takes an unauthorised action?

A: Accountability sits with the organisation that delegated the access and failed to constrain it, not with the model as a standalone artefact. The practical test is whether the business can explain the actor’s provenance, permissions, and decision trail well enough to revoke access, investigate impact, and support audit evidence.

👉 Read our full editorial: Why agentic security posture management is emerging now



   
ReplyQuote
Share: