TL;DR: As organizations deploy AI agents, the core security choice is whether to start with data loss prevention or access control, according to WorkOS. Data protection can detect exfiltration, but secure agentic systems still depend on authentication, authorization, and auditable identity boundaries before data ever moves.
NHIMG editorial — based on content published by WorkOS: Nightfall AI vs WorkOS, comparing data protection and access control for agentic security
By the numbers:
- Nightfall claims 95% detection precision and a 90% reduction in false positives compared with traditional DLP solutions.
- Nightfall says its autonomous remediation handles 80% of security incidents without human intervention.
Questions worth separating out
Q: How should security teams govern AI agents that access internal systems?
A: Start with authentication, authorization, tenant isolation, and audit logging before adding data loss prevention.
Q: Why do AI agents make traditional DLP less effective as a primary control?
A: Traditional DLP is reactive because it monitors data after an access decision has already happened.
Q: What breaks when agent permissions are too broad?
A: Broad permissions let an AI agent move from legitimate authentication to unintended data reach, especially in multi-tenant or delegated environments.
Practitioner guidance
- Define the identity boundary before the DLP layer: Map which human users, service accounts, and AI agents can authenticate to each internal system, then enforce resource-level permissions before monitoring outbound prompts or files.
- Scope AI agents to tenant-specific permissions: Assign each agent to a single organizational context and verify that its access tokens, session context, and downstream permissions cannot cross tenant boundaries.
- Require auditable delegated identity for every agent action: Log which user or service identity the agent acted for, what resource it touched, and which policy allowed the action.
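The three guidance points above combined into one deny-by-default check, added here as an illustration (not code from WorkOS or Nightfall). The token fields, policy names and scope strings are constructed assumptions, not any product's API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentToken:            # hypothetical claims carried by an agent's access token
    agent_id: str
    acting_for: str          # user or service identity that delegated to the agent
    tenant: str              # the single organizational context the agent is bound to
    scopes: frozenset

@dataclass(frozen=True)
class Resource:
    tenant: str
    kind: str                # e.g. "ticket", "payment"
    ident: str

# Constructed sample policies: name -> (resource kind, action, required scope)
POLICIES = {
    "support-read-tickets": ("ticket", "read", "tickets:read"),
    "billing-read-payments": ("payment", "read", "payments:read"),
}

AUDIT_LOG = []               # stand-in for an append-only audit sink

def authorize(token, resource, action):
    """Decide before any data moves; every decision, allow or deny, is logged."""
    decision, policy = "deny", None
    if token.tenant != resource.tenant:
        # Tenant boundary is checked first, so no scope can cross it.
        reason = "tenant_mismatch"
    else:
        reason = "no_matching_policy"
        for name, (kind, act, scope) in POLICIES.items():
            if kind == resource.kind and act == action and scope in token.scopes:
                decision, policy, reason = "allow", name, "policy_match"
                break
    record = {
        "agent": token.agent_id,
        "acting_for": token.acting_for,   # delegated identity
        "tenant": token.tenant,
        "resource": f"{resource.tenant}/{resource.kind}/{resource.ident}",
        "action": action,
        "decision": decision,
        "policy": policy,                 # which policy allowed it, None on deny
        "reason": reason,
    }
    AUDIT_LOG.append(record)
    return decision == "allow", record
```

Denials are logged with the same fields as allows, so an agent repeatedly probing outside its tenant or scope shows up in the audit trail rather than only in outbound DLP alerts.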
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Implementation guidance for enterprise SSO, MFA, and directory sync in application architectures.
- Fine-grained authorization examples for human users and AI agents across customer records, tickets, and payment data.
- Multi-tenant access control patterns for isolating organisational boundaries in agentic workflows.
- Product-level audit and compliance detail for authentication events and delegated actions.
Agentic security vs DLP: what IAM teams need to prioritise?
Explore further
Access control is the real foundation of agentic security: DLP can detect sensitive data leaving an environment, but it cannot decide whether an AI agent should have reached that data at all. The governance failure is assuming that outbound monitoring can compensate for weak inbound identity control. Practitioners should treat authentication and authorization as the first security boundary for AI systems.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Should organisations prioritise access control or DLP for agentic systems?
A: Prioritise access control first because it determines what an AI agent can reach, change, or disclose. DLP still matters, but it works best as a later detection layer that reduces exposure from misuse and leakage. Without identity and authorization controls, the organisation is monitoring the wrong part of the chain.