TL;DR: AI adoption typically moves from scattered experimentation to piloting, embedding, and then transformation, with the governance gap widening at each stage as AI tools and agents become actors in enterprise workflows, according to ConductorOne. The critical shift is that identity, access, and audit controls must scale with AI behaviour, not after it is already in production.
NHIMG editorial — based on content published by ConductorOne: The Four Stages of AI Adoption, and What Separates the Companies That Get It Right
By the numbers:
- AI systems with least-privileged access had a 17% incident rate vs 76% for over-privileged systems.
- Only 44% of organisations have implemented any policies to manage their AI agents.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern shadow AI in the enterprise?
A: Start with discovery, not enforcement.
Q: Why do AI agents change identity governance requirements?
A: AI agents change the model because they can authenticate, call tools, and execute actions on behalf of people or teams.
Q: What breaks when AI adoption outpaces governance?
A: What breaks first is attribution.
Practitioner guidance
- Inventory shadow AI usage: Discover unsanctioned AI tools, browser extensions, copilots, and connected services so you can map where corporate data already flows outside approved channels.
- Bind approved AI agents to governed identities: Assign each sanctioned agent a distinct identity, explicit permissions, and an auditable owner so delegated actions can be traced back to a business context.
- Enforce runtime policy on AI tool calls: Require policy evaluation at the point of API call or workflow execution, not just at onboarding, so approvals do not expire before the action occurs.
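The three steps above, worked through as one small policy enforcement point. This is an added example, not code from ConductorOne or from the NHIMG editorial: the agent registry, the gateway log lines, the tool and action names and the `example.com` owners are all constructed for illustration. It discovers agents that appear in access logs without a governed identity, binds each sanctioned agent to an owner and an explicit tool:action scope with a review expiry, and evaluates every tool call at the moment it happens, writing an attributable audit record whether the call is allowed or denied.

```python
"""Policy enforcement point for AI agent tool calls (added example).

Models the three practitioner steps: discover unregistered agents from
access logs, bind sanctioned agents to an identity with an owner and an
explicit scope, and evaluate policy at the point of each tool call.
All registry entries, log lines and tool names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                 # accountable human or team
    scopes: frozenset          # allowed "tool:action" pairs
    approved_until: datetime   # when the access review lapses


@dataclass
class ToolCall:
    agent_id: str
    on_behalf_of: str          # human principal delegating the action
    tool: str
    action: str
    at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock

# Step 2: sanctioned agents bound to an owner, a scope and a review expiry
REGISTRY = {
    "agent-finance-copilot": AgentIdentity(
        "agent-finance-copilot", "finance-platform@example.com",
        frozenset({"erp:read_invoice", "erp:draft_payment"}),
        NOW + timedelta(days=30)),
    "agent-hr-summariser": AgentIdentity(
        "agent-hr-summariser", "people-ops@example.com",
        frozenset({"hris:read_profile"}),
        NOW - timedelta(days=1)),      # access review has lapsed
}

# Constructed gateway log lines: timestamp, principal, then key=value fields
ACCESS_LOG = [
    "2025-01-15T11:58:02Z alice agent=agent-finance-copilot tool=erp action=read_invoice",
    "2025-01-15T11:58:40Z bob agent=agent-browser-ext-42 tool=crm action=export_contacts",
    "2025-01-15T11:59:11Z carol agent=agent-hr-summariser tool=hris action=read_profile",
    "2025-01-15T11:59:30Z bob agent=agent-browser-ext-42 tool=crm action=read_account",
]


def discover_unregistered(log_lines, registry):
    """Step 1: inventory. Agent ids seen in the logs that have no governed identity."""
    seen = set()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        seen.add(fields["agent"])
    return sorted(seen - registry.keys())


def evaluate_tool_call(call, registry, audit_log, now=NOW):
    """Step 3: runtime policy. Decide at the point of the call and record attribution."""
    record = {"at": call.at.isoformat(), "agent": call.agent_id,
              "principal": call.on_behalf_of, "tool": call.tool,
              "action": call.action, "owner": None}
    identity = registry.get(call.agent_id)
    if identity is None:
        decision = Decision(False, "unregistered agent", record)
    else:
        record["owner"] = identity.owner
        if now > identity.approved_until:
            # Checked per call, so a lapsed review blocks the action itself
            decision = Decision(False, "access review lapsed", record)
        elif f"{call.tool}:{call.action}" not in identity.scopes:
            decision = Decision(False, "action outside approved scope", record)
        else:
            decision = Decision(True, "allowed by scope", record)
    record["decision"] = "allow" if decision.allowed else "deny"
    record["reason"] = decision.reason
    audit_log.append(record)   # every decision is logged, allow or deny
    return decision


if __name__ == "__main__":
    print("unregistered agents:", discover_unregistered(ACCESS_LOG, REGISTRY))
    log = []
    for agent, who, tool, action in [
        ("agent-finance-copilot", "alice", "erp", "read_invoice"),
        ("agent-finance-copilot", "alice", "erp", "approve_payment"),
        ("agent-hr-summariser", "carol", "hris", "read_profile"),
        ("agent-browser-ext-42", "bob", "crm", "export_contacts"),
    ]:
        d = evaluate_tool_call(ToolCall(agent, who, tool, action, NOW), REGISTRY, log)
        print(f"{agent:24} {tool}:{action:16} -> {'allow' if d.allowed else 'deny'} ({d.reason})")
```

The denial reasons are deliberately distinct: an unregistered agent is a discovery finding to feed back into step 1, a lapsed review is a lifecycle failure for the named owner, and an out-of-scope action is a permissions question. The audit record carries both the agent and the human principal it acted for, which is the attribution the editorial says breaks first when governance lags adoption.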
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- A stage-by-stage breakdown of where AI adoption typically breaks down in real organisations
- Examples of how teams move from informal use to sanctioned pilots without losing visibility
- The vendor's framing of governance, identity, and security foundations for AI scale
- Additional context on how the four-stage model applies to enterprise operating models
Read ConductorOne's analysis of the four stages of AI adoption.
AI adoption stages: what identity teams need to govern now
Explore further
Shadow AI is an identity problem before it is a policy problem. The article correctly shows that the risk starts when employees connect AI tools to real work without visibility, because the enterprise then loses the ability to map who or what accessed data. That is the same structural failure that appears in unmanaged NHI sprawl, only now the tools can also initiate actions. Practitioners should treat discovery as a governance control, not a reporting exercise.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which shows how weak lifecycle controls remain when machine identities are introduced at scale.
A question worth separating out:
Q: How can organisations tell when AI governance is mature enough for scale?
A: Maturity shows up when every AI action is attributable, every agent has a named owner, and access is tied to an explicit scope that can be reviewed. If approvals still depend on manual queues or informal exception handling, the programme is not ready for broad operational scaling.
Read our full editorial: The four stages of AI adoption and the governance gap