AI agent customisation: why plug-and-play governance breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Off-the-shelf AI agents fail because business workflows, data, and approval patterns vary by organisation, so generic automation quickly collides with exception handling, grounding gaps, and misaligned expectations, according to Opnova. The governance lesson is that agentic AI must be treated as a bespoke identity and workflow integration problem, not a digital employee shortcut.

NHIMG editorial — based on content published by Opnova: The Fallacy of the Off-the-Shelf AI Agent: Why Your Next Digital Employee Needs More Than a Name

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).

Questions worth separating out

Q: How should security teams govern AI agents that need organisation-specific workflows?

A: Security teams should govern AI agents as workflow-bound machine identities, not reusable digital employees.

Q: Why do generic AI agents create more governance risk in some processes than others?

A: Generic AI agents create more governance risk when a process contains many exceptions, local rules, or hidden approval steps.

Q: What do teams get wrong about off-the-shelf AI agents?

A: Teams often assume that a capable model can be reused safely across different businesses with minimal adjustment.

Practitioner guidance

  • Map workflow variance before deployment: Document approval thresholds, exception cases, and system-specific branches for each process the agent will touch.
  • Ground agent access in explicit business context: Limit the agent to the exact data sources, policies, and terminology it needs for one business function.
  • Treat naming and persona design as governance inputs: Avoid human-like naming that encourages teams to grant vague authority or assume human judgment.

What's in the full article

Opnova's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanation of the modelling, grounding, and fine-tuning cycle for AI agents in enterprise workflows
  • Concrete examples of workflow exceptions that make generic agents fail in finance, support, and operations
  • How the article frames customisation as a prerequisite for business integration rather than a nice-to-have
  • The vendor's own language on how its approach fits disconnected applications and identity governance

👉 Read Opnova's analysis of why off-the-shelf AI agents fail in enterprise workflows →




   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Off-the-shelf AI agents create identity debt when organisations confuse portability with governability. The article shows that identical labels do not mean identical operating conditions, because each business process carries its own rules, exceptions, and data dependencies. That is a classic governance trap for autonomous or semi-autonomous systems: the purchase decision assumes transferability, but control design still has to be rebuilt around the actual workflow. Practitioners should read this as a warning that deployment speed can hide a much larger integration burden.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Should organisations treat AI agents like human employees in identity governance?

A: No. Human employees bring stable lifecycle assumptions, but AI agents can change behaviour based on runtime context and tool access. Treat them as non-human identities with explicitly bounded authority, separate policy language, and continuous review of the systems and data they can reach. Human onboarding metaphors obscure the control problem and lead to over-trust.

👉 Read our full editorial: Off-the-shelf AI agents fail because workflows are unique



   