
AI agent discovery and build-time posture management: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Enterprise AI agent creation is spreading beyond R&D into business teams, expanding exposure to sensitive data, uncontrolled access, and unauthorized actions as agents connect to internal systems, according to Lasso Security. Build-time discovery and dependency mapping matter because security cannot rely on post-deployment review when agent trust, access, and delegation are established before production.

NHIMG editorial — based on content published by Lasso Security: Build Secure-By-Design Agents with Lasso

Questions worth separating out

Q: How should security teams govern AI agents that connect to internal systems?

A: Security teams should treat AI agents as governed identities, not just applications.

Q: Why do AI agents create more governance risk than ordinary automation?

A: AI agents create more governance risk because they can combine tools and internal resources into a live workflow that changes as the task evolves.

Q: What breaks when AI agent discovery is delayed until after deployment?

A: When discovery is delayed, security teams lose the chance to catch ownership gaps, hidden dependencies, and over-broad access before the agent starts operating.

Practitioner guidance

  • Create a complete AI agent inventory: track every agent, its owner, creator, creation time, usage, and connected components so security has a current map of the estate rather than scattered project lists.
  • Map delegation boundaries for each agent: record which LLMs, APIs, databases, sub-agents, MCPs, and applications each agent can reach, then verify where authorisation boundaries are missing or inherited too broadly.
  • Route findings into the build workflow: push scan results to the development team responsible for the agent before promotion so remediation happens while the architecture is still changing.

What's in the full article

Lasso Security's full post covers the operational detail this post intentionally leaves for the source:

  • How the AI Security Platform models agent discovery across internal resources and connected components.
  • The static scanning approach used to identify sub-agents, APIs, databases, LLMs, and MCP-linked dependencies.
  • How findings are routed back to the development team responsible for the agent before production.
  • The article's stated MTTR improvement claim and how the vendor frames build-stage remediation.

👉 Read Lasso Security's analysis of secure-by-design AI agents and AI-SPM →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

AI agent posture management is becoming an identity governance problem, not just an application security problem. The article shows agents being created across business functions and connected to internal resources long before security teams would traditionally review them. That means the governance question is no longer only whether the agent is secure, but whether the organisation can identify, own, and scope its non-human identities at creation time. Practitioners should treat agent discovery as a lifecycle control, not an after-the-fact scan.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security.
  • That includes 38% with no or low visibility and 47% with only partial visibility, which shows how quickly delegated access can outpace governance even before AI agents are added.

A question worth separating out:

Q: How should organisations prioritise fixes for AI agent security findings?

A: Organisations should prioritise the agents with the widest connected footprint, the highest business criticality, and the most unclear ownership. That approach focuses remediation where the delegation chain creates the greatest operational exposure, instead of treating every finding as equal.

👉 Read our full editorial: Secure-by-design AI agents need posture management from build time

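The two posts above describe the same build-time check from two angles: the first asks for an inventory and a delegation map that exposes missing owners, hidden dependencies and access inherited through sub-agents; the second asks for fixes to be prioritised by connected footprint, business criticality and unclear ownership. The script below is an added example written for this thread, not code from Lasso Security or NHIMG. It walks a constructed inventory (every agent, owner and component name is hypothetical), computes each agent's effective reach through any chain of sub-agents, emits the three finding types, and ranks agents with a simple score. The `db:` prefix standing for the sensitive class and the `footprint * criticality + ownership penalty` formula are assumptions chosen for illustration, not a vendor method.

```python
"""Build-time delegation-map check for an AI agent inventory (added example).

Constructed inventory, not real data: each agent declares its owner, a
business-criticality weight, and the components it reaches directly
(llm:, api:, db:, mcp:, or agent: for a sub-agent). Reach through a
sub-agent is inherited, which is where over-broad access usually hides.
"""
from collections import deque

# Hypothetical agents and components; "" as owner models an ownership gap.
INVENTORY = {
    "support-triage": {"owner": "cx-platform", "criticality": 3,
                       "reaches": ["llm:gpt-prod", "api:zendesk", "agent:kb-search"]},
    "kb-search":      {"owner": "", "criticality": 1,
                       "reaches": ["mcp:confluence", "agent:sql-helper"]},
    "sql-helper":     {"owner": "data-eng", "criticality": 4,
                       "reaches": ["db:customers-prod", "db:billing-prod", "llm:gpt-prod"]},
    # References a sub-agent that is not in the inventory: a hidden dependency.
    "release-notes-bot": {"owner": "dev-rel", "criticality": 1,
                          "reaches": ["llm:gpt-prod", "api:github",
                                      "agent:changelog-summariser"]},
}

SENSITIVE_PREFIXES = ("db:",)   # assumption: databases are the sensitive class
OWNERLESS_PENALTY = 5           # assumption: weight given to an unclear owner


def effective_reach(name, inventory):
    """Return (components, missing_agents) for an agent.

    components: every non-agent component reachable directly or through any
    chain of sub-agents (breadth-first, each agent visited once so cycles end).
    missing_agents: sub-agents referenced somewhere in the chain but absent
    from the inventory, i.e. dependencies nobody has registered.
    """
    seen, queue = {name}, deque([name])
    components, missing = set(), set()
    while queue:
        current = queue.popleft()
        if current not in inventory:
            missing.add(current)
            continue
        for target in inventory[current]["reaches"]:
            kind, _, ident = target.partition(":")
            if kind != "agent":
                components.add(target)
            elif ident not in seen:
                seen.add(ident)
                queue.append(ident)
    return components, missing


def findings(name, inventory):
    """Flag what should be caught before promotion: no owner, unregistered
    sub-agents, access inherited rather than declared, and sensitive reach."""
    agent = inventory[name]
    direct = {t for t in agent["reaches"] if not t.startswith("agent:")}
    total, missing = effective_reach(name, inventory)
    out = []
    if not agent["owner"]:
        out.append("no-owner")
    out.extend("unknown-sub-agent:" + m for m in sorted(missing))
    inherited = total - direct
    if inherited:
        out.append("inherited:" + ",".join(sorted(inherited)))
    sensitive = sorted(t for t in total if t.startswith(SENSITIVE_PREFIXES))
    if sensitive:
        out.append("sensitive:" + ",".join(sensitive))
    return out


def priority_score(name, inventory):
    """Wider footprint and higher criticality raise the score; unknown
    sub-agents count toward footprint rather than being ignored."""
    agent = inventory[name]
    total, missing = effective_reach(name, inventory)
    footprint = len(total) + len(missing)
    penalty = OWNERLESS_PENALTY if not agent["owner"] else 0
    return footprint * agent["criticality"] + penalty


def prioritise(inventory):
    """Agents ordered for remediation, highest score first."""
    ranked = sorted(inventory, key=lambda n: priority_score(n, inventory), reverse=True)
    return [(n, priority_score(n, inventory), findings(n, inventory)) for n in ranked]


if __name__ == "__main__":
    for name, score, flags in prioritise(INVENTORY):
        print(f"{score:3d}  {name:<18} {' '.join(flags) or 'clean'}")
```

Run as-is, the ranking puts `support-triage` first even though it declares only an LLM and a ticketing API: through `kb-search` and `sql-helper` it inherits two production databases, which is exactly the kind of boundary a post-deployment review of the agent's own manifest would miss. Swapping the constructed inventory for an export from your own registry is the only change needed to try it on a real estate.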