Notifications
Clear all
Topic starter
07/06/2026 8:52 pm
TL;DR: As AI agents move deeper into enterprise workflows, the control problem shifts from periodic privacy review to real-time identity, authorization, and data-flow governance, according to WorkOS and Relyance AI's comparison article. Monitoring what agents touched is not the same as governing what they are allowed to do, and that gap is now operationally material.
NHIMG editorial — based on content published by WorkOS: Relyance AI for AI Agent Security, features, pricing, and alternatives
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams govern AI agents that access enterprise data?
A: Security teams should govern AI agents as non-human identities with explicit ownership, scoped authorization, and a revocation path.
Q: Why do AI agents create different IAM risks than normal applications?
A: AI agents can select actions dynamically, touch multiple systems in one workflow, and use data in ways that are harder to predict than fixed applications.
Q: What breaks when shadow AI is not brought under identity governance?
A: What breaks is accountability.
Practitioner guidance
- Separate visibility from authorization Map which controls only observe agent behaviour and which controls actually constrain access.
- Inventory every production AI agent as a governed identity Require an owner, business purpose, access scope, and offboarding path before an agent can touch production systems.
- Bind agent access to enterprise identity systems Use federation, scoped authorization, and audit logging so the agent authenticates through controlled identity infrastructure instead of ad hoc credentials.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- The platform-by-platform comparison between Relyance AI's privacy monitoring stack and WorkOS's authentication infrastructure.
- Pricing structure details, including the enterprise packaging and trial model described in the source article.
- Implementation specifics for SSO, directory sync, fine-grained authorization, and audit logging in production AI applications.
- The article's product-fit guidance for teams deciding whether they need monitoring, identity infrastructure, or both.
👉 Read WorkOS's comparison of Relyance AI and enterprise AI agent authentication →
AI agent governance: are monitoring tools enough for enterprise access?
Explore further
08/06/2026 8:36 am
Monitoring is not governance when the actor can already act. Real-time data mapping can reveal where an AI agent touched sensitive information, but it does not answer whether the agent should have had access in the first place. That leaves the programme with evidence after use, not control before action. Practitioners should treat visibility as an input to governance, not the governance layer itself.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who is accountable when an AI agent accesses data outside policy?
A: Accountability should sit with the business owner of the agent, the team that approved its access, and the security function that governs its identity. If those roles are unclear, the organisation has a governance gap rather than a tooling problem.
👉 Read our full editorial: AI agent governance is shifting from monitoring to identity control
