AI agent governance: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: AI agents act autonomously, invoke tools, and create real-world consequences at machine speed, while existing IAM and audit practices were built for people and static applications, according to HYPR. The broken assumption is that access can be governed after the fact, because agent behaviour can change within a session and outpace human review.

NHIMG editorial — based on content published by HYPR: You May Be Able To See Your AI Agents. Can You Stop Them?

Questions worth separating out

Q: How should security teams govern AI agents that can act independently?

A: Start with a verifiable agent identity, a named human owner, and a tightly scoped delegation model.

Q: Why do existing IAM controls fall short for AI agents?

A: Existing IAM models were built for human users and static applications that operate within predictable session boundaries.

Q: What breaks when an organisation relies on observability alone for AI agent risk?

A: A dashboard can tell you what an agent did, but it cannot stop the action before it happens.

Practitioner guidance

  • Bind every agent to a named owner and a time-bounded scope: require a verifiable agent identity, a human owner, and an explicit expiry before production access is granted.
  • Move from observability to runtime enforcement: use logs for detection, but enforce high-risk decisions inline before execution.
  • Separate enterprise guardrails from team-level tuning: set organisation-wide thresholds for prohibited actions, mandatory approval points, and audit logging, then let agent owners configure only narrower controls within those limits.

What's in the full article

HYPR's full blog post covers the operational detail this post intentionally leaves for the source:

  • The four-peak maturity model for moving from observability to assurance in agent governance
  • Examples of organization-wide controls versus per-agent controls, including approval thresholds and scope limits
  • The article's concrete endpoint enforcement view for stopping agents before requests leave the machine
  • The full FAQ set on agent identity, shadow AI, and runtime supervision

👉 Read HYPR's analysis of AI agent governance and runtime control →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Governance without identity is structurally unenforceable. The article shows why policies for agents cannot hold if the actor cannot be verified at runtime. That is not a tooling gap; it is a governance gap: a rule about what an agent may do becomes unenforceable if the organisation cannot tie the action back to a named identity and delegation chain. Practitioner conclusion: agent governance has to begin with identity, not policy text.

A few things that frame the scale:

  • From our research: 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity programmes still operate with incomplete machine identity coverage.

A question worth separating out:

Q: Who should be accountable when an AI agent causes a high-risk action?

A: Accountability should sit with the named human owner of the agent, backed by organisational guardrails that cannot be overridden locally. If the action is high risk, the approval path should be explicit and cryptographically meaningful. Without that chain, responsibility becomes diffuse and governance weakens quickly.

👉 Read our full editorial: AI agent governance needs identity, policy, and runtime control

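To make the thread's guidance concrete, here is an added example of a runtime policy enforcement point that puts together the opening post's three practitioner points (owner-bound, time-bounded agent identity; inline enforcement before execution; organisation-wide guardrails that owners can only narrow) and the reply's point that accountability rests on a verifiable delegation chain and an explicit, cryptographically meaningful approval path. It is illustrative code written for this thread, not code from HYPR, NHIMG or any product. Everything in it is an assumption: the action names, the owner and agent identifiers, the keys, and the use of a per-owner HMAC-SHA256 in place of a real signature scheme so that it runs on the Python standard library alone.

```python
"""Illustrative policy enforcement point (PEP) for AI agents (added example).

A named human owner signs a delegation carrying an explicit scope and expiry;
organisation-wide guardrails (prohibited actions, mandatory approval points,
audit logging) are fixed centrally and can only be narrowed by the owner; and
every decision is taken inline, before the tool call runs. HMAC-SHA256 keyed
per owner stands in for a real signature. All names and keys are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Organisation-wide guardrails: set centrally, not tunable by agent owners.
ORG_ALLOWED_ACTIONS = {"read_ticket", "comment_ticket", "deploy_staging",
                       "transfer_funds", "rotate_prod_secret"}
ORG_PROHIBITED = {"delete_backup", "disable_logging"}             # never, for any agent
ORG_APPROVAL_REQUIRED = {"transfer_funds", "rotate_prod_secret"}  # explicit owner approval
AUDIT_LOG: list = []   # every decision is recorded, allowed or not


def _canonical(obj) -> bytes:
    """Deterministic encoding so the MAC covers exactly the signed fields."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, obj) -> str:
    return hmac.new(key, _canonical(obj), hashlib.sha256).hexdigest()


def issue_delegation(owner_key: bytes, owner: str, agent_id: str,
                     requested_scope: set, ttl_seconds: int, now: float) -> dict:
    """Owner binds an agent to themselves with a time-bounded, narrowed scope.

    Team-level tuning can only narrow: anything outside the org allow-list or
    inside the prohibited set is dropped before the delegation is signed.
    """
    scope = (requested_scope & ORG_ALLOWED_ACTIONS) - ORG_PROHIBITED
    body = {"owner": owner, "agent": agent_id, "scope": sorted(scope),
            "iat": int(now), "exp": int(now) + ttl_seconds}
    return {"body": body, "mac": _mac(owner_key, body)}


def approve_action(owner_key: bytes, owner: str, agent_id: str,
                   action: str, request_id: str) -> dict:
    """Per-request approval by the named owner, bound to a single request id."""
    body = {"approved_by": owner, "agent": agent_id,
            "action": action, "request_id": request_id}
    return {"body": body, "mac": _mac(owner_key, body)}


@dataclass(frozen=True)
class Decision:
    verdict: str   # "allow", "deny" or "require_approval"
    reason: str


def decide(delegation: dict, action: str, request_id: str, owner_keys: dict,
           now: float, approval: Optional[dict] = None) -> Decision:
    """Inline enforcement: the tool call proceeds only on an 'allow' verdict."""
    body = delegation["body"]
    key = owner_keys.get(body["owner"])
    if key is None:
        d = Decision("deny", "unknown owner")
    elif not hmac.compare_digest(_mac(key, body), delegation["mac"]):
        d = Decision("deny", "delegation signature invalid")
    elif now >= body["exp"]:
        d = Decision("deny", "delegation expired")
    elif action in ORG_PROHIBITED:
        d = Decision("deny", "prohibited by organisation guardrail")
    elif action not in body["scope"]:
        d = Decision("deny", "outside delegated scope")
    elif action in ORG_APPROVAL_REQUIRED:
        expected = {"approved_by": body["owner"], "agent": body["agent"],
                    "action": action, "request_id": request_id}
        if approval is None:
            d = Decision("require_approval", "mandatory approval point")
        elif approval["body"] != expected or not hmac.compare_digest(
                _mac(key, approval["body"]), approval["mac"]):
            d = Decision("deny", "approval token invalid for this request")
        else:
            d = Decision("allow", "approved by owner")
    else:
        d = Decision("allow", "within delegated scope")
    AUDIT_LOG.append({"ts": int(now), "agent": body["agent"], "owner": body["owner"],
                      "action": action, "request_id": request_id,
                      "verdict": d.verdict, "reason": d.reason})
    return d


if __name__ == "__main__":
    # Constructed walk-through: owner "alice" delegates to "agent-42" for one hour.
    key = b"constructed-owner-key-not-a-real-secret"
    keys = {"alice": key}
    now = 1_700_000_000.0
    deleg = issue_delegation(key, "alice", "agent-42",
                             {"read_ticket", "transfer_funds", "delete_backup"}, 3600, now)
    print(decide(deleg, "read_ticket", "r1", keys, now + 5))          # allow
    print(decide(deleg, "delete_backup", "r2", keys, now + 5))        # deny: guardrail
    print(decide(deleg, "transfer_funds", "r3", keys, now + 5))       # require_approval
    tok = approve_action(key, "alice", "agent-42", "transfer_funds", "r3")
    print(decide(deleg, "transfer_funds", "r3", keys, now + 5, tok))  # allow
    print(decide(deleg, "read_ticket", "r4", keys, now + 3600))       # deny: expired
```

The ordering of checks in `decide` is the point: the delegation's signature and expiry are verified before any policy question is asked, so a rule can only ever be applied to an actor that has been tied to a named owner, and an approval token is bound to one request id, so it cannot be replayed for a second transfer.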