TL;DR: AI agents are already operating in enterprise environments with excessive access, static API keys, and weak oversight, according to Defakto Security. Waiting for perfect discovery before governing them only extends exposure and leaves legacy controls blind to runtime behaviour.
NHIMG editorial — based on content published by Defakto Security: Your AI Agents Aren’t Hidden. They’re Ungoverned. It’s time to Act
Questions worth separating out
Q: How should security teams govern AI agents that already have production access?
A: Start with the agents already in production, then rank them by data sensitivity, privilege breadth, and secret reuse.
Q: Why do AI agents create more governance risk than traditional automation?
A: AI agents can choose actions at runtime, which means their access needs, tool use, and data paths can change during execution.
Q: What do security teams get wrong about AI agent discovery?
A: They treat discovery as a prerequisite for action instead of a starting point for control.
Practitioner guidance
- Prioritise the agents you already know about: Rank known AI agents by data access, production reach, and key reuse.
- Replace static API keys with workload identities: Move high-risk agent interactions away from copied secrets and toward identities that can be authenticated and authorised at runtime.
- Bind policy to the agent execution path: Set access rules around the actual tools, endpoints, and data stores the agent uses, not just the application it belongs to.
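One way to do the ranking in the first item, as an added example that is not from Defakto Security's article or this editorial. The inventory, field names and sort order are assumptions, as is the rule that a shared static key gives every holder the highest sensitivity and the union of scopes among the agents that hold it.

```python
import hashlib
from collections import defaultdict

# Constructed inventory: names, scopes and secrets are illustrative only.
AGENTS = [
    {"name": "support-summarizer", "sensitivity": 3, "production": True,
     "scopes": {"crm:read", "tickets:write"}, "secret": "key-A"},
    {"name": "ci-release-bot", "sensitivity": 2, "production": True,
     "scopes": {"repo:write", "deploy:prod", "registry:push"}, "secret": "key-B"},
    {"name": "docs-helper", "sensitivity": 1, "production": False,
     "scopes": {"wiki:read"}, "secret": "key-A"},
    {"name": "finance-recon", "sensitivity": 3, "production": True,
     "scopes": {"ledger:read"}, "secret": "key-C"},
]

def fingerprint(secret):
    """Group credentials by hash so the raw key never enters the report."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def rank_agents(agents):
    """Return one row per agent, highest exposure first.

    Assumption (not from the source article): a shared static key exposes every
    holder to the highest sensitivity and the union of scopes among its holders.
    """
    by_key = defaultdict(list)
    for agent in agents:
        by_key[fingerprint(agent["secret"])].append(agent)
    rows = []
    for agent in agents:
        holders = by_key[fingerprint(agent["secret"])]
        rows.append({
            "name": agent["name"],
            "sensitivity": max(h["sensitivity"] for h in holders),
            "production": any(h["production"] for h in holders),
            "breadth": len(set().union(*(h["scopes"] for h in holders))),
            "key_holders": len(holders),
        })
    # Sort order follows the page's criteria; ties fall back to the agent name.
    rows.sort(key=lambda r: (-r["sensitivity"], -r["production"], -r["breadth"],
                             -r["key_holders"], r["name"]))
    return rows

if __name__ == "__main__":
    for row in rank_agents(AGENTS):
        print(row)
```

In this constructed data, docs-helper looks low risk on its own but ranks at the top because it holds the same key as a production agent with sensitive data access.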
What's in the full article
Defakto Security's full article covers the operational detail this post intentionally leaves for the source:
- How Defakto proposes replacing static API keys with dynamic, verifiable identities for AI agents
- The practical sequence for identifying high-risk agents in SaaS, CI/CD, and code repositories
- The vendor's description of identity-based access control and real-time audit trails for agent activity
- Implementation details for distributed access control policies across legacy environments