Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent governance: are your controls keeping up with visibility gaps?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI agents are already operating in enterprise environments with excessive access, static API keys, and weak oversight, according to Defakto Security. Waiting for perfect discovery before governing them only extends exposure and leaves legacy controls blind to runtime behaviour.

NHIMG editorial — based on content published by Defakto Security: AI Your AI Agents Aren’t Hidden. They’re Ungoverned. It’s time to Act

Questions worth separating out

Q: How should security teams govern AI agents that already have production access?

A: Start with the agents already in production, then rank them by data sensitivity, privilege breadth, and secret reuse.

Q: Why do AI agents create more governance risk than traditional automation?

A: AI agents can choose actions at runtime, which means their access needs, tool use, and data paths can change during execution.

Q: What do security teams get wrong about AI agent discovery?

A: They treat discovery as a prerequisite for action instead of a starting point for control.

Practitioner guidance

  • Prioritise the agents you already know about Rank known AI agents by data access, production reach, and key reuse.
  • Replace static API keys with workload identities Move high-risk agent interactions away from copied secrets and toward identities that can be authenticated and authorised at runtime.
  • Bind policy to the agent execution path Set access rules around the actual tools, endpoints, and data stores the agent uses, not just the application it belongs to.

What's in the full article

Defakto Security's full article covers the operational detail this post intentionally leaves for the source:

  • How Defakto proposes replacing static API keys with dynamic, verifiable identities for AI agents
  • The practical sequence for identifying high-risk agents in SaaS, CI/CD, and code repositories
  • The vendor's description of identity-based access control and real-time audit trails for agent activity
  • Implementation details for distributed access control policies across legacy environments

👉 Read Defakto Security's analysis of AI agent discovery and governance →

AI agent governance: are your controls keeping up with visibility gaps?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Perfect discovery is the wrong control objective for AI agents. Security teams do need visibility, but visibility is not the same as governance and it never has been. The article exposes a common programme failure: teams treat incomplete inventory as a reason to delay control, even though the agent population is already known enough to govern in part. The practitioner implication is to stop using discovery as the gate to action and start using it as a prioritisation input.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 44% have implemented any policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.

A question worth separating out:

Q: Who is accountable when an AI agent overreaches or exposes data?

A: Accountability sits with the team that assigned the identity, approved the access, and failed to constrain runtime behaviour. For AI agents, that usually spans IAM, security engineering, platform teams, and the application owner. If the access model cannot explain who approved what, the governance model is already failing.

👉 Read our full editorial: AI agent visibility fails when governance waits for perfect discovery



   
ReplyQuote
Share: