Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent governance gaps: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Only 21% of North American security leaders have full visibility into AI tools, 54% say enforcement is weak, and 56% estimate 26% to 50% of AI tools and agents are unmanaged, according to a 1Password survey of 200 North American security leaders. The deeper problem is that traditional IAM assumes access can be provisioned, reviewed, and revoked inside stable workflows, while AI use is expanding outside those assumptions.

NHIMG editorial — based on content published by 1Password: AI governance gaps in the AI-augmented workforce

By the numbers:

Questions worth separating out

Q: What breaks when AI tools are used without identity governance?

A: When AI tools bypass identity governance, organisations lose visibility, ownership, and revocation discipline.

Q: Why do AI agents complicate IAM and IGA programmes?

A: AI agents complicate IAM and IGA because they can be provisioned informally, reused across workflows, and left outside recertification cycles.

Q: How do teams know whether AI governance is actually working?

A: Teams should look for three signals: they can discover AI tools in use, they can enforce policy consistently, and they can prove who approved access and data sharing.

Practitioner guidance

  • Inventory AI tools and agent access paths Map sanctioned and unsanctioned AI usage across endpoints, SaaS, browser extensions, and embedded application features.
  • Tie AI governance to access review workflows Add AI tools and agents to recertification, ownership, and revocation workflows so each access path has a responsible approver and a defined retirement trigger.
  • Enforce data-handling rules at the point of use Use policy controls, DLP, and SaaS governance to prevent sensitive data from being pasted or synced into external AI services without approval.

What's in the full article

1Password's full research covers the operational detail this post intentionally leaves for the source:

  • The survey methodology behind the 200 North American security leader responses and how the questions were framed.
  • The four challenge areas in the original order, including the practical examples 1Password uses to describe AI usage.
  • The specific governance actions the source recommends for monitoring, blocking, and managing AI tool access.
  • The article's broader discussion of how security leaders are weighing productivity gains against access risk.

👉 Read 1Password's survey findings on AI governance gaps and unmanaged AI →

AI agent governance gaps: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

AI governance is becoming an access-governance problem before it becomes a model-risk problem. The article shows security leaders struggling first with visibility, enforcement, and uncontrolled access paths, not with algorithmic behaviour. That matters because the primary failure mode is not the AI output itself but the identity path that lets the tool reach data and systems without governance. Practitioners should treat AI adoption as an access expansion event.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Another finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who should own risk when employees give AI tools access to sensitive data?

A: Accountability should sit with the business owner of the use case, the identity team managing access, and the security function defining policy enforcement. If no named owner can approve, monitor, and revoke AI access, the organisation has created an unmanaged identity path. Governance fails when ownership is diffuse.

👉 Read our full editorial: AI agent governance is outpacing enterprise IAM controls



   
ReplyQuote
Share: