AI agent governance gaps: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: Only 21% of North American security leaders have full visibility into AI tools, 54% say enforcement is weak, and 56% estimate 26% to 50% of AI tools and agents are unmanaged, according to a 1Password survey of 200 North American security leaders. The deeper problem is that traditional IAM assumes access can be provisioned, reviewed, and revoked inside stable workflows, while AI use is expanding outside those assumptions.

NHIMG editorial — based on content published by 1Password: AI governance gaps in the AI-augmented workforce

By the numbers:

Questions worth separating out

Q: What breaks when AI tools are used without identity governance?

A: When AI tools bypass identity governance, organisations lose visibility, ownership, and revocation discipline.

Q: Why do AI agents complicate IAM and IGA programmes?

A: AI agents complicate IAM and IGA because they can be provisioned informally, reused across workflows, and left outside recertification cycles.

Q: How do teams know whether AI governance is actually working?

A: Teams should look for three signals: they can discover AI tools in use, they can enforce policy consistently, and they can prove who approved access and data sharing.

Practitioner guidance

  • Inventory AI tools and agent access paths: Map sanctioned and unsanctioned AI usage across endpoints, SaaS, browser extensions, and embedded application features.
  • Tie AI governance to access review workflows: Add AI tools and agents to recertification, ownership, and revocation workflows so each access path has a responsible approver and a defined retirement trigger.
  • Enforce data-handling rules at the point of use: Use policy controls, DLP, and SaaS governance to prevent sensitive data from being pasted or synced into external AI services without approval.

What's in the full article

1Password's full research covers the operational detail this post intentionally leaves for the source:

  • The survey methodology behind the 200 North American security leader responses and how the questions were framed.
  • The four challenge areas in the original order, including the practical examples 1Password uses to describe AI usage.
  • The specific governance actions the source recommends for monitoring, blocking, and managing AI tool access.
  • The article's broader discussion of how security leaders are weighing productivity gains against access risk.

👉 Read 1Password's survey findings on AI governance gaps and unmanaged AI →
