TL;DR: AI agents can plan, invoke tools, chain actions across systems, and accumulate privileges faster than conventional IGA assumes, creating blind spots around ownership, auditability, and policy drift, according to Unosecur. The governance model has to move from periodic review to continuous control if identity programmes are going to keep pace with autonomous, non-human identities.
NHIMG editorial — based on content published by Unosecur: Governance Strategies for Machine & AI Identities in 2026
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern AI agents that can act on their own?
A: Security teams should govern autonomous agents as first-class identities with explicit ownership, bounded purpose, and continuous monitoring.
Q: Why do AI agents complicate traditional IGA and access reviews?
A: AI agents complicate IGA because their access can expand through context, chaining, and delegation faster than periodic reviews can capture.
Q: What breaks when machine identities have no clear owner?
A: When machine identities have no clear owner, offboarding, remediation, and accountability all fail together.
Practitioner guidance
- Inventory every AI agent and machine identity: build a complete register of where agents run, which APIs or systems they touch, what credentials they use, and who owns them.
- Replace periodic reviews with continuous entitlement evaluation: capture policy decisions, access justification, and action logs in near real time so that entitlement drift is visible before audit season.
- Assign named owners for every non-human identity: require both a business owner and a technical owner for service accounts, bots, workload identities, and agents.
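As an added illustration of the inventory and continuous-evaluation steps above (example code written for this post, not Unosecur's or NHIMG's), a minimal register of non-human identities with constructed sample entries and constructed action-log lines: one check flags identities missing a business or technical owner, the other compares granted entitlements against what the identity actually exercised, which is the drift an owner would be asked to resolve.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data throughout; the log format
# 'identity=<name> action=<permission> target=<system>' is an assumption.

@dataclass
class NHIdentity:
    name: str
    kind: str                       # "agent", "service_account", "workload", "bot"
    business_owner: Optional[str]
    technical_owner: Optional[str]
    granted: Set[str] = field(default_factory=set)

def missing_owners(register: List[NHIdentity]) -> List[str]:
    """Identities that lack either a business or a technical owner."""
    return sorted(i.name for i in register
                  if not (i.business_owner and i.technical_owner))

def used_entitlements(action_log: List[str]) -> Dict[str, Set[str]]:
    """Aggregate the permissions each identity actually exercised."""
    used: Dict[str, Set[str]] = {}
    for line in action_log:
        fields = dict(kv.split("=", 1) for kv in line.split())
        used.setdefault(fields["identity"], set()).add(fields["action"])
    return used

def entitlement_drift(register: List[NHIdentity],
                      action_log: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Per identity: granted-but-unused (excess privilege) and
    used-but-not-granted (out-of-policy action). Both are owner findings."""
    used = used_entitlements(action_log)
    findings = {}
    for i in register:
        exercised = used.get(i.name, set())
        findings[i.name] = {"excess": sorted(i.granted - exercised),
                            "unsanctioned": sorted(exercised - i.granted)}
    return findings

REGISTER = [  # constructed sample identities
    NHIdentity("billing-agent", "agent", "finance-lead", "platform-team",
               {"invoices:read", "invoices:write", "customers:read"}),
    NHIdentity("ci-runner", "service_account", None, "devops",
               {"repo:read", "artifacts:write"}),
]
ACTION_LOG = [  # constructed sample log lines
    "identity=billing-agent action=invoices:read target=erp",
    "identity=billing-agent action=customers:export target=crm",
    "identity=ci-runner action=repo:read target=git",
]
```

Run continuously over the live action stream rather than at review time, the "unsanctioned" list is the signal that an agent has acted beyond its intended scope.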
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- How to map agent, bot, service account, and workload identity ownership across environments
- Practical lifecycle steps for creation, review, and decommissioning of machine identities
- Policy-driven access enforcement patterns for runtime decision-making systems
- Continuous monitoring and auditability requirements for agent actions and identity posture
Read Unosecur's governance strategies for machine and AI identities in 2026
AI agent governance in 2026: what IAM teams need to change
Static access governance was designed for identities whose purpose stays stable long enough to review. That assumption fails when the actor is autonomous because the identity can decide when to act, what tool to invoke, and how to chain those actions at runtime. The implication is not simply that controls must be stronger, but that the premise of review-based governance no longer matches the behaviour being governed.
A few things that frame the scale:
- 92% agree that governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Which frameworks should guide AI agent and machine identity governance?
A: Teams should anchor governance in Zero Trust, identity lifecycle controls, and AI risk management where autonomous behaviour is present. For AI agents, combine policy enforcement, continuous verification, and ownership tracking so that access decisions remain explainable and revocable throughout the agent lifecycle.
Read our full editorial: Governance strategies for machine and AI identities in 2026