AI agent governance in 2026: what is your team doing now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Enterprise AI security is shifting from adoption and access to authority, with Gartner projecting that roughly 40% of enterprise applications will embed task-specific AI agents by the end of 2026, according to Lasso Security’s 2026 predictions. The control gap is no longer just permissions, but purpose, boundaries, and runtime oversight across agentic workflows.

NHIMG editorial — based on content published by Lasso Security: Enterprise AI Security Predictions 2026: Intent & Control

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can take actions on behalf of users?

A: Security teams should govern AI agents through explicit intent boundaries, tool boundaries, and decision boundaries, not just access permissions.

Q: Why do agentic browsers complicate identity and session controls?

A: Agentic browsers complicate identity and session controls because they turn a browser session into a delegated execution environment rather than a stable human interaction.

Q: How do organisations know if an AI system has drifted beyond its mandate?

A: Organisations know an AI system has drifted when its behaviour remains technically permitted but no longer matches the intended purpose, scope, or business outcome.

Practitioner guidance

  • Define intent boundaries for every agent deployment: Document the allowed purpose, data scope, tool scope, and decision scope before production rollout.
  • Treat browser agents as delegated execution contexts: Reassess session binding, step-up checks, and authenticated workflow assumptions when an agent can act inside the same browser session as a person.
  • Put AI gateways under control-plane governance: Apply segmentation, versioned policy rollout, rollback planning, and monitoring to the gateway layer, because it is now the choke point for model access, agent permissions, and action enforcement.

What's in the full article

Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Gartner-linked market sizing and the forecast for embedded task-specific AI agents by 2026.
  • Detailed examples of how browser-resident agents can bypass long-standing session assumptions.
  • The control-plane role of AI gateways across routing, policy, identity mapping, and secrets handling.
  • Policy and compliance implications of AI-mediated action under evolving regulatory regimes.

👉 Read Lasso Security's enterprise AI security predictions for 2026 →




   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Agentic behaviour exposes an intent gap, not just an access gap. Traditional IAM and NHI controls are built to decide who can access what. This article shows that AI agents create a second question: what is the system trying to accomplish, and how far may it go while doing it? That is a governance problem because a system can remain within access rules while still violating business intent. Practitioners should treat intent boundaries as a first-class control plane.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • That confidence gap shows why AI governance cannot rely on human-era control assumptions when delegated machine behaviour is expanding across enterprise workflows.

A question worth separating out:

Q: Who is accountable when AI-mediated actions create compliance or operational risk?

A: Accountability remains with the deploying organisation, even when an AI model or agent is externally provided. Teams need logs, approvals, and governance records that show what acted, under what authority, and within which mandate. Without that evidence, compliance obligations become difficult to defend.

👉 Read our full editorial: Enterprise AI security in 2026 is becoming an intent problem



   
ReplyQuote
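
An added example, not part of the posts above or of Lasso Security's article: a minimal mandate check that flags actions which pass the access check but fall outside the declared tool, data, or decision scope, and emits a record of what acted, under whose authority, and within which mandate. The schema, field names, and sample agent are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Mandate:  # declared intent boundary for one agent (hypothetical schema)
    agent_id: str
    version: str
    purpose: str
    tools: frozenset
    data_scopes: frozenset
    autonomous_decisions: frozenset  # decisions allowed without human approval

@dataclass(frozen=True)
class Action:
    agent_id: str
    on_behalf_of: str      # the authority the agent acts under
    tool: str
    data_scope: str
    decision: str
    access_granted: bool   # verdict of the existing IAM/NHI permission check
    approved_by: str = ""  # approver, if a human signed off

def evaluate(m: Mandate, a: Action) -> dict:
    """Audit record; 'drift' = permitted by access control but outside the mandate."""
    reasons = []
    if a.tool not in m.tools:
        reasons.append(f"tool {a.tool} outside tool scope")
    if a.data_scope not in m.data_scopes:
        reasons.append(f"data {a.data_scope} outside data scope")
    if a.decision not in m.autonomous_decisions and not a.approved_by:
        reasons.append(f"decision {a.decision} requires approval")
    verdict = "deny" if not a.access_granted else "drift" if reasons else "allow"
    return {"verdict": verdict, "agent": a.agent_id, "authority": a.on_behalf_of,
            "mandate": f"{m.purpose}@{m.version}", "approved_by": a.approved_by,
            "action": [a.tool, a.data_scope, a.decision], "reasons": reasons}

# Constructed sample mandate and actions (not from the article).
MANDATE = Mandate("invoice-bot", "v3", "reconcile supplier invoices",
                  frozenset({"erp.read", "erp.post_journal"}),
                  frozenset({"finance/invoices"}), frozenset({"match_invoice"}))
SAMPLE = [
    Action("invoice-bot", "alice", "erp.read", "finance/invoices", "match_invoice", True),
    Action("invoice-bot", "alice", "erp.read", "hr/payroll", "match_invoice", True),
    Action("invoice-bot", "alice", "erp.post_journal", "finance/invoices", "write_off", True, "bob"),
    Action("invoice-bot", "alice", "erp.post_journal", "finance/invoices", "write_off", True),
    Action("invoice-bot", "alice", "mail.send", "finance/invoices", "match_invoice", False),
]
if __name__ == "__main__":
    for a in SAMPLE:
        print(json.dumps(evaluate(MANDATE, a)))
```

The second and fourth sample actions are the drift cases: the access layer grants them, yet one reads data outside the declared scope and the other takes a decision that needs an approver.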