
AI agent governance in 2026: what is your team doing now?


(@nhi-mgmt-group)

TL;DR: Enterprise AI security is shifting from adoption and access to authority, with Gartner projecting that roughly 40% of enterprise applications will embed task-specific AI agents by the end of 2026, according to Lasso Security’s 2026 predictions. The control gap is no longer just permissions, but purpose, boundaries, and runtime oversight across agentic workflows.

NHIMG editorial — based on content published by Lasso Security: Enterprise AI Security Predictions 2026: Intent & Control

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can take actions on behalf of users?

A: Security teams should govern AI agents through explicit intent boundaries, tool boundaries, and decision boundaries, not just access permissions.

Q: Why do agentic browsers complicate identity and session controls?

A: Agentic browsers complicate identity and session controls because they turn a browser session into a delegated execution environment rather than a stable human interaction.

Q: How do organisations know if an AI system has drifted beyond its mandate?

A: Organisations know an AI system has drifted when its behaviour remains technically permitted but no longer matches the intended purpose, scope, or business outcome.

Practitioner guidance

  • Define intent boundaries for every agent deployment. Document the allowed purpose, data scope, tool scope, and decision scope before production rollout.
  • Treat browser agents as delegated execution contexts. Reassess session binding, step-up checks, and authenticated workflow assumptions when an agent can act inside the same browser session as a person.
  • Put AI gateways under control-plane governance. Apply segmentation, versioned policy rollout, rollback planning, and monitoring to the gateway layer, because it is now the choke point for model access, agent permissions, and action enforcement.

What's in the full article

Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Gartner-linked market sizing and the forecast for embedded task-specific AI agents by 2026.
  • Detailed examples of how browser-resident agents can bypass long-standing session assumptions.
  • The control-plane role of AI gateways across routing, policy, identity mapping, and secrets handling.
  • Policy and compliance implications of AI-mediated action under evolving regulatory regimes.

👉 Read Lasso Security's enterprise AI security predictions for 2026 →
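
Added example (not part of the original post or of Lasso Security's article): a minimal sketch of the intent-boundary idea from the practitioner guidance, separating actions the access layer would deny from actions that are permitted but fall outside the declared mandate ("drift"). The schema, field names, purpose tags, and sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IntentBoundary:
    # Hypothetical schema: the four scopes documented before rollout.
    purpose: str
    data_scope: frozenset
    tool_scope: frozenset
    decision_scope: frozenset  # decisions allowed without human approval

@dataclass(frozen=True)
class Action:
    tool: str
    data: str
    decision: str
    purpose: str  # purpose tag attached to the request (assumed to be recorded)

def evaluate(action, permissions, boundary):
    """Classify one action as 'deny', 'drift' or 'allow', with reasons."""
    # Access check first: this is what a permissions-only model already does.
    if (action.tool, action.data) not in permissions:
        return "deny", ["permission: tool/data pair not granted"]
    # Mandate check: permitted actions are still compared to the declared intent.
    checks = [
        ("purpose", action.purpose == boundary.purpose),
        ("tool", action.tool in boundary.tool_scope),
        ("data", action.data in boundary.data_scope),
        ("decision", action.decision in boundary.decision_scope),
    ]
    reasons = [f"{name}: outside declared scope" for name, ok in checks if not ok]
    return ("drift" if reasons else "allow"), reasons

# Constructed sample: an agent whose granted permissions are broader than its mandate.
BOUNDARY = IntentBoundary(
    purpose="invoice-reconciliation",
    data_scope=frozenset({"invoices"}),
    tool_scope=frozenset({"erp.read", "ticket.create"}),
    decision_scope=frozenset({"flag-mismatch"}),
)
PERMISSIONS = {("erp.read", "invoices"), ("erp.read", "payroll"),
               ("ticket.create", "invoices"), ("email.send", "invoices")}
ACTIONS = [
    Action("erp.read", "invoices", "flag-mismatch", "invoice-reconciliation"),
    Action("erp.read", "payroll", "flag-mismatch", "invoice-reconciliation"),
    Action("email.send", "invoices", "approve-payment", "vendor-outreach"),
    Action("erp.write", "invoices", "flag-mismatch", "invoice-reconciliation"),
]

def audit(actions=ACTIONS):
    return [evaluate(a, PERMISSIONS, BOUNDARY) for a in actions]

if __name__ == "__main__":
    for action, (verdict, reasons) in zip(ACTIONS, audit()):
        print(f"{verdict:5} {action.tool} on {action.data} {reasons}")
```

The "drift" verdicts are the ones a permissions-only review never surfaces, so they are the records worth routing to runtime oversight.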
