
AI agent governance is becoming an execution-path gap


(@nhi-mgmt-group)

TL;DR: AI agents are already acting as first-class actors inside SaaS products, and Gartner expects 25% of enterprise breaches to stem from AI agent abuse by 2028, according to Frontegg and the cited interview. Governance now has to sit in the decision loop, because policies applied after execution begins cannot reliably contain autonomous actions.

NHIMG editorial — based on content published by Frontegg: AI agent governance and guardrails in SaaS ecosystems

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can act autonomously in SaaS systems?

A: They should treat each agent as a distinct identity with a bounded scope, runtime policy enforcement, and a revocation path.

Q: When does AI agent governance fail in practice?

A: It fails when teams assume static permissions and after-the-fact reviews are enough.

Q: What do security teams get wrong about agent identities?

A: They often treat agent identity as a technical detail instead of a governance boundary.

Practitioner guidance

  • Define agents as managed identities: Assign each agent a unique credential, an owning business context, and a revocation path tied to the human or organisation it represents.
  • Enforce runtime policy at the API boundary: Move authorisation checks into the gateway or policy enforcement layer so the agent cannot execute before context is evaluated.
  • Separate low-risk and destructive actions: Require human approval, step-up checks, or narrower rate limits for destructive changes, refund flows, and data export paths.

What's in the full article

Frontegg's full article covers the operational detail this post intentionally leaves for the source:

  • How to map agent entitlements to SaaS plans, permissions, and relationship-based rules in production
  • How to wire runtime checks into an API gateway or policy engine without breaking user workflows
  • How to structure audit logs so every agent action is linked to identity, policy, and context
  • How to manage drift when agent behaviour changes after model updates or prompt interpretation shifts

👉 Read Frontegg's analysis of AI agent governance and guardrails →
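
An added example, not from the original post or from Frontegg's article: a minimal policy enforcement point for the practitioner guidance above, where each agent has its own identity and bounded scope, revocation takes effect on the next call, and destructive actions are held for human approval before any handler runs. The class names, the `resource:action` scope strings, and the `DESTRUCTIVE` set are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DESTRUCTIVE = {"delete", "refund", "export"}  # assumed high-risk action classes

@dataclass(frozen=True)
class Agent:
    agent_id: str
    owner: str          # human or organisation the agent represents
    scopes: frozenset   # bounded scope, entries of the form "resource:action"

@dataclass(frozen=True)
class Request:
    agent_id: str
    resource: str
    action: str
    approved_by: Optional[str] = None  # human approver, if one signed off

class Gateway:
    """Policy enforcement point: the decision is made before the handler runs."""
    def __init__(self, agents):
        self.agents = {a.agent_id: a for a in agents}
        self.revoked, self.audit = set(), []

    def decide(self, req):
        agent = self.agents.get(req.agent_id)
        if agent is None:
            return "deny", "unknown-agent"
        if req.agent_id in self.revoked:
            return "deny", "revoked"
        if f"{req.resource}:{req.action}" not in agent.scopes:
            return "deny", "out-of-scope"
        if req.action in DESTRUCTIVE and not req.approved_by:
            return "hold", "needs-human-approval"
        return "allow", "in-scope"

    def handle(self, req, handler):
        decision, rule = self.decide(req)
        # Audit record links the action to identity, policy rule and context.
        self.audit.append({"agent": req.agent_id, "request": f"{req.resource}:{req.action}",
                           "decision": decision, "rule": rule, "approved_by": req.approved_by})
        return decision, rule, (handler(req) if decision == "allow" else None)

def demo():  # constructed sample: one billing agent, read, refund, then revocation
    gw = Gateway([Agent("agent-billing-1", "acme-finance", frozenset({"invoices:read", "invoices:refund"}))])
    read, refund = Request("agent-billing-1", "invoices", "read"), Request("agent-billing-1", "invoices", "refund")
    out = [gw.handle(r, lambda r: "done")[0] for r in (read, refund)]
    gw.revoked.add("agent-billing-1")
    return out + [gw.handle(read, lambda r: "done")[0]]
```

Every call is audited whether or not it is allowed, so held and denied attempts stay visible to reviewers.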
