
AI agent governance: what IAM teams need before scale hits


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: AI agent governance dominated EIC 2026 because practitioners are facing pilots faster than controls, with Nexis arguing that classical IAM cannot handle agents that have no hire date, manager, or offboarding trigger. The real issue is assumption collapse: identity governance built for stable human lifecycles does not survive dynamic, task-driven agent behaviour.

NHIMG editorial — based on content published by Nexis: Conference takeaways on AI agent governance from EIC 2026

By the numbers:

Questions worth separating out

Q: How should IAM teams govern AI agents without trying to review every instance individually?

A: They should govern AI agents through policy clusters, named ownership, and approved capability boundaries rather than by treating each agent as a separate certification item.

Q: Why do AI agents create problems for joiner-mover-leaver processes?

A: AI agents do not fit the human JML model because they do not join, move, or leave in the same way people do.

Q: What breaks when segregation of duties is only enforced for human identities?

A: The control breaks at the policy layer because agent activity can repeat the same sensitive workflow pattern at machine speed and scale.

Practitioner guidance

  • Assign ownership by agent cluster: Group AI agents by business function and assign a named human owner for each cluster.
  • Extend SoD policy to non-human actors: Review your existing SoD matrix and explicitly add agent scenarios where the same person, workflow, or system can both request and approve sensitive actions.
  • Recertify governance rules, not each agent: Shift access review from individual agent inventories to the policy framework that authorises them.

What's in the full article

Nexis' full blog post covers the operational detail this post intentionally leaves for the source:

  • The full intent hierarchy model and how it maps organisational, role-based, developer, and user intent for agents.
  • The conference examples from Erste Group, BMW Group, and Munich Re, including how each organisation structured governance.
  • The practical sequence for ownership assignment, SoD scoping, and policy recertification across non-human identities.
  • The discussion of IVIP-style visibility layers and why unified identity inventory matters for production rollout.

👉 Read Nexis' takeaways on AI agent governance from EIC 2026 →
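As an added illustration of the ownership and SoD points in the guidance above (this is example code written for this post, not code from Nexis, NHIMG or any of the organisations named), the following Python sketch treats agents as first-class actors in a segregation-of-duties check. Rather than reviewing each agent, it evaluates three policy rules over an actor directory and an audit log: the same actor both requested and approved a sensitive item, two agents in the same cluster did so, or an agent approved an item requested by the human who owns it. It also surfaces agents with no named owner. The actor names, cluster names and events are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    actor_id: str
    kind: str      # "human" or "agent"
    cluster: str   # business-function cluster the actor belongs to
    owner: str     # named human accountable; humans own themselves; "" = unowned


@dataclass(frozen=True)
class Event:
    actor_id: str
    workflow: str  # e.g. "vendor_payment"
    action: str    # "request" or "approve"
    item: str      # the object the workflow acts on


# Constructed sample directory (hypothetical identifiers, not from the article).
ACTORS = {a.actor_id: a for a in [
    Actor("alice", "human", "finance-ops", "alice"),
    Actor("bob", "human", "finance-ops", "bob"),
    Actor("ap-agent-1", "agent", "ap-automation", "alice"),
    Actor("ap-agent-2", "agent", "ap-automation", "alice"),
    Actor("sec-agent", "agent", "iam-automation", "bob"),
    Actor("orphan-agent", "agent", "ap-automation", ""),
]}

# Constructed sample audit events.
EVENTS = [
    Event("ap-agent-1", "vendor_payment", "request", "INV-1"),
    Event("ap-agent-1", "vendor_payment", "approve", "INV-1"),   # self-approval
    Event("ap-agent-1", "vendor_payment", "request", "INV-2"),
    Event("ap-agent-2", "vendor_payment", "approve", "INV-2"),   # same agent cluster
    Event("alice", "vendor_payment", "request", "INV-3"),
    Event("ap-agent-1", "vendor_payment", "approve", "INV-3"),   # requester's own agent approves
    Event("ap-agent-1", "vendor_payment", "request", "INV-4"),
    Event("bob", "vendor_payment", "approve", "INV-4"),           # clean: different person, different cluster
    Event("sec-agent", "privilege_grant", "request", "GRANT-1"),
    Event("alice", "privilege_grant", "approve", "GRANT-1"),      # clean
    Event("alice", "expense_note", "request", "NOTE-1"),
    Event("alice", "expense_note", "approve", "NOTE-1"),          # not a sensitive workflow; ignored
]

# Workflows the SoD matrix classifies as sensitive (constructed for the example).
SENSITIVE_WORKFLOWS = {"vendor_payment", "privilege_grant"}


def sod_violations(actors, events, sensitive):
    """Return (workflow, item, requester, approver, reason) for each SoD breach.

    Rules are evaluated at the policy level, so they apply equally to humans
    and agents; agents additionally inherit cluster- and owner-based checks.
    """
    sides = defaultdict(lambda: {"request": set(), "approve": set()})
    for e in events:
        if e.workflow in sensitive:
            sides[(e.workflow, e.item)][e.action].add(e.actor_id)

    violations = []
    for (wf, item), s in sides.items():
        for req in sorted(s["request"]):
            for app in sorted(s["approve"]):
                a_req, a_app = actors[req], actors[app]
                if req == app:
                    reason = "same actor requested and approved"
                elif a_req.kind == a_app.kind == "agent" and a_req.cluster == a_app.cluster:
                    reason = "requester and approver are agents in the same cluster"
                elif "agent" in (a_req.kind, a_app.kind) and a_req.owner == a_app.owner:
                    reason = "agent approved on behalf of its own owner"
                else:
                    continue
                violations.append((wf, item, req, app, reason))
    return violations


def unowned_agents(actors):
    """Agents with no named human owner: a governance gap, not an access finding."""
    return sorted(a.actor_id for a in actors.values() if a.kind == "agent" and not a.owner)


if __name__ == "__main__":
    for v in sod_violations(ACTORS, EVENTS, SENSITIVE_WORKFLOWS):
        print("SoD:", v)
    print("unowned agents:", unowned_agents(ACTORS))
```

The point of routing findings to rules rather than to agents is that each finding names a human owner (via the approver's cluster) and a policy clause, which is what a recertification of the governance framework, rather than of 9,000 individual agent entries, needs.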

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

AI agent governance exposes a lifecycle assumption that human IAM never had to confront. Classical joiner-mover-leaver design assumes a stable subject with a hire date, manager, and offboarding event. That assumption fails when the identity is an AI agent that can be created for a task, reused, and left active without a human transition point. The implication is not merely operational complexity, but a governance model that no longer matches the subject being governed.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • That confidence gap sits alongside another warning sign: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the same report.

A question worth separating out:

Q: Who should be accountable when an external AI agent acts on enterprise data?

A: Accountability should sit with the human owner of the agent cluster and the business function that authorised its use. External agents should be handled as third-party identity risk, with the same expectations for documented scope, access review, and revocation that apply to other outsourced access relationships.

👉 Read our full editorial: AI agent governance needs identity foundations before production scale
