TL;DR: Discovery tools can list AI agents, but most organisations still cannot answer who owns them, what they may do, or when access should end, according to Nexis. That makes discovery a starting point, not governance, because access reviews and static role models break down when agent permissions and context keep changing.
NHIMG editorial — based on content published by Nexis: IAM AI Agent Governance: Why Discovery Isn’t Enough
By the numbers:
- NHIs exceed human identities in organizations today by a factor of 50 to 100.
Questions worth separating out
Q: How should security teams govern AI agents beyond discovery?
A: They should treat discovery as inventory, then add ownership, policy-based authorization, lifecycle management, and regular recertification.
Q: Why do AI agents create more IAM risk than static automation?
A: AI agents can change tasks, tools, and access patterns as their context changes, which makes static roles and fixed approvals brittle.
Q: What breaks when an AI agent outlives its human owner?
A: Accountability breaks first, followed by lifecycle control and then access governance.
Practitioner guidance
- Assign a human owner to every AI agent: create a mandatory ownership field in your IAM or GRC workflow so each agent has a named accountable person for permissions, recertification, and decommissioning.
- Embed agent offboarding into employee leaver processes: when a staff member leaves or changes role, force a check for any AI agents they created or operate, then reassign or deactivate those identities before access persists.
- Move from static roles to policy-based controls: use RBAC, ABAC, and rule-based policies to express task scope, data sensitivity, and risk level so access decisions can adapt as agent context changes.
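The three guidance points above describe one lifecycle: a mandatory owner at registration, a leaver hook that suspends orphaned agents, and attribute-based authorization that checks task scope, data sensitivity, risk level and recertification age on every request. The following is an added illustration of that lifecycle in Python; it is not Nexis's or NHIMG's code, and the registry fields, sensitivity scale, 90-day review cadence and rule set are assumptions chosen for the example.

```python
"""Illustrative AI-agent identity registry: ownership, policy-based
authorization, leaver-driven offboarding and recertification checks.
Added example; every field, rule and sample value below is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta

# Ordered data-sensitivity levels, lowest to highest (constructed scale).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
RECERT_INTERVAL = timedelta(days=90)  # assumed review cadence set by GRC


@dataclass
class Agent:
    agent_id: str
    owner: str                       # named accountable human; mandatory
    task_scope: set[str]             # actions the agent may perform
    max_sensitivity: str             # highest data class the agent may touch
    last_recertified: date
    high_risk_approved: bool = False  # explicit sign-off for high-risk tasks
    status: str = "active"


def register_agent(registry: dict[str, Agent], agent: Agent, directory: set[str]) -> None:
    """Enforce the mandatory ownership field at creation time."""
    if not agent.owner or agent.owner not in directory:
        raise ValueError(f"{agent.agent_id}: owner must be a named, active person")
    registry[agent.agent_id] = agent


def authorize(agent: Agent, action: str, resource_sensitivity: str, risk_level: str,
              directory: set[str], today: date) -> tuple[bool, str]:
    """Policy-based decision: each rule is an attribute check, not a static role."""
    if agent.status != "active":
        return False, f"agent status is {agent.status}"
    if agent.owner not in directory:
        return False, "no active human owner"
    if today - agent.last_recertified > RECERT_INTERVAL:
        return False, "recertification overdue"
    if action not in agent.task_scope:
        return False, f"action {action} outside task scope"
    if SENSITIVITY[resource_sensitivity] > SENSITIVITY[agent.max_sensitivity]:
        return False, f"{resource_sensitivity} exceeds agent ceiling {agent.max_sensitivity}"
    if risk_level == "high" and not agent.high_risk_approved:
        return False, "high-risk task requires explicit approval"
    return True, "allowed"


def offboard_user(registry: dict[str, Agent], directory: set[str], user: str,
                  today: date) -> list[str]:
    """Leaver hook: remove the person, then suspend every agent they still own."""
    directory.discard(user)
    suspended = []
    for agent in registry.values():
        if agent.owner == user and agent.status == "active":
            agent.status = f"suspended_owner_left_{today.isoformat()}"
            suspended.append(agent.agent_id)
    return sorted(suspended)


def overdue_recertifications(registry: dict[str, Agent], today: date) -> list[str]:
    """Agents whose last review is older than the cadence; feed to the owner's queue."""
    return sorted(a.agent_id for a in registry.values()
                  if a.status == "active" and today - a.last_recertified > RECERT_INTERVAL)


# Constructed sample data: two agents, one recently reviewed, one stale.
TODAY = date(2025, 1, 15)
DIRECTORY = {"alice", "bob"}
REGISTRY: dict[str, Agent] = {}
register_agent(REGISTRY, Agent("ticket-summariser", "alice", {"read:tickets", "write:summary"},
                               "internal", TODAY - timedelta(days=10)), DIRECTORY)
register_agent(REGISTRY, Agent("finance-exporter", "bob", {"read:ledger"},
                               "confidential", TODAY - timedelta(days=120)), DIRECTORY)

if __name__ == "__main__":
    print(authorize(REGISTRY["ticket-summariser"], "read:tickets", "internal", "low", DIRECTORY, TODAY))
    print("overdue:", overdue_recertifications(REGISTRY, TODAY))
    print("suspended on leaver:", offboard_user(REGISTRY, DIRECTORY, "alice", TODAY))
    print(authorize(REGISTRY["ticket-summariser"], "read:tickets", "internal", "low", DIRECTORY, TODAY))
```

The point of the structure is that `authorize` never consults a role name: it evaluates the agent's current attributes against the request's attributes, so a change of owner, a missed review or a suspension takes effect on the next call without editing a role model.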
What's in the full article
Nexis's full article covers the operational detail this post intentionally leaves for the source:
- A fuller walkthrough of the ownership model for AI agents inside IAM and GRC structures
- The article's intent hierarchy table showing how organisational, role-based, developer, and user intent interact
- Nexis's discussion of external AI services as third-party governance problems rather than internal automation
- The vendor's own examples of how Policy-Based Authorization can be mapped into existing IGA systems
👉 Read Nexis's analysis of AI agent governance beyond discovery →
Explore further
Discovery is now table stakes, but accountability is the missing control. The article is right to separate visibility from governance. Seeing an AI agent does not answer the IAM questions that matter: who owns it, what policy constrains it, and when its access must be withdrawn. The field should stop treating inventory as maturity, because governance begins only when identity is tied to responsibility and lifecycle.
A few things that frame the scale:
- NHIs exceed human identities in organizations today by a factor of 50 to 100, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows that governance confidence is still lagging behind identity growth.
A question worth separating out:
Q: How should IAM and GRC teams divide responsibility for AI agent governance?
A: IAM should manage identity, entitlement, and enforcement, while GRC should define policy, risk classification, and review cadence. For AI agents, those two functions must meet in the middle because access is both a technical and a governance issue. If they stay separate, agent oversight becomes fragmented and the review process loses effectiveness.
👉 Read our full editorial: AI agent governance needs ownership, not just discovery