AI agent identity and runtime control: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Agentic AI security requires authenticating, authorising, and auditing autonomous agents as first-class identities, because non-human identities already outnumber humans by about 50:1 and 80% of IT leaders report agents acting outside expected behaviour, according to Strata Identity and cited research. Existing IAM models break when agents act at machine speed across clouds and delegate work without stable human oversight, making runtime governance mandatory.

NHIMG editorial — based on content published by Strata Identity: agentic AI security and identity orchestration for autonomous agents

Questions worth separating out

Q: How should security teams govern AI agents that can act across multiple systems?

A: Security teams should govern AI agents as first-class identities with explicit delegation, runtime policy, and full audit trails.

Q: Why do AI agents challenge existing IAM and NHI controls?

A: AI agents challenge existing IAM and NHI controls because they do not behave like static users or long-lived service accounts.

Q: What breaks when AI agent access is reviewed only on a schedule?

A: Scheduled access review breaks because the agent may have already completed the risky action before the review happens.

Practitioner guidance

  • Inventory agent-facing identities and delegation paths: Map every AI agent to the user, workload, or service account that authorises it, including the systems it can reach and the boundaries it crosses.
  • Shift from sign-in checks to runtime policy enforcement: Apply policy during execution, not only at provisioning or login.
  • Adopt just-in-time provisioning for ephemeral agent tasks: Issue access only for the duration and scope of the task, then withdraw it automatically when the task ends.

What's in the full article

Strata Identity's full article covers the operational detail this post intentionally leaves for the source:

  • The eight-strategy breakdown with implementation-oriented framing for AI agent identity.
  • The Identity Orchestration architecture used to unify policy and audit across actor types.
  • The examples of hybrid, disconnected, and cross-cloud agent environments that drive the control model.
  • The product-oriented discussion of how the proposed architecture maps to enterprise deployment choices.

👉 Read Strata Identity's analysis of agentic AI security and identity orchestration →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Agentic AI breaks the assumption that access can be safely reviewed after the fact. Access review cycles were designed for identities whose privileges persist long enough to be observed, recertified, and withdrawn. When an autonomous agent can acquire, use, and discard access within the same session, the review artefact arrives after the decision has already mattered. The implication is that governance built around periodic review is no longer sufficient for agentic execution.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • Only 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope, which means the issue is already measurable and not theoretical.

A question worth separating out:

Q: How can organisations prove what an AI agent did and why it did it?

A: Organisations need end-to-end action traceability that links the initiating user or system, the delegation chain, the runtime policy decision, and the final outcome. Without that chain, you can see activity but not accountability. This is essential for incident response, compliance, and post-event investigation.

👉 Read our full editorial: Agentic AI security needs first-class identity and runtime control



   
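An added illustration, not part of either post or of Strata Identity's material: a minimal Python sketch of the controls discussed in this thread, combining a just-in-time grant, a per-action runtime decision, and a hash-chained audit record that ties each decision to the initiating user and delegation chain. The names `Grant`, `AuditLog` and `authorize`, and the record fields, are hypothetical and chosen for this example only.

```python
import hashlib, json, time
from dataclasses import dataclass, field

@dataclass
class Grant:
    """Just-in-time grant: one agent, one task, explicit scope and expiry."""
    agent: str
    delegation: list      # initiating user first, then each delegating actor
    scope: set            # allowed "action:resource" pairs
    expires_at: float     # epoch seconds; access is withdrawn automatically after this
    revoked: bool = False

@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def append(self, entry: dict) -> None:
        # Chain each record to the previous one so edits or deletions are detectable.
        entry["prev"] = self.records[-1]["hash"] if self.records else "0" * 64
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.records.append(entry)

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != digest:
                return False
            prev = rec["hash"]
        return True

def authorize(grant: Grant, action: str, resource: str, log: AuditLog, now=None) -> bool:
    """Runtime decision made per action, not once at sign-in; every decision is logged."""
    now = time.time() if now is None else now
    if grant.revoked:
        reason = "grant_revoked"
    elif now >= grant.expires_at:
        reason = "grant_expired"
    elif f"{action}:{resource}" not in grant.scope:
        reason = "out_of_scope"
    else:
        reason = "in_scope"
    allowed = reason == "in_scope"
    log.append({"ts": now, "agent": grant.agent, "delegation": list(grant.delegation),
                "action": action, "resource": resource,
                "decision": "allow" if allowed else "deny", "reason": reason})
    return allowed
```

The caller would append a further record with the action's outcome after execution; `verify()` returning `False` indicates that a stored record was altered or removed after the fact.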