Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent identity governance and OWASP support: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: A broader shift in AI agent security toward open, community-driven standards is reflected by Cyata’s OWASP corporate supporter status, according to CYATA. The source argues that autonomous agents create new governance gaps around access, data handling, and attributable action, and the implication is that agent identity must be governed as a first-class control plane, not treated as an extension of traditional app security.

NHIMG editorial — based on content published by CYATA: Cyata becomes OWASP Corporate Supporter, reinforcing commitment to open security practices as AI agents reshape organizations

Questions worth separating out

Q: How should security teams govern AI agent identities across enterprise systems?

A: Security teams should treat AI agents as governed identities with ownership, classification, and scoped access.

Q: Why do AI agents create more identity risk than ordinary automation?

A: AI agents create more identity risk because they can change actions, timing, and tool use at runtime.

Q: What do teams get wrong about AI agent access controls?

A: Teams often assume that registering an agent once is enough to control it.

Practitioner guidance

  • Inventory AI agent identities continuously Build a live register of agents, associated credentials, connected tools, and current data scopes.
  • Bind policy to runtime posture Move beyond onboarding checks and apply controls that adjust when an agent’s context, tool set, or data access changes.
  • Separate agent privileges by task and data class Limit each agent to the smallest practical set of tools, environments, and datasets needed for the current job.

What's in the full article

Cyata's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames posture-first control for agentic identity across discovery, explanation, and enforcement.
  • The specific OWASP community context behind its corporate supporter position and why that matters for standards work.
  • The vendor's own view of what a control plane for agentic identity should include in practice.
  • How Cyata positions agent governance relative to open collaboration and community-driven security practices.

👉 Read CYATA's analysis of AI agent identity governance and OWASP support →

AI agent identity governance and OWASP support: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

AI agent identity is now an NHI governance problem, not just an appsec concern. Once an agent can hold credentials, act across systems, and make independent runtime decisions, the identity question moves out of the application layer and into governance. That is why posture, attribution, and access scope become the primary control points. Practitioners should treat agent identity as an operational class in IAM, IGA, and PAM programmes.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 44% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who should own AI agent identity governance in an organisation?

A: Ownership should sit across IAM, security architecture, and the business team that uses the agent. IAM defines the identity model, security sets control requirements, and the business owner validates purpose and acceptable access. Without named ownership, agents become shadow identities with unclear accountability and weak offboarding. Suggested anchor: named ownership.

👉 Read our full editorial: AI agent identity governance moves toward open standards at OWASP



   
ReplyQuote
Share: