Notifications
Clear all
Topic starter
04/06/2026 3:01 pm
TL;DR: Government guidance from CISA, the NSA, and other agencies treats AI as a cybersecurity and resilience issue because agentic systems can retrieve data, invoke tools, and trigger workflows at machine speed, making identity and access the real control plane. Access review processes assume access persists long enough to be reviewed; autonomous actors can act, escalate, and vanish within a session.
NHIMG editorial — based on content published by Imprivata: new guidance on why identity and access are foundational to safe enterprise AI adoption
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams govern AI agent access in enterprise environments?
A: Security teams should govern AI agents as non-human identities with clear ownership, least privilege, short-lived credentials, and continuous auditability.
Q: Why do AI agents create more identity risk than ordinary automation?
A: AI agents create more identity risk because they can decide which tools to use, when to use them, and how to chain actions across systems.
Q: What breaks when AI agents are given broad inherited permissions?
A: Broad inherited permissions break the assumption that access is tied to a narrow business need.
Practitioner guidance
- Inventory every AI agent and workflow identity Map each agent to an owner, the credentials it uses, the data it can reach, and the systems it can invoke.
- Replace inherited access with task-scoped permissions Design permissions around the specific action and the specific context rather than mirroring a human role or a broad service account.
- Shorten credential lifetime and eliminate static secrets Use short-lived credentials, explicit revocation paths, and tighter token handling for every AI-connected workflow.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's breakdown of how CISA, NSA, and international guidance maps to enterprise AI control priorities
- Operational examples of where agentic AI crosses from productivity tooling into production security architecture
- A fuller list of IAM, PAM, and zero trust practices the vendor recommends for AI-connected workflows
- The source's own framing of governance questions for human oversight, auditability, and revocation
👉 Read Imprivata's analysis of AI agent identity governance and enterprise risk →
AI agent identity governance: are your controls keeping up?
Explore further
04/06/2026 3:15 pm
AI governance is now identity governance, not a separate discipline. The article's core point is that agentic systems reach into enterprise applications, data, and workflows through identities, permissions, and trust relationships. That means the governance question is no longer only what the model can do, but what the attached identity is allowed to do inside real systems. Practitioners should stop treating AI as an overlay and start treating it as another identity population under control.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who is accountable when an AI agent takes an unsafe action?
A: Accountability should sit with the business owner of the agent, the team that provisioned the access, and the control owners responsible for monitoring and revocation. If no one can answer who approved the identity, the scope, and the oversight model, the governance framework is not complete enough for production.
👉 Read our full editorial: AI agent identity governance is now central to enterprise AI safety
