TL;DR: Only 17% of organisations govern AI identities the same way they govern human identities, leaving agents free to accumulate privileges, expand scope, and act at machine speed, according to Saviynt. That gap makes lifecycle governance, not just runtime policy, the central control problem for agentic AI security.
NHIMG editorial — based on content published by Saviynt: From Code to Decommissioning: How Saviynt and LangChain Are Securing the AI Agent Lifecycle
By the numbers:
- Only 17% of organisations govern their AI identities in the same fashion as their human identities.
Questions worth separating out
Q: How should security teams govern AI agents across their full lifecycle?
A: Treat AI agents as non-human identities with an owner, a defined purpose, least-privilege access, runtime policy checks, and a retirement process.
Q: When does runtime enforcement matter more than static permissions for AI agents?
A: Runtime enforcement matters whenever an agent can make contextual tool calls or change behavior after provisioning.
Q: What is the difference between AI agent governance and traditional IAM?
A: Traditional IAM usually focuses on humans and stable accounts with periodic review cycles; AI agents can expand scope and act at machine speed between reviews, so they need lifecycle governance and runtime policy checks rather than periodic review alone.
Practitioner guidance
- Assign an owner to every AI agent: Make ownership mandatory at creation time so every agent has a named business or technical accountable party, a review cadence, and a clear decommission path.
- Enforce least privilege at agent creation: Require explicit scope boundaries, tool entitlements, and approval for any access beyond the initial task, using the same review discipline you would apply to sensitive service accounts.
- Add policy checks before every tool call: Place a runtime decision point in the action path so policy can block drift, unexpected context, or stale authorization before the agent reaches an external system.
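The three practices above can be combined into one small runtime component. The following is an added example written for this editorial, not code from Saviynt or LangChain: each agent is modelled as a non-human identity record with a mandatory owner, an explicit tool scope, an expiry, and a decommissioned flag, and a policy decision point is evaluated before every tool call, recording every decision to an audit log. All agent names, owners, tools and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable

# Constructed reference clock so the example runs deterministically offline.
FIXED_NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AgentIdentity:
    """One AI agent, modelled as a non-human identity with lifecycle fields."""
    agent_id: str
    owner: str                    # named accountable party; empty means ungoverned
    purpose: str
    allowed_tools: frozenset      # explicit tool entitlements (least privilege)
    expires_at: datetime          # authorization must be renewed by the owner
    decommissioned: bool = False  # retirement is an explicit state, not deletion


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyDecisionPoint:
    """Runtime check placed in the action path, evaluated before every tool call."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now
        self.audit_log: list = []  # every decision, allowed or denied, is recorded

    def evaluate(self, agent: AgentIdentity, tool: str) -> Decision:
        if agent.decommissioned:
            decision = Decision(False, "agent is decommissioned")
        elif not agent.owner:
            decision = Decision(False, "agent has no accountable owner")
        elif self._now() >= agent.expires_at:
            decision = Decision(False, "authorization is stale; owner must renew")
        elif tool not in agent.allowed_tools:
            decision = Decision(False, f"tool '{tool}' is outside declared scope")
        else:
            decision = Decision(True, "within scope and current")
        self.audit_log.append({
            "at": self._now().isoformat(),
            "agent": agent.agent_id,
            "owner": agent.owner,
            "tool": tool,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision


def guarded_call(pdp: PolicyDecisionPoint, agent: AgentIdentity, tool: str, fn: Callable, *args):
    """Execute fn only if the decision point allows this agent to use this tool."""
    decision = pdp.evaluate(agent, tool)
    if not decision.allowed:
        raise PermissionError(f"{agent.agent_id} -> {tool}: {decision.reason}")
    return fn(*args)


# Constructed sample agent: a ticket-triage agent entitled to exactly two tools.
SAMPLE_AGENT = AgentIdentity(
    agent_id="agent-triage-01",       # hypothetical identifier
    owner="alice@example.test",       # hypothetical accountable owner
    purpose="classify inbound support tickets",
    allowed_tools=frozenset({"read_ticket", "add_label"}),
    expires_at=FIXED_NOW + timedelta(days=30),
)


def run_demo(now: datetime = FIXED_NOW) -> dict:
    """Exercise the decision point across the lifecycle and return the outcomes."""
    pdp = PolicyDecisionPoint(now=lambda: now)
    tools = {"read_ticket": lambda tid: f"ticket {tid} body"}
    outcomes = {}
    # Normal operation: an in-scope tool call goes through.
    outcomes["in_scope"] = guarded_call(pdp, SAMPLE_AGENT, "read_ticket", tools["read_ticket"], "T-1")
    # Scope drift: the agent reaches for a tool it was never entitled to.
    outcomes["drift"] = pdp.evaluate(SAMPLE_AGENT, "refund_customer").allowed
    # Stale authorization: the same agent evaluated just after its expiry.
    late = PolicyDecisionPoint(now=lambda: SAMPLE_AGENT.expires_at + timedelta(seconds=1))
    outcomes["stale"] = late.evaluate(SAMPLE_AGENT, "read_ticket").allowed
    # Decommissioned: retirement denies everything regardless of scope.
    retired = replace(SAMPLE_AGENT, decommissioned=True)
    outcomes["retired"] = pdp.evaluate(retired, "read_ticket").allowed
    outcomes["audit_entries"] = len(pdp.audit_log)
    return outcomes
```

The decision point is deliberately separate from the tool implementations: the agent framework asks it before every call, so a change in the agent's behaviour after provisioning is caught at the action boundary, and the audit log gives the owner a per-call record to review or to hand to incident response.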
Security teams should prepare for agent governance to show up as an identity inventory problem as much as a runtime enforcement problem.
AI agents should be governed as non-human identities, not as software convenience layers. The core mistake in most programs is treating the agent as a development artifact instead of an identity with authority. Once an agent can authenticate, call tools, and reach data, it becomes a governance object with the same lifecycle obligations as a service account. Practitioners should build around that assumption rather than trying to special-case the agent category.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves most NHI estates only partially governed.
A question worth separating out:
Q: Why do AI agents create new risk even when they are short-lived?
A: Short-lived agents can still create long-lived risk if they receive broad credentials, touch sensitive systems, or leave incomplete audit trails. The duration of execution is less important than the authority exercised during that window. Practitioners should judge risk by the blast radius of the identity, not just by how long the code runs.
Read the full NHIMG editorial: AI agent lifecycle governance is the new identity control plane.