Notifications
Clear all
Topic starter
07/06/2026 8:51 pm
TL;DR: AI agents now create a security layer that can watch behaviour but cannot define authority, leaving enterprises with visibility into action and weak control over what those systems may access, according to WorkOS. The real issue is that monitoring tools do not replace authentication, authorization, or lifecycle governance for autonomous identities.
NHIMG editorial — based on content published by WorkOS: Zenity for AI Agent Security, features, pricing, and alternatives
Questions worth separating out
Q: How should security teams govern AI agents that have enterprise access?
A: Security teams should govern AI agents as non-human identities with explicit authentication, authorization, lifecycle, and audit controls.
Q: Why do AI agents create problems for traditional IAM programmes?
A: AI agents create problems because traditional IAM assumes access is relatively stable, attributable, and easy to certify over time.
Q: What breaks when observability is used instead of access control for AI agents?
A: What breaks is the security boundary itself.
Practitioner guidance
- Separate observability from authorization Map every AI agent control to one of three layers: discovery, policy enforcement, or runtime response.
- Inventory shadow AI across all deployment paths Track agents in SaaS-managed, home-grown, and device-based environments, then reconcile them against your identity inventory.
- Apply lifecycle governance to agent identities Require joiner-mover-leaver handling for AI agents just as you would for service accounts.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's feature-by-feature comparison between AI agent observability and foundational authentication infrastructure.
- The pricing and sales-motion details that matter when teams evaluate enterprise tooling beyond the strategy stage.
- The product-specific implementation context for WorkOS authentication, authorization, and audit logging in production environments.
- The article's own positioning on why the vendor sees identity control as the prerequisite layer for AI systems.
👉 Read WorkOS's analysis of Zenity's AI agent security approach and enterprise implications →
AI agent observability vs IAM controls: what teams are missing?
Explore further
08/06/2026 8:34 am
AI agent security is becoming an identity governance problem before it is a detection problem. The article shows a clear split between visibility tooling and enforceable access control. That split matters because most enterprise security programmes still treat monitoring as if it can compensate for undefined authority. The correct conclusion is that AI agents must be governed as identities, not just observed as software.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Should organisations separate AI agent monitoring from identity governance?
A: Yes. Organisations should separate AI agent monitoring from identity governance because they solve different problems. Monitoring answers what happened, while identity governance answers whether the action should have been possible. Keeping those functions distinct prevents teams from mistaking visibility for control and helps reduce over-permissioning.
👉 Read our full editorial: AI agent security exposes the gap between observability and IAM
