Notifications
Clear all
Topic starter
11/06/2026 10:59 pm
TL;DR: AI agents are shifting from configured tools to purchasable units of work, and Gathid argues that CMOs need identity clauses, auditability, rotation APIs, consent handling and performance SLAs before agent adoption scales. The governance model now has to treat agents as first-class identities, because speed without identity safety turns procurement into an access risk.
NHIMG editorial — based on content published by Gathid: AI agents will be bought as work units, not just deployed as tools
By the numbers:
- By 2028, enterprises are expected to spend over $680 billion annually for AI systems.
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.
Questions worth separating out
Q: How should organisations govern AI agents that act as business units of work?
A: Organisations should govern AI agents as first-class non-human identities.
Q: Why do AI agents create new identity governance risk in procurement?
A: AI agents turn access into a bought service, which can hide who is responsible for the identity, what it may do, and how it is removed.
Q: What breaks when agent access cannot be revoked quickly?
A: When agent access cannot be revoked quickly, business errors can compound at machine speed across publishing, pricing, data updates, or customer interactions.
Practitioner guidance
- Write identity clauses into agent contracts Define who owns the agent, what it can do, which approvals it bypasses, and how quickly access can be revoked if it drifts outside scope.
- Separate propose and publish rights Ensure no agent identity can both generate and approve the same action.
- Require tamper-evident audit trails Demand logs that capture inputs, outputs, policy context, and provenance in a form that exports into your governance and audit stack.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- Practical RFP language for identity clauses, auditability, consent handling, and off-switch rights
- Outcome-based SLAs for agent performance, revocation velocity, and provenance coverage
- Federated sharing patterns for keeping customer data in place while agents request controlled views
- Governance language for legal, procurement, and brand owners that turns agent risk into contract terms
👉 Read Gathid's analysis of AI agent procurement and identity safety →
AI agent procurement and identity safety: what do teams need to know?
Explore further
12/06/2026 7:27 am
Identity safety is becoming a procurement control, not a post-deployment cleanup task. The article correctly frames AI agents as units of work that must be contracted, scoped, and governed before they are put into production. That shifts identity decisions upstream into sourcing, legal, and procurement, where ownership and control terms can still be written into the deal. Practitioners should treat agent identity clauses as part of buying the service, not as an implementation detail after onboarding.
A few things that frame the scale:
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to 2025 State of NHIs and Secrets in Cybersecurity.
- 91% of former employee tokens remain active after offboarding, according to 2025 State of NHIs and Secrets in Cybersecurity, which shows how weak lifecycle closure can outlive the original trust decision.
A question worth separating out:
Q: Who is accountable when an AI agent causes brand or compliance harm?
A: Accountability should rest with the business owner, the system sponsor, and the control owners who approved the agent’s scope and lifecycle. If no one can produce the logs, approvals, and revocation record, the organisation has an accountability gap, not just a tooling gap.
👉 Read our full editorial: AI agent marketplaces turn identity safety into a procurement issue
