TL;DR: AI agents are already embedded across enterprise workflows, unsanctioned agents are appearing before governance is in place, and scope violations are now routine rather than exceptional, according to a CSA and Zenity survey of 445 IT and security professionals. Existing compliance frameworks are helping define oversight, but they are not closing the operational gap.
NHIMG editorial — based on content published by Zenity: AI Agents Are Already Running the Enterprise. Security Hasn't Caught Up
By the numbers:
- The report is based on 445 IT and security professionals across organizations of varying sizes and industries.
Questions worth separating out
Q: How should security teams govern AI agents that can act across multiple systems?
A: Security teams should govern AI agents as active identities with named ownership, bounded action rights, and a documented offboarding path.
Q: Why do AI agents create more governance risk than standard automation?
A: AI agents create more governance risk because they can choose actions at runtime, use tools dynamically, and continue execution without a human approval gate between steps.
Q: What do security teams get wrong about AI agent scope control?
A: Teams often assume a task description is enough to define privilege.
Practitioner guidance
- Inventory every AI agent as a governed identity. Create a live register that captures owner, data access, connected tools, approval path, and offboarding condition before production use.
- Tie each agent to an approved action boundary. Define the exact actions an agent may take and block escalation from read-only to write or from advisory to transactional use unless a separate review approves that change.
- Measure scope violations as a control signal. Track when an agent performs an action outside its declared task, especially record modification, quote requests, ticket changes, or unplanned tool calls.
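The three steps above, sketched as an added example (not code from Zenity, CSA, or the report): a register keyed by agent, a declared action boundary per agent, and a check that labels each audit event that falls outside it. The agent names, tool names, verbs, and event fields are all hypothetical and the events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentRecord:
    # Register fields named in the guidance above; values below are constructed.
    owner: str
    data_access: frozenset
    connected_tools: frozenset
    approval_path: str
    offboarding_condition: str
    allowed_actions: frozenset  # approved (tool, verb) pairs: the action boundary

REGISTER = {  # hypothetical agents
    "support-summarizer": AgentRecord(
        "jane.doe@example.com", frozenset({"tickets"}), frozenset({"ticketing"}),
        "security-review", "owner leaves or project ends",
        frozenset({("ticketing", "read")})),
    "quote-assistant": AgentRecord(
        "sam.lee@example.com", frozenset({"accounts"}), frozenset({"crm"}),
        "sales-ops-review", "contract end",
        frozenset({("crm", "read"), ("crm", "create_quote")})),
}

def classify(event, register):
    """Return a violation label for one audit event, or None if it is in scope."""
    rec = register.get(event["agent_id"])
    if rec is None:
        return "unregistered_agent"        # agent running outside the register
    tool, verb = event["tool"], event["verb"]
    if tool not in rec.connected_tools:
        return "unplanned_tool_call"
    if (tool, verb) in rec.allowed_actions:
        return None
    # Out of boundary: separate read-only -> write escalation from other misuse.
    read_only = all(v == "read" for t, v in rec.allowed_actions if t == tool)
    return "read_to_write_escalation" if read_only and verb != "read" else "action_outside_boundary"

def scope_violations(events, register=REGISTER):
    """Return (agent_id, tool, verb, label) for every out-of-scope event."""
    return [(e["agent_id"], e["tool"], e["verb"], label)
            for e in events if (label := classify(e, register))]

SAMPLE_EVENTS = [  # constructed audit events
    {"agent_id": "support-summarizer", "tool": "ticketing", "verb": "read"},
    {"agent_id": "support-summarizer", "tool": "ticketing", "verb": "update"},
    {"agent_id": "support-summarizer", "tool": "crm", "verb": "read"},
    {"agent_id": "quote-assistant", "tool": "crm", "verb": "create_quote"},
    {"agent_id": "quote-assistant", "tool": "crm", "verb": "delete"},
    {"agent_id": "shadow-bot", "tool": "email", "verb": "send"},
]

if __name__ == "__main__":
    for row in scope_violations(SAMPLE_EVENTS):
        print(row)
```

Counting the returned labels per agent over time gives the control signal the last step asks for.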
What's in the full report
Zenity's full report covers the operational detail this post intentionally leaves for the source:
- The breakdown of how many organisations already have unsanctioned agents in production and how that scales by company size.
- The incident timing data showing how long teams take to detect and contain agent scope violations once they occur.
- The survey breakdown across IT, security, engineering, customer service, and executive workflows, useful for benchmarking internal rollout patterns.
- The compliance mapping detail showing which frameworks organisations are using to justify oversight and where the readiness gap remains.
AI agent scope violations are the governance gap teams are missing
Explore further
AI agents are becoming governance subjects before they are governance objects. The article shows organisations are already deploying agents into daily work while visibility, ownership, and response structures remain incomplete. That means the field is no longer debating adoption, but struggling to govern behaviour that is already live. Practitioners should treat agent identity as an active governance domain, not an emerging pilot category.
A few things that frame the scale:
- 1 in 4 organisations is already investing in dedicated NHI security capabilities, according to The State of Non-Human Identity Security.
- Our research also shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a familiar visibility failure pattern for unmanaged non-human access.
A question worth separating out:
Q: Who is accountable when an unsanctioned AI agent causes an incident?
A: Accountability should sit with the business and technical owner who allowed the agent to connect to enterprise systems, plus the control owners responsible for approval and monitoring. If no owner is named, accountability is already broken and incident response will be slower than it should be.