TL;DR: AI agent security is now being shaped by public research, standards work, open-source tooling, and practitioner community building, according to Zenity Labs, with contributions to MITRE ATLAS, OWASP projects, and NIST policy discussions. The central issue is no longer awareness but whether identity and authorization models can keep pace with agentic behaviour.
NHIMG editorial — based on content published by Zenity: Zenity Labs: The Bleeding Edge
By the numbers:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate (AI Agents: The New Attack Surface report).
Questions worth separating out
Q: How should security teams govern AI agents that can call tools and take actions on their own?
A: Security teams should govern autonomous agents as identity-bearing actors, not as ordinary applications.
Q: Why do AI agents create new IAM and NHI governance problems?
A: AI agents create new governance problems because they can move from request to execution without the fixed patterns that traditional IAM assumes: a known requester, a predetermined set of resources, and a human deciding each step. An agent selects tools and chains actions at runtime, so a static entitlement review does not tell you what it will actually do.
Q: What do security teams get wrong about AI agent risk management?
A: Teams often treat agent risk as a tooling issue when it is really a governance issue.
Practitioner guidance
- Map agent decision authority separately from application access: document which agents can choose tools, trigger actions, and chain steps without human approval.
- Align internal policy to external agent security standards: crosswalk your current controls to the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework, then record where agent-specific requirements are still missing.
- Use inspectable research methods for agent attack-surface testing: require repeatable testing for agent prompts, tool use, delegation paths, and connector exposure so security teams can reproduce findings internally.
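What the first guidance item looks like as an enforceable control, as an added illustration that is not Zenity's or NHIMG's code: a per-agent decision-authority map (which tools the agent may pick on its own, which it may call only with a human approval ticket, and how many steps it may chain before a human checkpoint), checked at every tool call and kept separate from the application access the agent also holds. It also records an owner who can suspend the agent, and logs every decision for that owner's review. Agent identities, tool names, ticket ids and the policy values are hypothetical.

```python
"""Added illustration, not code from the original page or from Zenity.
A tool-call authorization gate keyed on agent identity. Names are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AgentAuthority:
    """Decision authority for one agent identity, kept separate from the
    application permissions (DB roles, API scopes) the agent also holds."""
    owner: str                     # accountable team: reviews scope, can suspend, signs off offboarding
    allowed_tools: frozenset       # tools the agent may select and call on its own
    approval_required: frozenset   # tools it may call only with a human approval ticket
    max_chain_depth: int           # autonomous steps it may chain before a human checkpoint
    suspended: bool = False        # owner can pull the agent out of service


@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    tool: str
    chain_depth: int               # 1 for the first step taken after the triggering request
    approval_ticket: Optional[str] = None


# Constructed sample policy; identities, tool names and limits are hypothetical.
AUTHORITY = {
    "ticket-triage-agent": AgentAuthority(
        owner="support-platform",
        allowed_tools=frozenset({"search_tickets", "read_ticket", "add_comment"}),
        approval_required=frozenset({"close_ticket", "refund_customer"}),
        max_chain_depth=3,
    ),
    "release-bot": AgentAuthority(
        owner="platform-eng",
        allowed_tools=frozenset({"list_builds"}),
        approval_required=frozenset({"deploy_to_prod"}),
        max_chain_depth=1,
        suspended=True,            # owner has suspended this agent
    ),
}

# Constructed sample of open human approvals: (agent_id, tool) -> ticket ids.
APPROVED_TICKETS = {
    ("ticket-triage-agent", "refund_customer"): {"CHG-1042"},
}

AUDIT_LOG = []


def authorize(call, authority=AUTHORITY, tickets=APPROVED_TICKETS):
    """Return (allowed, reason). Every decision is also appended to AUDIT_LOG
    so the owning team can review what the agent tried to do."""
    allowed, reason = _decide(call, authority, tickets)
    AUDIT_LOG.append({"agent": call.agent_id, "tool": call.tool,
                      "depth": call.chain_depth, "allowed": allowed, "reason": reason})
    return allowed, reason


def _decide(call, authority, tickets):
    policy = authority.get(call.agent_id)
    if policy is None:
        return False, "unregistered agent identity"
    if policy.suspended:
        return False, f"agent suspended by owner {policy.owner}"
    if call.chain_depth > policy.max_chain_depth:
        return False, (f"chain depth {call.chain_depth} exceeds limit "
                       f"{policy.max_chain_depth}; human checkpoint required")
    if call.tool in policy.allowed_tools:
        return True, "within autonomous decision authority"
    if call.tool in policy.approval_required:
        valid = tickets.get((call.agent_id, call.tool), set())
        if call.approval_ticket in valid:
            return True, f"human-approved via {call.approval_ticket}"
        return False, "tool requires a human approval ticket"
    return False, "tool outside this agent's decision authority"


if __name__ == "__main__":
    for c in (ToolCall("ticket-triage-agent", "read_ticket", 1),
              ToolCall("ticket-triage-agent", "refund_customer", 2),
              ToolCall("ticket-triage-agent", "refund_customer", 2, "CHG-1042"),
              ToolCall("release-bot", "list_builds", 1)):
        print(c.agent_id, c.tool, authorize(c))
```

The point of the split is that `allowed_tools` and `approval_required` describe decision authority, not data access: an agent can hold read access to a ticketing system and still be denied the right to decide on a refund, and the chain-depth limit forces a human checkpoint regardless of which individual tools are permitted.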
What's in the full article
Zenity's full blog post covers the operational detail this post intentionally leaves for the source:
- Examples of the research, standards, and community initiatives mentioned in the Labs model
- The specific ways Zenity Labs contributes to OWASP, MITRE ATLAS, and NIST workstreams
- Details on the open-source tools and community programmes the article references
- Background on the AI Agent Security Summits and 0-dAI community roadmap
Read Zenity's analysis of its AI agent security research, standards, and community work.
Explore further
AI agent security research and standards: what practitioners need now
AI agent security is becoming an identity governance discipline, not a niche AI issue. Zenity Labs' research, standards, and community model shows that the field is converging on governance, not just detection. Once agents can select tools and initiate actions, the question becomes who can authorize, review, and constrain those actions across the lifecycle. Practitioners should treat this as a cross-programme identity problem spanning NHI, IAM, and emerging agentic controls.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including unauthorised system access, sensitive data sharing, and revealing credentials.
A question worth separating out:
Q: Who should be accountable when an AI agent behaves outside policy?
A: Accountability should sit with the team that owns the agent, its permissions, and the business process it supports. If an autonomous system can act without approval, governance must define who reviews its scope, who can suspend it, and who signs off on its offboarding. Without that clarity, incidents become ownership disputes.
Read our full editorial: Zenity Labs shows how AI agent security is becoming a field.