TL;DR: AI agents are becoming the dominant attack surface because they retrieve data, call tools, and take actions across enterprise systems, while legacy DLP, DSPM, and IAM controls were built for users and static workloads, according to Cyera. The core issue is not just visibility, but governance of non-human identities whose runtime decisions expand blast radius faster than review processes can keep up.
NHIMG editorial — based on content published by Cyera: The Future of AI Data Security: Trends, Tools, and Technologies to Watch
By the numbers:
- The Cloud Security Alliance puts the ratio of NHIs to humans at 10x to 50x in most enterprises, and it's accelerating as agents scale.
Questions worth separating out
Q: How should security teams govern AI agents that can reach sensitive data?
A: Treat each agent as a non-human identity with explicit data reach, not just application access.
Q: Why do AI agents change identity governance requirements?
A: AI agents change governance because they do not merely hold access, they exercise it dynamically.
Q: What breaks when DLP and DSPM are built only for users and files?
A: They miss the chain of authenticated actions that an agent performs across systems.
Practitioner guidance
- Map each agent to its reachable data: Create an inventory that links every agent, model, and workflow identity to the sensitive datasets, APIs, and systems it can reach.
- Separate prompt inspection from runtime policy: Test whether your controls can evaluate retrievals, tool calls, and agent-to-agent handoffs before the action completes.
- Use blast-radius questions in access reviews: Ask what data the agent can touch today, what it touched in the last 24 hours, and whether that remains consistent with its intended purpose.
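The blast-radius questions above, run over an agent inventory and an access log, as an added example that is not code from Cyera's article or from NHIMG. The agent names, dataset names, log format and the functions `review_agent` and `agents_needing_review` are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: what each agent is granted vs. what its purpose needs.
INVENTORY = {
    "support-triage-agent": {
        "reachable": {"tickets", "kb_articles", "customer_pii", "billing_records"},
        "intended": {"tickets", "kb_articles"}},
    "invoice-agent": {
        "reachable": {"billing_records"}, "intended": {"billing_records"}},
    "kb-indexer": {
        "reachable": {"kb_articles"}, "intended": {"kb_articles"}},
}

# Constructed access events: (agent, dataset, ISO-8601 UTC timestamp).
ACCESS_LOG = [
    ("support-triage-agent", "tickets", "2025-01-10T09:15:00+00:00"),
    ("support-triage-agent", "customer_pii", "2025-01-10T11:40:00+00:00"),
    ("support-triage-agent", "billing_records", "2025-01-08T08:00:00+00:00"),
    ("invoice-agent", "billing_records", "2025-01-10T10:05:00+00:00"),
    ("invoice-agent", "hr_files", "2025-01-10T10:06:00+00:00"),
]

def review_agent(agent_id, now, window=timedelta(hours=24)):
    """Answer the three blast-radius questions for one agent."""
    entry = INVENTORY[agent_id]
    touched = {
        dataset for agent, dataset, ts in ACCESS_LOG
        if agent == agent_id
        and now - window <= datetime.fromisoformat(ts) <= now
    }
    return {
        "reachable_today": sorted(entry["reachable"]),
        "touched_last_24h": sorted(touched),
        # Reach granted beyond the stated purpose: candidate for removal.
        "excess_reach": sorted(entry["reachable"] - entry["intended"]),
        # Recent activity outside the stated purpose: owner must explain.
        "off_purpose_access": sorted(touched - entry["intended"]),
        # Activity on data the inventory calls unreachable: inventory is stale.
        "inventory_gap": sorted(touched - entry["reachable"]),
    }

def agents_needing_review(now):
    """Return only agents whose reach or recent behaviour departs from intent."""
    reports = {a: review_agent(a, now) for a in INVENTORY}
    keys = ("excess_reach", "off_purpose_access", "inventory_gap")
    return {a: r for a, r in reports.items() if any(r[k] for k in keys)}

if __name__ == "__main__":
    now = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
    print(agents_needing_review(now))
```

The `inventory_gap` field is the case where discovery has fallen behind runtime: the log shows access that the inventory does not account for.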
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor breaks down agent inventory, posture, runtime, and endpoint controls into a single AI security stack.
- The specific examples of tool-call, retrieval, and agent-to-agent handoff monitoring that go beyond prompt scanning.
- The article's view of how AI-SPM and DSPM are converging in enterprise security programmes.
- The closing assessment of what security leaders should measure in the next 12 to 18 months.
AI agents and NHI governance: what changes for security teams?
AI agents are now the most important non-human identity problem because their permissions have operational consequences, not just access consequences. The article is right to move the centre of gravity away from prompt safety and toward identity and data reach. Once an agent can retrieve, decide, and act, the question is not whether it logged in, but how far its authority extends at runtime. For practitioners, this means NHI governance must be measured in reachable data and executable actions, not only credential inventory.
A few things that frame the scale:
- 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
- 57% of organisations lack a complete inventory of their machine identities, which is why discovery alone is not yet governance.
A question worth separating out:
Q: How do security teams know if agent governance is actually working?
A: It is working only if the team can answer three questions quickly for any agent: what it can reach, what it did recently, and whether that behaviour matches intent. If any of those answers require manual reconstruction, governance exists on paper but not in operations.