Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agents, zero trust, and the governance gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Forrester Summit coverage says security leaders are balancing enterprise, ecosystem, and external risk while AI agents rapidly reshape operations, with 32% of respondents seeing critical risk events rise year-over-year and 41% naming cyberattacks the top risk event, according to Elisity. The real issue is that governance, identity, and Zero Trust controls still assume slower, human-paced decision cycles that agentic systems do not follow.

NHIMG editorial — based on content published by Elisity: Day 1 at Forrester Security & Risk Summit 2025, focusing on AI agents, Zero Trust, and what's coming

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can take action in production?

A: Security teams should govern AI agents as non-human identities with bounded runtime authority, explicit task scope, and revocation points.

Q: Why do AI agents complicate Zero Trust and least privilege?

A: AI agents complicate Zero Trust because they compress decision, access, and execution into one runtime loop.

Q: What do teams get wrong about AI-assisted remediation?

A: Teams often assume AI-assisted remediation is only a speed problem, when the deeper issue is trust in the underlying ownership data.

Practitioner guidance

  • Re-baseline agent authority by task, not by role Define the minimum runtime permissions each AI agent needs for a single workflow, then revoke or isolate anything that is not required before the next execution cycle.
  • Map Zero Trust ownership across all three governance layers Assign clear owners for strategy, policy design, and real-time enforcement so identity, network, and data controls do not fragment across teams.
  • Instrument AI-assisted remediation with verified ownership data Require validated asset, code owner, and dependency records before an AI-generated action is approved or executed in production.

What's in the full article

Elisity's full post covers the operational detail this summary intentionally leaves for the source:

  • The summit session-by-session context behind AEGIS, Zero Trust governance, and proactive security.
  • The specific operational trade-offs discussed for AI agents, including temporary authority, documentation, and guardrails.
  • The full set of examples and metrics tied to remediation speed, vendor evaluation, and governance alignment.
  • The practical framing used by the speakers to connect enterprise, ecosystem, and external risk into one operating model.

👉 Read Elisity's coverage of AI agents, Zero Trust, and Summit governance themes →

AI agents, zero trust, and the governance gap teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

AI agents turn governance from periodic review into continuous containment. The summit's framing confirms that security leaders are no longer dealing only with static NHI sprawl, but with identities that can decide, retry, and chain actions mid-session. That shifts the question from whether an access grant is approved to whether the programme can survive a decision loop that moves faster than review cadences. Practitioners should treat agentic behaviour as a containment problem, not a scheduling problem.

A few things that frame the scale:

  • 23.5% of security professionals are unsure about the biggest threat to their non-human identities, indicating a significant awareness gap, according to The 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.

A question worth separating out:

Q: How do organisations prevent governance drift when third parties are involved?

A: Organisations prevent governance drift by assigning ownership across the enterprise, ecosystem, and external layers before exceptions accumulate. Third-party access, partner workflows, and shared integrations need the same identity scrutiny as internal systems, but with tighter limits on default trust. Without that, policy gaps appear first at the boundary.

👉 Read our full editorial: AI agents and zero trust are colliding with old governance models



   
ReplyQuote
Share: