AI authorization gap: are your controls keeping up with agents?


(@nhi-mgmt-group)

TL;DR: Gartner projects AI governance spending will reach $492 million in 2028 and exceed $1 billion by 2030, while regulation is expected to extend to 70% of global economies by the end of the decade. According to EnforceAuth, this underscores the gap between visibility and runtime control. The real issue is that point-in-time audits and policy tracking do not continuously authorize what AI is allowed to do.

NHIMG editorial — based on content published by EnforceAuth: Gartner's AI governance research and the authorization gap analysis

By the numbers:

Questions worth separating out

Q: How should security teams implement AI authorization alongside AI governance?

A: Security teams should split the problem into two layers.

Q: Why do point-in-time audits fall short for AI systems?

A: Point-in-time audits only capture a snapshot of access and behaviour, but AI systems can change context between actions.

Q: What do security teams get wrong about AI safety controls?

A: Teams often assume content filters, guardrails, and alignment checks also secure operations.

Practitioner guidance

  • Separate governance from enforcement: Map inventory, risk, and compliance controls to governance, then document the runtime authorization control that actually blocks or allows each AI action.
  • Test for continuous authorization: Review each AI workflow for the exact moments where context changes, such as data classification, tool selection, or downstream delegation, and require a fresh authorization decision at those points.
  • Move policy into code: Store AI authorization logic in version control so teams can review changes, test policy before release, and preserve portability across platform shifts.

What's in the full article

EnforceAuth's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the vendor maps authorization across applications, infrastructure, data, and AI workloads in one control model
  • The policy-as-code workflow it recommends for versioning, testing, and deploying AI authorization rules
  • Specific guidance on evaluating vendor consolidation risk and policy portability during platform selection
  • The article's interpretation of Gartner's governance findings and how the vendor positions runtime enforcement against point-in-time audits

👉 Read EnforceAuth's analysis of the AI governance authorization gap →
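
As an added illustration of the "Test for continuous authorization" and "Move policy into code" guidance above (not code from this post or from EnforceAuth), the sketch below runs one constructed agent workflow twice: once with a single authorization at session start, once with a fresh decision before every action. The policy table, tool names, classification labels and function names are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy, kept in version control: per-tool data ceiling, max delegation depth.
CLASS_RANK = {"public": 0, "internal": 1, "restricted": 2}
POLICY = {
    "max_class_by_tool": {"search_docs": "internal", "send_email": "public"},
    "max_delegation_depth": 1,
}

@dataclass(frozen=True)
class ActionContext:
    agent: str
    tool: str
    data_class: str        # classification of the data in play right now
    delegation_depth: int  # 0 = the agent itself, 1 = a sub-agent, ...

def authorize(ctx, policy=POLICY):
    """Return (allowed, reason) for a single action; anything unlisted is denied."""
    ceiling = policy["max_class_by_tool"].get(ctx.tool)
    if ceiling is None:
        return False, f"tool {ctx.tool!r} not in policy"
    if ctx.data_class not in CLASS_RANK:
        return False, f"unknown classification {ctx.data_class!r}"
    if CLASS_RANK[ctx.data_class] > CLASS_RANK[ceiling]:
        return False, f"{ctx.data_class} data exceeds {ceiling} ceiling for {ctx.tool}"
    if ctx.delegation_depth > policy["max_delegation_depth"]:
        return False, "delegation depth exceeds policy"
    return True, "ok"

def run_workflow(steps, continuous):
    """Authorize once at the start (point-in-time) or before every step (continuous)."""
    executed = []
    session_ok = authorize(steps[0])[0]
    for ctx in steps:
        allowed = authorize(ctx)[0] if continuous else session_ok
        if not allowed:
            break  # stop the workflow at the first denied action
        executed.append((ctx.tool, ctx.data_class, ctx.delegation_depth))
    return executed

# Constructed workflow: the context changes at every step.
STEPS = [
    ActionContext("agent-a", "search_docs", "internal", 0),
    ActionContext("agent-a", "send_email", "internal", 0),      # tool selection changes
    ActionContext("agent-a", "search_docs", "restricted", 2),   # classification and delegation change
]
if __name__ == "__main__":
    for mode in (False, True):
        print("continuous" if mode else "point-in-time", run_workflow(STEPS, mode))
```

Because `POLICY` is plain data and `authorize` is a pure function, a policy change can be reviewed as a diff and unit-tested before release.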
