AI domain attack surface explosion: what IAM teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: AI systems and autonomous agents are creating rapidly expanding non-human identity populations, broad data access patterns, and new attack paths that existing governance models were not built to control, according to Clutch Security. The security assumption that machine identities can be discovered, reviewed, and constrained inside traditional cadence windows is breaking under AI-scale sprawl.

NHIMG editorial — based on content published by Clutch Security: The AI Domain: The Emerging Intelligence Frontier Where Agenticness Meets Attack Surface Explosion

Questions worth separating out

Q: How should security teams govern AI agents that access multiple enterprise systems?

A: Security teams should treat AI agents as high-privilege non-human identities with explicit ownership, scoped permissions, and lifecycle controls.

Q: Why do AI agents create a larger attack surface than ordinary automation?

A: AI agents can combine broad permissions, cross-system execution, and dynamic task behaviour in ways that ordinary automation does not.

Q: What do security teams get wrong about AI governance?

A: Teams often focus on model controls while ignoring identity controls.

Practitioner guidance

  • Build a complete AI identity inventory: scan cloud, developer, and business-unit environments for AI services, agents, API keys, and service accounts.
  • Separate AI agent permissions from general application access: review every AI-connected identity for cross-system write privileges, data-repository access, and delegated actions.
  • Treat training data as a secrets boundary: search training corpora, prompts, and model outputs for embedded credentials, tokens, and sensitive records.

What's in the full article

Clutch Security's full research covers the operational detail this post intentionally leaves for the source:

  • The article's domain-by-domain breakdown of where AI credentials are created, inherited, and lost across enterprise environments
  • The vendor's recommended security workflow for AI-specific governance, discovery, lifecycle management, and monitoring
  • Examples of AI agent privilege accumulation and business-process manipulation that help teams translate the findings into controls
  • The article's framing for how AI domain risk cascades into broader NHI governance across the enterprise

👉 Read Clutch Security's analysis of AI domain attack surface explosion →
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

AI domain governance is now an identity problem before it is an AI problem. The article is right to frame the AI domain as an expanding attack surface, but the key discipline shift is that discovery, ownership, and lifecycle control now matter more than model novelty. When AI systems are created by business units and inherit credentials across multiple platforms, the governance question becomes who owns the identity, what it can touch, and when it should be removed. Practitioners should treat AI growth as NHI growth with extra volatility.

A few things that frame the scale:

A question worth separating out:

Q: How can organisations reduce the risk of secrets in AI training data?

A: Organisations should treat training data, prompts, and outputs as part of the secrets management boundary. That means scanning for credentials before ingestion, controlling who can fine-tune or query models, and monitoring for sensitive data in generated responses. Once secrets enter the model lifecycle, they can persist beyond the original source system.

👉 Read our full editorial: The AI domain is forcing a new model for NHI governance

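The pre-ingestion scan and output monitoring described in the answer above, as an added example that is not part of the original post or of Clutch Security's material: it gates a constructed set of corpus records on a small, assumed set of credential patterns (not an exhaustive detector) and reuses the same patterns to screen generated responses.

```python
import re
from dataclasses import dataclass

# Illustrative credential shapes (assumed, not exhaustive); one set both gates ingestion and screens outputs.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\b"),
    "keyword_assignment": re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

@dataclass
class Finding:
    record_id: str
    kind: str
    matched: str

def scan_text(record_id: str, text: str) -> list[Finding]:
    """Return one Finding per credential-shaped span found in text."""
    return [Finding(record_id, k, m.group(0)) for k, p in SECRET_PATTERNS.items() for m in p.finditer(text)]

def redact(text: str) -> str:
    """Replace every credential-shaped span so a quarantined record can be retained safely."""
    for pat in SECRET_PATTERNS.values():
        text = pat.sub("[REDACTED]", text)
    return text

def gate_corpus(records):
    """Split (record_id, text) pairs into ingestible records and a quarantine map of id -> finding kinds."""
    clean, quarantine = [], {}
    for record_id, text in records:
        findings = scan_text(record_id, text)
        if findings:  # never pass a record with a finding through unredacted
            quarantine[record_id] = [f.kind for f in findings]
        else:
            clean.append((record_id, text))
    return clean, quarantine

def output_leaks_secret(model_output: str) -> bool:
    """Monitoring hook for generated responses: True means the reply should be withheld for review."""
    return bool(scan_text("output", model_output))

# Constructed sample corpus (not real data); AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id.
SAMPLE_CORPUS = [
    ("doc-001", "Onboarding guide: request access through the platform team ticket queue."),
    ("doc-002", "Deploy notes: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE before running."),
    ("doc-003", "Support transcript: agent replied with api_key=sk_live_0123456789abcdefABCDEF"),
    ("doc-004", "Runbook paste: -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA -----END RSA PRIVATE KEY-----"),
]
```

Running `gate_corpus(SAMPLE_CORPUS)` passes only doc-001 through and quarantines the other three by finding kind; the quarantined text can then be kept via `redact` or dropped.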