Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI governance and shadow AI: what IAM teams need to see


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI governance is already colliding with shadow AI, missing API specs, and unpredictable token costs as enterprises deploy agents faster than controls can centralise, according to Kong. The real issue is not AI enthusiasm but the fact that governance, security, and cost control are still being treated as add-ons instead of foundation design.

NHIMG editorial — based on content published by Kong: The AI Governance Wake-Up Call

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can call APIs and models directly?

A: Security teams should govern AI agents through central policy enforcement, scoped access, and complete logging at the gateway or control plane.

Q: Why do AI agents create new identity and access management risks?

A: AI agents create new identity and access management risks because they can initiate actions, select tools, and consume data at runtime across multiple systems.

Q: What breaks when AI governance is left to individual teams?

A: What breaks is accountability.

Practitioner guidance

  • Map every AI entry point to an owner Inventory direct model calls, MCP servers, agent runtimes, and gateway paths, then assign a single accountable owner for each path.
  • Bind AI access to policy at the gateway Enforce allowlists, scopes, request validation, and logging at the point where agents reach models or downstream APIs.
  • Classify AI traffic by identity, not just application Track which service accounts, API clients, or agent identities are invoking workloads, and tie each one to a lifecycle record for review, offboarding, and audit.

What's in the full article

Kong's full blog covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how teams are centralising AI traffic through gateways and control points.
  • Implementation details on LLM request validation, routing, and rate limiting for enterprise AI traffic.
  • Customer examples showing how governance, observability, and cost controls were applied in practice.
  • The article's full discussion of organisational ownership, including where AI governance should sit.

👉 Read Kong's analysis of AI governance, shadow AI, and token cost control →

AI governance and shadow AI: what IAM teams need to see?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI governance is becoming an identity governance problem before it becomes an AI tooling problem. Once agents can call models, APIs, and data sources directly, the real control question shifts from model quality to who or what is authorised to act. That makes policy, logging, and lifecycle oversight the foundation, not the afterthought. Practitioners should stop treating AI traffic as a separate universe from IAM and NHI governance.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.

A question worth separating out:

Q: Who should own AI governance in the enterprise?

A: AI governance should be owned jointly, but with a single operating model that spans platform engineering, security, IAM, and finance. If ownership is split without shared controls, the organisation gets inconsistent policy enforcement and no reliable audit trail.

👉 Read our full editorial: AI governance is becoming an API and identity problem



   
ReplyQuote
Share: