
AI-native access for agents and service accounts: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Opal’s CPO argues that access governance now has to cover humans, service accounts, and autonomous agents on one platform, because machine-speed identities can act without human approval and expose sensitive systems faster than quarterly review cycles can keep up, according to Opal Security. The governing assumption is collapsing: access can no longer be treated as stable long enough to review after the fact.

NHIMG editorial — based on content published by Opal Security: Building What’s Next, a conversation with CPO Sameer Mehta

Questions worth separating out

Q: How should security teams govern autonomous agents that can access production systems?

A: Treat autonomous agents as governed actors with explicit ownership, scoped privileges, runtime policy checks, and immediate containment options.

Q: Why do service accounts and AI agents complicate traditional access reviews?

A: Because access reviews assume entitlements remain stable long enough for a person to inspect them.

Q: What breaks when organisations use one IAM model for humans and non-human identities?

A: A single human-centric IAM model often breaks because it ignores runtime usage, machine-driven action paths, and the need for non-human containment.

Practitioner guidance

  • Map every autonomous agent to an accountable owner: require each agent to have a named business owner, technical owner, and control boundary before it is allowed to reach production systems.
  • Move privileged access checks to runtime: apply runtime approval or policy evaluation for sensitive actions rather than relying on periodic certification alone.
  • Separate human, service account, and agent policy paths: do not recycle a single role model across different actor types.

What's in the full article

Opal Security's full article covers the operational detail this post intentionally leaves for the source:

  • How Opal describes its access graph, policy-as-code workflow, and AI-native enforcement model in practice
  • The product reasoning behind AI-guided access reviews and just-in-time access for mixed identity populations
  • How the platform positions explainability, runtime control, and continuous access decisions for production environments
  • The leadership perspective behind Opal's product roadmap and how it is prioritising agent governance

👉 Read Opal Security's conversation on AI-native access governance for humans, services, and agents →
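The three guidance points above (an accountable owner per agent, runtime policy evaluation for sensitive actions, and separate policy paths per actor type), together with the containment option named in the first Q&A, as an added worked example that is not part of the original post and is not Opal's product code: a small policy evaluator in which every request is decided at request time rather than at review time. The actor and resource names (`invoice-agent`, `payments-db`, `k8s-prod`), the grant lifetimes, and the rule that service accounts never receive admin are constructed assumptions chosen for illustration.

```python
"""Runtime access evaluation for humans, service accounts and agents.

Added example; all actors, resources and lifetimes below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class ActorType(Enum):
    HUMAN = "human"
    SERVICE_ACCOUNT = "service_account"
    AGENT = "agent"


@dataclass
class Actor:
    actor_id: str
    actor_type: ActorType
    business_owner: Optional[str] = None
    technical_owner: Optional[str] = None
    # Control boundary: the (resource, action) pairs this actor may request at all.
    boundary: FrozenSet[Tuple[str, str]] = frozenset()
    # Containment flag: once set by contain(), every later request is denied.
    contained: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    requires_approval: bool = False      # a human must approve before execution
    expires_at: Optional[datetime] = None  # None means a standing entitlement


SENSITIVE_ACTIONS = frozenset({"write", "delete", "admin"})
AUDIT_LOG: List[str] = []  # every decision is recorded, allow or deny


# Separate policy path per actor type: no shared role model between them.
def _agent_policy(actor: Actor, action: str, now: datetime, approved_by: Optional[str]) -> Decision:
    if not (actor.business_owner and actor.technical_owner):
        return Decision(False, "agent lacks a named business and technical owner")
    if action in SENSITIVE_ACTIONS and approved_by is None:
        return Decision(False, "sensitive agent action needs runtime approval", requires_approval=True)
    # Agent grants are short-lived; nothing persists to a quarterly review.
    return Decision(True, "scoped agent grant", expires_at=now + timedelta(minutes=15))


def _service_account_policy(actor: Actor, action: str, now: datetime, approved_by: Optional[str]) -> Decision:
    if not actor.technical_owner:
        return Decision(False, "service account lacks a technical owner")
    if action == "admin":
        return Decision(False, "service accounts may not hold admin rights")
    return Decision(True, "service account grant", expires_at=now + timedelta(hours=1))


def _human_policy(actor: Actor, action: str, now: datetime, approved_by: Optional[str]) -> Decision:
    if action in SENSITIVE_ACTIONS:
        return Decision(True, "just-in-time human grant", expires_at=now + timedelta(hours=8))
    return Decision(True, "standing human access")


POLICY_PATHS: Dict[ActorType, Callable[..., Decision]] = {
    ActorType.AGENT: _agent_policy,
    ActorType.SERVICE_ACCOUNT: _service_account_policy,
    ActorType.HUMAN: _human_policy,
}


def evaluate(actor: Actor, resource: str, action: str,
             now: Optional[datetime] = None, approved_by: Optional[str] = None) -> Decision:
    """Decide one request at request time: containment, then boundary, then type policy."""
    now = now or datetime.now(timezone.utc)
    if actor.contained:
        decision = Decision(False, "actor is contained")
    elif (resource, action) not in actor.boundary:
        decision = Decision(False, "request outside control boundary")
    else:
        decision = POLICY_PATHS[actor.actor_type](actor, action, now, approved_by)
    verdict = "ALLOW" if decision.allowed else "DENY"
    AUDIT_LOG.append(f"{now.isoformat()} {actor.actor_type.value}:{actor.actor_id} "
                     f"{action} {resource} -> {verdict} ({decision.reason})")
    return decision


def contain(actor: Actor) -> None:
    """Immediate containment path: no new grants, independent of any review cycle."""
    actor.contained = True
    AUDIT_LOG.append(f"CONTAIN {actor.actor_type.value}:{actor.actor_id}")


def demo() -> Dict[str, Decision]:
    """Run constructed actors through the evaluator and return the decisions."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    agent = Actor("invoice-agent", ActorType.AGENT, business_owner="finance-lead",
                  technical_owner="platform-team",
                  boundary=frozenset({("payments-db", "read"), ("payments-db", "write")}))
    orphan = Actor("orphan-agent", ActorType.AGENT,  # deployed without an owner
                   boundary=frozenset({("payments-db", "read")}))
    svc = Actor("ci-deployer", ActorType.SERVICE_ACCOUNT, technical_owner="platform-team",
                boundary=frozenset({("k8s-prod", "write"), ("k8s-prod", "admin")}))
    results = {
        "agent_read": evaluate(agent, "payments-db", "read", now),
        "agent_write_unapproved": evaluate(agent, "payments-db", "write", now),
        "agent_write_approved": evaluate(agent, "payments-db", "write", now, approved_by="finance-lead"),
        "orphan_read": evaluate(orphan, "payments-db", "read", now),
        "svc_admin": evaluate(svc, "k8s-prod", "admin", now),
    }
    contain(agent)
    results["agent_after_containment"] = evaluate(agent, "payments-db", "read", now)
    return results


if __name__ == "__main__":
    demo()
    print("\n".join(AUDIT_LOG))
```

The point of the structure is that an agent with no owner, an agent attempting a sensitive write without approval, and a contained agent are all denied at the moment of the request, with the reason written to the audit log, so the containment decision does not wait for anyone to notice an entitlement during a later review.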

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6173
 

Access governance built for review cycles breaks when the actor is autonomous: access review processes were designed for access that persists long enough to be observed, certified, and revoked later. That assumption fails when an agent can obtain, use, and discard access within a single session without human approval. The implication is not simply that teams need a faster review process, but that the review model itself no longer matches the behaviour being governed.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when an autonomous agent exceeds its intended access?

A: Accountability should sit with the team that approved the agent’s deployment and operating boundary, not with the agent itself. Organisations need a named owner, documented policy, and a containment path for when the actor behaves outside scope. Without that, incident response becomes a search for ownership instead of a control decision.

👉 Read our full editorial: Opal’s AI-native access model reflects the rise of agentic identity



   