Notifications
Clear all
Topic starter
02/06/2026 7:03 pm
TL;DR: Tool inventory can show which AI applications are in use, but it cannot explain which identities access them, what data they touch, or how sensitive that data is, according to Cyera. Without identity context, AI security remains a list, not a control model, and NHI risk stays hidden in machine-speed workflows.
NHIMG editorial — based on content published by Cyera: AI Visibility Without Identity Context Is Just a List
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
Questions worth separating out
Q: How should security teams govern AI applications that are used by service accounts and agents?
A: Start by tying each AI workflow to a named identity, an accountable owner, and a data classification.
Q: Why do AI tools create NHI governance blind spots?
A: Because tool visibility does not show who or what is using the tool, what data is being touched, or whether the access is persistent.
Q: What do security teams get wrong about Shadow AI?
A: They often treat Shadow AI as an approval problem for software, when it is usually also an identity problem.
Practitioner guidance
- Bind every AI workflow to an identity record Map each AI application to the service account, token, or agent that executes it, then document the business owner and the data sets it can reach.
- Classify data before approving AI access Require sensitivity tagging for the data behind each AI use case, including customer PII, source code, and regulated records.
- Correlate discovery with NHI inventory Join AI discovery output to service account inventories, API key usage, and agent telemetry so hidden access paths can be identified and removed.
Teams that build identity binding now will have a far better chance of containing AI-driven exposure later?
👉 Read Cyera's analysis of AI visibility without identity context →
Explore further
02/06/2026 7:21 pm
Identity-aware AI visibility is now a prerequisite for NHI governance. Security teams can no longer treat AI tooling, machine identities, and data exposure as separate concerns. When those signals are disconnected, organisations overestimate their control because they can name the tool but not explain the entitlement. The discipline now is to govern AI the way mature IAM programmes govern sensitive access, with identity, data, and context evaluated together. Practitioners should assume the lack of this linkage is already a control gap.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
A question worth separating out:
Q: How do you know if AI access controls are actually working?
A: They are working only if you can answer three questions consistently: which identity accessed the system, which data it touched, and whether that access matched the intended business use. If audit logs cannot produce that chain, the control is partial and the exposure is still active.
👉 Read our full editorial: AI visibility without identity context leaves major NHI blind spots
