TL;DR: AI agents and shadow AI are pushing identity programmes beyond human-centric assumptions, because agents can discover entitlements, probe permissions, and use access at machine speed, according to SailPoint. The central problem is that access review, trust, and governance models built for people do not hold when the actor can choose and execute actions independently.
NHIMG editorial — based on content published by SailPoint: A day in the life with AI-powered identity security, securing your AI workforce
By the numbers:
- AI agents and shadow AI are driving 144:1 non-human-to-human identity ratios in enterprise environments.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
A: Treat the agent as a shared access surface, not a standalone workload.
Q: Why do AI agents make over-provisioning more dangerous than with human users?
A: Because agents can inspect entitlements and act on them at machine speed without the human hesitation that often limits real-world misuse.
Q: What do organisations get wrong about shadow AI governance?
A: They often try to block unsanctioned tools at the network layer without changing employee behaviour or providing an approved alternative.
Practitioner guidance
- Map inbound access paths for every AI agent: document which humans, service accounts, APIs, and other agents can invoke each agent and thereby inherit or influence its permissions.
- Reduce entitlement sets before production use: remove unused permissions from agents and machine accounts before allowing them to reason over tools or data at runtime.
- Add data context to access certification: require reviewers to see what data an identity can reach, not just that the entitlement exists, before approving access.
Teams that keep identity, data, and response in separate operating models will continue to miss how access is actually being exercised.
👉 Read SailPoint's analysis of securing the AI workforce and shadow AI →
Explore further
AI workforce governance is now an identity architecture problem, not an AI policy problem. The article shows that AI tools, machine accounts, and human users are converging on the same resource set, which makes separate controls brittle. When one identity type can inherit the permissions of another, governance decisions must be made on the delegation chain, not on the label of the actor. Practitioners should treat unified identity governance as the baseline rather than an integration goal.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How do security teams respond when an AI agent needs to be contained quickly?
A: Containment should include pausing the agent and removing the access it can exercise, not just turning off execution. If the agent's permissions remain active, anything that can still reach the agent can keep using them while the investigation runs. A practical response plan needs quarantine, deprovisioning, and an investigation path that preserves evidence, captured before the access is removed.
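The delegation-chain mapping in the practitioner guidance above (inbound paths into each agent, trimming effective entitlements before production, certifying with data context) and the containment sequence in the answer just given (preserve evidence, pause, deprovision, verify) as one added Python example. This is not SailPoint's or NHIMG's code; every identity name, entitlement string, data class and invocation edge is constructed sample data, and the class and method names are assumptions made for this illustration. Effective access is computed over the chain regardless of whether a node is labelled human, service account, API or agent, which is the point of the "delegation chain, not actor label" argument.

```python
"""Delegation-chain analysis and containment for an AI agent.

Added example, not code from SailPoint or NHIMG. All identities, entitlements,
data classes and edges are constructed sample data; names are assumptions.
"""
from collections import deque


class IdentityGraph:
    """Humans, service accounts, APIs and agents in one graph.

    An edge invoker -> callee means the invoker can make the callee act, so the
    invoker inherits whatever the callee can reach. Access is decided on that
    chain, never on the actor's kind label.
    """

    def __init__(self):
        self.kind = {}       # identity -> "human" | "service" | "api" | "agent"
        self.direct = {}     # identity -> set of directly granted entitlements
        self.invokes = {}    # invoker -> set of identities it can invoke
        self.data_of = {}    # entitlement -> data class it reaches
        self.paused = set()  # agents whose execution is stopped

    def add(self, name, kind, entitlements=()):
        self.kind[name] = kind
        self.direct[name] = set(entitlements)
        self.invokes.setdefault(name, set())

    def allow_invoke(self, invoker, callee):
        self.invokes.setdefault(invoker, set()).add(callee)

    def _reach(self, start, edges):
        """Breadth-first closure over edges; the seen-set keeps agent cycles safe."""
        seen, todo = set(), deque(edges.get(start, ()))
        while todo:
            cur = todo.popleft()
            if cur not in seen:
                seen.add(cur)
                todo.extend(edges.get(cur, ()))
        seen.discard(start)
        return seen

    def effective_entitlements(self, identity):
        """Direct grants plus everything inherited down the delegation chain."""
        ents = set(self.direct.get(identity, ()))
        for other in self._reach(identity, self.invokes):
            ents |= self.direct.get(other, set())
        return frozenset(ents)

    def inbound_paths(self, target):
        """Every identity that can invoke target, directly or through others."""
        rev = {}
        for src, dsts in self.invokes.items():
            for dst in dsts:
                rev.setdefault(dst, set()).add(src)
        return frozenset(self._reach(target, rev))

    def certification_view(self, identity):
        """What a reviewer sees: each effective entitlement with the data it reaches."""
        return {e: self.data_of.get(e, "unclassified")
                for e in sorted(self.effective_entitlements(identity))}

    def excess(self, identity, needed):
        """Effective entitlements beyond the documented need: remove these first."""
        return self.effective_entitlements(identity) - set(needed)

    def contain(self, agent, revoke=True):
        """Quarantine an agent. Evidence is captured before anything is removed,
        because revocation destroys the record of what was reachable."""
        evidence = {"agent": agent,
                    "effective_entitlements": sorted(self.effective_entitlements(agent)),
                    "inbound": sorted(self.inbound_paths(agent)),
                    "outbound": sorted(self.invokes.get(agent, ()))}
        self.paused.add(agent)              # stops new executions only
        if revoke:
            self.direct[agent] = set()      # drop its own grants
            self.invokes[agent] = set()     # it can no longer act through others
            for src in self.invokes:        # nothing can act through it
                self.invokes[src].discard(agent)
        return evidence

    def still_exposed(self, agent):
        """True while the agent, paused or not, can still exercise or receive access."""
        return bool(self.effective_entitlements(agent) or self.inbound_paths(agent))


def build_sample_graph():
    """Constructed sample environment (assumed names, not real identities)."""
    g = IdentityGraph()
    g.data_of.update({"crm.read": "customer PII", "tickets.read": "support cases",
                      "invoices.read": "financial", "warehouse.read": "customer PII",
                      "warehouse.write": "customer PII"})
    g.add("alice", "human", ["crm.read"])
    g.add("svc-etl", "service", ["warehouse.read", "warehouse.write"])
    g.add("billing-api", "api", ["invoices.read"])
    g.add("agent-support", "agent", ["tickets.read"])
    g.add("agent-orchestrator", "agent")
    g.allow_invoke("alice", "agent-orchestrator")
    g.allow_invoke("agent-orchestrator", "agent-support")
    g.allow_invoke("agent-support", "agent-orchestrator")  # agents calling each other: a cycle
    g.allow_invoke("agent-support", "billing-api")
    g.allow_invoke("agent-support", "svc-etl")             # a tool the agent was never meant to use
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("agent-support inbound:", sorted(g.inbound_paths("agent-support")))
    print("certification view:", g.certification_view("agent-support"))
    print("excess:", sorted(g.excess("agent-support", ["tickets.read", "invoices.read"])))
    g.contain("agent-support", revoke=False)
    print("paused only, still exposed:", g.still_exposed("agent-support"))
    print("evidence:", g.contain("agent-support"), "exposed:", g.still_exposed("agent-support"))
```

Two things the run makes visible that the prose only states: alice, a human with a single CRM entitlement, reaches customer PII in the warehouse through two agents she never holds a grant for, so certifying her by entitlement name alone would pass review; and pausing `agent-support` without revocation leaves `still_exposed` true, because the orchestrator can still act through it and its tool bindings remain live.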
👉 Read our full editorial: AI workforce governance is collapsing human and machine silos