TL;DR: Coding agents are entering enterprises as autonomous actors that can access repositories, execute commands, invoke APIs, and change infrastructure in chains of action, according to Zenity. Traditional identity, data, endpoint, and governance controls were built for discrete actions, not runtime behaviour across multiple systems, so access policy alone no longer captures the real risk.
NHIMG editorial — based on content published by Zenity: The Enterprise Just Got Its First Population of Autonomous Actors
Questions worth separating out
Q: How should security teams govern autonomous coding agents in enterprise environments?
A: Security teams should govern autonomous coding agents as behaviour-bearing identities, not as ordinary automation.
Q: Why do existing IAM controls struggle with autonomous agents?
A: Existing IAM controls struggle because they were designed to answer who can access what, not how an actor will behave after access begins.
Q: What breaks when governance is used as the main control for AI agents?
A: What breaks is the assumption that a governance approval can reliably predict safe runtime behaviour.
Practitioner guidance
- Map autonomous action chains: Trace every step a coding agent can take after initial authorisation, including repository access, terminal execution, API calls, and infrastructure changes.
- Separate approval from enforcement: Treat governance approval as one control layer and runtime enforcement as another.
- Limit task-scoped privileges: Constrain agent permissions to the narrowest task and session context possible, and remove standing access wherever the workflow allows it.
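The three points above, as an added illustration that is not Zenity's or NHIMG's code: a governance approval is recorded as a narrow, session-bound task scope, and a separate runtime enforcer evaluates each step of the agent's action chain against it, failing closed and keeping an audit record of the chain. The scope schema, agent name, task id, and action/resource labels are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed example: approval is captured as a TaskScope, enforcement is a
# separate runtime check on every step. Schema and names are hypothetical.

@dataclass(frozen=True)
class TaskScope:
    agent: str
    task_id: str
    allowed: frozenset         # (action, resource) pairs granted for this task only
    expires_at: datetime       # no standing access: the grant dies with the session

@dataclass
class RuntimeEnforcer:
    scope: TaskScope
    chain: list = field(default_factory=list)   # audit trail of the real action chain

    def check(self, action: str, resource: str, now: datetime) -> bool:
        """Evaluate one runtime step against the task scope and record the verdict."""
        if now >= self.scope.expires_at:
            verdict = "deny:session-expired"
        elif (action, resource) in self.scope.allowed:
            verdict = "allow"
        else:
            verdict = "deny:out-of-scope"
        self.chain.append((action, resource, verdict))
        return verdict == "allow"

def run_chain(enforcer: RuntimeEnforcer, steps, now: datetime) -> list:
    """Replay an agent's proposed action chain; stop (fail closed) at the first denial."""
    for action, resource in steps:
        if not enforcer.check(action, resource, now):
            break
    return enforcer.chain

def demo(minutes_elapsed: int = 5) -> list:
    """Approval covered reading one repo and running unit tests; the agent then
    composes further steps (deploying, changing infrastructure) nobody reviewed."""
    start = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
    scope = TaskScope(
        agent="coding-agent-7", task_id="fix-flaky-test-123",
        allowed=frozenset({("read", "repo:payments"), ("exec", "ci:unit-tests")}),
        expires_at=start + timedelta(minutes=30),
    )
    steps = [("read", "repo:payments"), ("exec", "ci:unit-tests"),
             ("call", "api:deploy-prod"), ("write", "infra:terraform")]
    return run_chain(RuntimeEnforcer(scope), steps, start + timedelta(minutes=minutes_elapsed))

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Running `demo()` shows the first two steps allowed and the deploy call denied as out of scope, so the terraform write is never attempted; `demo(45)` shows the same chain refused at step one because the session has expired.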
What's in the full article
Zenity's full article covers the operational detail this post intentionally leaves for the source:
- The specific runtime behaviours that make coding agents different from ordinary automation.
- The practical security questions CISOs should ask before allowing agentic workflows into production.
- The article's own framing of why governance and security are different problems for autonomous actors.
- The context around how enterprises are already adopting these agents in development workflows.
👉 Read Zenity's analysis of autonomous coding agents and enterprise governance →
Autonomous coding agents: are enterprise controls keeping up?
Explore further
Autonomous coding agents turn policy from a gate into a record of intent. Zenity’s framing is accurate because the real security problem is not whether the agent was approved, but whether approval means anything once the system begins composing its own sequence of actions. Identity and governance controls can still be satisfied while the agent behaves in ways that were never reviewed. The practitioner conclusion is that runtime behaviour, not pre-deployment approval, becomes the real control boundary.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 52% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, which means the access model is already outpacing the control model.
A question worth separating out:
Q: Who should own risk decisions for autonomous coding agents?
A: Risk ownership should sit with the teams that can see both identity and execution, usually security, platform, and infrastructure owners working together. If ownership is split so that governance approves the agent but no one monitors its live actions, the organisation ends up with accountability on paper and no operational control.
👉 Read our full editorial: Autonomous coding agents expose the limits of enterprise governance