TL;DR: Employee-built agents are already operating inside enterprises with broad access, unclear ownership, and little oversight, and Aizome argues that BYOA creates a governance gap larger than the earlier BYOD problem. The issue is not just more automation but a control model built for static devices facing runtime-adapting actors that reason and act independently.
NHIMG editorial — based on content published by Aizome: Meet BYOA, the shadow AI agent problem that makes BYOD look simple
Questions worth separating out
Q: How should security teams govern employee-built AI agents without blocking adoption?
A: Treat employee-built agents as governed identities, not informal productivity tools.
Q: Why do AI agents create more risk than traditional automation workflows?
A: AI agents create more risk because their access and actions can change at runtime, rather than following a fixed script.
Q: What breaks when agents are reviewed only through entitlement lists?
A: Entitlement-only review misses inherited trust, scope drift, and cross-system reach.
Practitioner guidance
- Inventory every employee-built agent automatically: discover agents through connected systems, execution logs, and identity telemetry rather than waiting for teams to self-report them.
- Map delegation chains before granting operational trust: trace how an agent receives data, tools, and authority from humans or other agents, then identify where inherited trust expands the effective access path.
- Set behavioural baselines for runtime review: record what each agent normally accesses, which tools it invokes, and which workflows it executes, then alert when those patterns change.
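As an added example of the three checks above (this is illustrative code, not Aizome's or NHIMG's), the following Python maps delegation chains over a constructed grant list and baselines agent activity over constructed telemetry records. Every identity, scope name, tool name and the convention that human principals carry an "@" are assumptions made for the illustration. The delegation part shows what an entitlement list misses: the finance agent's own grants mention nothing from CRM, yet it reaches crm:read through another agent, and one scope it was handed is not backed by any human grant at all.

```python
"""Added example: delegation-chain mapping and behavioural baselining for
employee-built agents. All data below is constructed for illustration."""
from collections import defaultdict

UNBACKED = "<unbacked>"

def is_human(ident):
    # Assumption for this example: human principals are e-mail style names.
    return "@" in ident

# Constructed delegation edges: (grantor, grantee, scopes handed over).
DELEGATIONS = [
    ("alice@finance", "fin-reconcile-agent", {"erp:read", "erp:post-journal"}),
    ("bob@sales", "crm-enrich-agent", {"crm:read", "crm:write"}),
    ("it-admin@corp", "crm-enrich-agent", {"okta:list-users"}),
    # Agent-to-agent delegation: crm-enrich-agent passes scopes on to the
    # finance agent. crm:export is not a scope crm-enrich-agent holds itself.
    ("crm-enrich-agent", "fin-reconcile-agent", {"crm:read", "crm:export"}),
]

def effective_access(agent, delegations=DELEGATIONS, _seen=()):
    """Map each scope reachable by `agent` to the delegation chains that carry
    it, each chain listed from the human root down to `agent`. A chain whose
    agent grantor does not itself hold the scope is rooted at UNBACKED."""
    grants = defaultdict(list)
    for grantor, grantee, scopes in delegations:
        grants[grantee].append((grantor, scopes))
    chains = defaultdict(list)
    for grantor, scopes in grants[agent]:
        if grantor in _seen:          # delegation loop: do not recurse again
            continue
        if is_human(grantor):
            for s in scopes:
                chains[s].append([grantor, agent])
            continue
        upstream = effective_access(grantor, delegations, _seen + (agent,))
        for s in scopes:
            backed = [c for c in upstream.get(s, []) if c[0] != UNBACKED]
            if backed:
                chains[s].extend(c + [agent] for c in backed)
            else:
                chains[s].append([UNBACKED, grantor, agent])
    return dict(chains)

def root_humans(agent):
    """Humans whose trust the agent ultimately inherits (the accountability set)."""
    return {c[0] for cs in effective_access(agent).values() for c in cs
            if c[0] != UNBACKED}

def unbacked_scopes(agent):
    """Scopes delegated to the agent by an agent that never held them."""
    return {s for s, cs in effective_access(agent).items()
            if any(c[0] == UNBACKED for c in cs)}

# Constructed activity telemetry: one record per observed agent action.
ACTIVITY = [
    {"agent": "fin-reconcile-agent", "day": 1, "tool": "erp.query", "resource": "erp:gl"},
    {"agent": "fin-reconcile-agent", "day": 2, "tool": "erp.query", "resource": "erp:gl"},
    {"agent": "fin-reconcile-agent", "day": 3, "tool": "crm.lookup", "resource": "crm:accounts"},
    # After the learning window: a new tool and resource appear (scope drift),
    # then an agent nobody inventoried shows up (shadow agent).
    {"agent": "fin-reconcile-agent", "day": 9, "tool": "erp.post", "resource": "erp:journal"},
    {"agent": "fin-reconcile-agent", "day": 9, "tool": "crm.lookup", "resource": "crm:accounts"},
    {"agent": "ops-cleanup-agent", "day": 10, "tool": "okta.deactivate", "resource": "okta:users"},
]
LEARN_DAYS = 7

def build_baseline(records, learn_days=LEARN_DAYS):
    """Per-agent set of tools and resources seen during the learning window."""
    base = {}
    for r in records:
        if r["day"] > learn_days:
            continue
        entry = base.setdefault(r["agent"], {"tools": set(), "resources": set()})
        entry["tools"].add(r["tool"])
        entry["resources"].add(r["resource"])
    return base

def detect_drift(records, learn_days=LEARN_DAYS):
    """Alerts as (agent, day, kind, value) for activity outside the baseline."""
    base = build_baseline(records, learn_days)
    alerts = []
    for r in records:
        if r["day"] <= learn_days:
            continue
        known = base.get(r["agent"])
        if known is None:
            alerts.append((r["agent"], r["day"], "unknown_agent", r["tool"]))
            continue
        if r["tool"] not in known["tools"]:
            alerts.append((r["agent"], r["day"], "new_tool", r["tool"]))
        if r["resource"] not in known["resources"]:
            alerts.append((r["agent"], r["day"], "new_resource", r["resource"]))
    return alerts

if __name__ == "__main__":
    for scope, chains in effective_access("fin-reconcile-agent").items():
        print(scope, chains)
    print("accountable humans:", root_humans("fin-reconcile-agent"))
    print("unbacked scopes:", unbacked_scopes("fin-reconcile-agent"))
    for alert in detect_drift(ACTIVITY):
        print("ALERT", alert)
```

In practice the grant list would be assembled from OAuth consents, service-account bindings and agent-platform configuration, and the activity records from execution logs; the drift check here is deliberately simple (set membership after a fixed learning window) so that the first review is of the alerts themselves rather than of a scoring model.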
What's in the full article
Aizome's full blog post covers the operational detail this post intentionally leaves for the source:
- How Aizome proposes discovering employee-built agents automatically across business units and enterprise platforms
- The three BYOA failure modes in more implementation detail, including the inherited trust pattern
- The runtime control model the vendor recommends for intent-layer enforcement
- The article's BYOD comparison framework, which expands on why device-era controls do not transfer cleanly to agents
👉 Read Aizome's analysis of BYOA and shadow AI agent governance →
BYOA shadow AI agents: what IAM teams are missing now?
Explore further
BYOA is not a tooling problem. It is a governance model failure. Security teams are treating employee-built agents as if they were just another automation layer, but the article shows that the real issue is uncontrolled identity creation at the edge of the business. When a finance, sales, or IT team can stand up an agent with enterprise access in an afternoon, central governance has already lost the first decision point. The practical conclusion is that agent governance must begin at creation, not at audit.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who should be accountable when an employee-built agent causes a security incident?
A: Accountability should sit with the human owner who approved the use case, the system owner that exposed the data or action path, and the security function that defined the control standard. Without a clear ownership chain, the organisation cannot assign containment, review, or remediation responsibilities after the incident.
👉 Read our full editorial: BYOA exposes a larger governance gap than BYOD ever did