TL;DR: Gartner’s Preemptive Exposure Management research says AI agent security is now a distinct exposure domain and that generalist platforms cannot secure the unique attack surface of AI systems. Organizations are funding domain-specialized coverage for agents, MCP servers, and NHIs. The real shift is governance: blast radius is defined by delegated credentials, not by the agent alone.
NHIMG editorial — based on content published by Gartner: Emerging Tech: Top Funded Startups for Preemptive Exposure Management
By the numbers:
- The DSEM category attracted $2.1 billion in venture investment between 2023 and 2026, reflecting strong market concentration around AI agent exposure management.
Questions worth separating out
Q: How should security teams govern AI agent credentials in enterprise environments?
A: Treat agent credentials as non-human identities with scoped authority, not as ordinary application secrets.
Q: Why do AI agents create more exposure than traditional service accounts?
A: AI agents can combine credentials, tools, and autonomous decision-making, which expands reach beyond a single static entitlement.
Q: What is the difference between secret management and NHI governance for AI agents?
A: Secret management protects the credential itself, while NHI governance controls what the credential can do, where it can be used, and when it should be revoked.
Practitioner guidance
- Map every agent credential to reachable systems: Build an inventory of OAuth tokens, service accounts, certificates, and API keys used by AI agents, then tie each one to the systems it can reach.
- Apply least privilege to agent task scope: Reduce permissions until each agent can only complete the workflow it was assigned.
- Validate whether exposures are actually exploitable: Do not stop at discovery.
As agent adoption grows, the governance programme needs to shift from periodic review to continuous containment, or the control gap will widen faster than remediation can close it.
👉 Read Gartner's Preemptive Exposure Management report on AI agent exposure →
A few things worth adding from our research at NHI Mgmt Group.
AI agent exposure is now an NHI governance problem, not just an application-security problem. The core issue is delegated authority. When an autonomous agent holds tokens, certificates, or service accounts, it inherits the ability to act across systems faster than conventional review cycles can keep up. That makes the governance question identity-centric from the start. Practitioners should treat agent access as first-class NHI risk, not as a feature of the application layer.
A few things that frame the scale:
- 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to Guide to the Secret Sprawl Challenge.
- Claude Code-assisted commits leaked secrets at a rate of 3.2%, more than double the human-only baseline of 1.5%, showing that AI-assisted development can amplify exposure pathways.
A question worth separating out:
Q: When should organisations use runtime authorization for AI agents?
A: Use runtime authorization when agent behavior can change based on context, tools, or delegated workflows. Static approvals are too coarse when an agent can act across multiple systems in minutes. Runtime checks help keep privilege proportional to the current task and reduce the chance that a one-time approval becomes persistent excess access.
👉 Read our full editorial: AI agent exposure is becoming a distinct NHI security domain
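An added example (not code from Gartner or NHI Mgmt Group) that ties together the practitioner guidance and the runtime authorization answer above: it maps each agent credential to the systems it reaches, computes the resulting blast radius and the reach that exceeds the assigned workflow, and makes a per-action runtime decision. The agent, credential, task and system names, and the fixed clock, are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Credential:
    cred_id: str          # constructed identifier
    kind: str             # oauth_token | service_account | certificate | api_key
    agent: str            # agent the credential is delegated to
    reaches: frozenset    # systems this credential can act on
    expires: datetime
    revoked: bool = False

NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed inventory; every name here is hypothetical.
INVENTORY = [
    Credential("tok-crm", "oauth_token", "support-agent", frozenset({"crm", "ticketing"}), NOW + timedelta(hours=1)),
    Credential("sa-data", "service_account", "support-agent", frozenset({"warehouse", "billing"}), NOW + timedelta(days=90)),
    Credential("key-mail", "api_key", "support-agent", frozenset({"email"}), NOW - timedelta(days=2)),
]

# Systems each assigned workflow actually needs (assumed policy input).
TASK_SCOPE = {"answer-ticket": {"crm", "ticketing", "email"}}

def blast_radius(agent, inventory=INVENTORY, now=NOW):
    """Union of systems reachable through the agent's live credentials."""
    live = [c for c in inventory if c.agent == agent and not c.revoked and c.expires > now]
    return set().union(*(c.reaches for c in live))

def excess_reach(agent, task):
    """Reachable systems that the assigned workflow does not need."""
    return blast_radius(agent) - TASK_SCOPE[task]

def authorize(agent, task, system, cred_id, inventory=INVENTORY, now=NOW):
    """Runtime decision for one action under one credential: (allowed, reason)."""
    cred = next((c for c in inventory if c.cred_id == cred_id and c.agent == agent), None)
    if cred is None:
        return False, "credential not delegated to this agent"
    if cred.revoked or cred.expires <= now:
        return False, "credential expired or revoked"
    if system not in cred.reaches:
        return False, "credential cannot reach system"
    if system not in TASK_SCOPE.get(task, set()):
        return False, "system outside current task scope"
    return True, "ok"
```

Here the long-lived service account is what makes the blast radius larger than the task: the static grant is valid, but the runtime check still denies its use for a workflow that does not need it.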