Notifications
Clear all
Topic starter
11/05/2026 8:41 pm
TL;DR: Microsoft Agent 365 adds identity primitives such as agent IDs, lifecycle rules, policy templates, risk-based access and auditability, but the control plane remains bounded by the Microsoft ecosystem while enterprise agents run across Azure, AWS, GCP, SaaS and CI/CD systems. The real security problem is cross-environment governance, not isolated agent administration.
NHIMG editorial — based on research published by Entro Security.
Questions worth separating out
Q: How should security teams govern AI agents across multiple clouds?
A: Start with a central inventory of every agent, its owner, its credentials and the systems it can reach.
Q: Why do AI agents create a bigger IAM problem than service accounts?
A: AI agents can change behaviour, call new tools and expand their access patterns faster than static service accounts usually do.
Q: What is the difference between agent identity governance and secrets management?
A: Secrets management protects the tokens, keys and certificates an agent uses.
Practitioner guidance
- Map every agent to an accountable owner Create a register that ties each autonomous workflow to a human owner, business purpose and retirement date.
- Inventory agent credentials across all environments Track tokens, API keys, certificates and delegated access used by agents in cloud accounts, SaaS tools and CI/CD systems.
- Apply least privilege at the workflow level Scope access to the specific task, dataset and runtime needed by each agent.
With 1 in 4 organisations already investing in dedicated NHI security capabilities, according to The State of Non-Human Identity Security, the question is no longer whether to build controls, but how quickly those controls can span clouds, SaaS and automation pipelines?
👉 Read Microsoft's analysis of Agent 365 and AI agent identity governance →
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
11/05/2026 8:42 pm
A few things worth adding from our research at NHI Mgmt Group.
AI agents are becoming a new class of non-human identity, and IAM models built for human users are too narrow to govern them. Agents have permissions, lifecycle events, data access and behavioural variability, which makes them operational identities rather than simple automations. Security teams that treat them as scripts will miss privilege creep, drift and audit gaps. The practical conclusion is that agent governance must sit inside the identity programme, not beside it.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: When should organisations treat an AI agent as a high-risk identity?
A: Treat an AI agent as high-risk when it can move data, trigger production actions, or access multiple systems without direct human oversight. The more environments it spans, the more likely a single misconfiguration can create broad blast radius. In those cases, continuous review is safer than static approval.
👉 Read our full editorial: Microsoft Agent 365 raises the bar on AI agent identity governance
