How should teams govern AI-connected NHIs before adoption spreads?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: AI governance is already lagging because 63% of organisations lack formal policies and AI tools are being connected to business systems by departments outside IT, according to IBM’s Cost of a Data Breach report. The governance problem is identity visibility, not model policy, and the inventory gap will define incident response, audit readiness, and access control.

NHIMG editorial — based on content published by Clarity Security: Who Governs AI? Why Identity Governance Should Come Before AI Adoption

By the numbers:

Questions worth separating out

Q: How should security teams govern AI-connected non-human identities?

A: Treat them like first-class identities with owners, scope, logging, and retirement conditions.

Q: Why do traditional IAM and IGA processes miss AI governance gaps?

A: They are built around human lifecycle events such as joiner, mover, and leaver.

Q: What is the difference between human identity governance and NHI governance for AI tools?

A: Human identity governance assumes a person, a manager, and a clear employment lifecycle.

Practitioner guidance

  • Build a live AI-connected identity inventory: Scan cloud, SaaS, and workflow platforms for service accounts, OAuth apps, API tokens, bots, and agent credentials that were created outside standard onboarding.
  • Extend access reviews beyond human users: Add non-human identities to certification, but do not rely on quarterly review alone.
  • Enforce least privilege on every AI integration: Grant only the minimum access required for the task, and separate read from write where the workflow allows it.

Teams that can enumerate AI-connected identities will be able to govern adoption without slowing it to a halt.

👉 Read Clarity Security's analysis of AI governance and non-human identity risk →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

AI governance is now an NHI governance problem, not a policy exercise. The article is correct to push the conversation away from abstract AI risk and toward identity control. Once a tool can touch customer data or business systems, it becomes an access subject that needs provisioning, monitoring, and retirement. The discipline that matters is the one that can inventory and govern that access end to end.

A few things that frame the scale:

A question worth separating out:

Q: When does AI adoption create more identity risk than value?

A: Risk rises when teams can connect AI tools faster than they can inventory, review, and revoke their access. If the organisation cannot answer who provisioned the identity, what it can reach, and when it will be removed, the governance debt is already overtaking the benefit.

👉 Read our full editorial: AI governance fails when non-human identity inventory is missing



   
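An added example, not part of either post or of Clarity Security's article: a minimal audit over an AI-connected identity inventory that checks each record for the attributes named in the thread (owner, provisioner, scope, logging, retirement condition) and for write access the task does not need. The record fields, the `resource:action` scope format, the gap labels and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                      # service_account | oauth_app | api_token | bot | agent
    owner: Optional[str]           # accountable person or team
    provisioned_by: Optional[str]  # who created it
    scopes: tuple                  # "resource:action" strings (assumed format)
    logging: bool                  # activity lands in a log the security team can read
    retire_on: Optional[date]      # retirement condition, expressed here as a date
    needs_write: bool = False      # does the documented task require write access?

def audit(i: Identity, today: date) -> list:
    """Return the governance gaps for one identity, in a fixed order."""
    actions = {s.rpartition(":")[2] for s in i.scopes}
    checks = [
        (not i.owner, "no-owner"),
        (not i.provisioned_by, "unknown-provisioner"),
        (not i.scopes, "scope-not-recorded"),
        ("*" in actions, "wildcard-scope"),
        (bool(actions & {"write", "admin"}) and not i.needs_write, "write-not-required"),
        (not i.logging, "no-logging"),
        (i.retire_on is None, "no-retirement-condition"),
        (i.retire_on is not None and i.retire_on < today, "past-retirement"),
    ]
    return [label for failed, label in checks if failed]

def review_queue(inventory, today: date) -> list:
    """Identities with at least one gap, most gaps first, then by name."""
    found = [(i.name, audit(i, today)) for i in inventory]
    return sorted((f for f in found if f[1]), key=lambda f: (-len(f[1]), f[0]))

# Constructed sample inventory; every name, owner and scope below is made up.
INVENTORY = [
    Identity("crm-summarizer", "oauth_app", None, None, ("crm:read", "crm:write"), False, None),
    Identity("ticket-triage-bot", "bot", "support-eng", "j.doe",
             ("tickets:read", "tickets:write"), True, date(2025, 1, 31), needs_write=True),
    Identity("report-agent", "agent", "finance-ops", "a.lee", ("ledger:read",), True, date(2026, 6, 30)),
    Identity("etl-token", "api_token", "data-platform", "ci", ("warehouse:*",), True, None),
]

if __name__ == "__main__":
    for name, gaps in review_queue(INVENTORY, date(2025, 6, 1)):
        print(f"{name}: {', '.join(gaps)}")
```

Run on a schedule against a real export, the queue gives a continuous view of the same gaps a quarterly certification would surface only at review time.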