Notifications
Clear all
Topic starter
04/06/2026 6:47 pm
TL;DR: AI agents are projected to appear in 40% of enterprise applications by 2026, up from less than 5% in 2025, while the NIST AI Risk Management Framework remains a voluntary operating model that does not itself deliver runtime control, according to WitnessAI. The gap is structural: governance built around human-paced review cycles cannot fully manage autonomous behaviour, shadow AI, or audit-defensible enforcement.
NHIMG editorial — based on content published by WitnessAI: analysis of the NIST AI Risk Management Framework and its operational gaps
By the numbers:
- 40% of enterprise applications will include AI agents by 2026, up from less than 5% in 2025.
Questions worth separating out
Q: How should security teams govern AI agents that act like non-human identities?
A: Security teams should govern AI agents as runtime identity actors when those systems can select tools, chain actions, and execute without approval gates.
Q: Why does shadow AI create a governance gap for IAM and security teams?
A: Shadow AI creates a governance gap because organizations cannot manage systems they do not reliably see.
Q: What breaks when agentic AI is managed with human-style review cycles?
A: Human-style review cycles break when the actor can make and complete decisions faster than a reviewer can observe them.
Practitioner guidance
- Build a living AI inventory Track sanctioned and unsanctioned AI tools, agent connectors, plugins, and model endpoints as a continuously updated record.
- Define runtime policy boundaries for agentic systems Set explicit limits on action chaining, tool use, escalation, and data access before agents are placed in production.
- Separate governance evidence from governance intent Collect audit trails that show what the AI system actually did, what data it touched, and which policy decision was enforced at runtime.
What's in the full article
WitnessAI's full article covers the operational detail this post intentionally leaves for the source:
- A fuller breakdown of how WitnessAI maps its platform features to NIST AI RMF functions and implementation gaps
- Specific examples of runtime controls for prompt injection, sensitive data redaction, and policy routing
- Detailed discussion of audit trails, SOC 2 Type II positioning, and how the platform captures AI interaction evidence
👉 Read WitnessAI's analysis of NIST AI RMF gaps for shadow AI and agents →
NIST AI RMF and AI agents: where governance is already lagging?
Explore further
04/06/2026 6:59 pm
AI governance built only as a framework exercise fails when execution moves faster than review. The NIST AI RMF is structurally useful, but it does not close the gap between policy intent and runtime enforcement. When AI use spreads faster than governance can inventory, monitor, and constrain it, the result is not compliance maturity but a widening control delta. Practitioners should treat framework alignment as a starting point, not proof of operational control.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- In the same research, enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: How can organisations prove AI governance to auditors and boards?
A: Organisations prove AI governance by producing evidence that the control operated, not just that a policy existed. That evidence should include inventory records, runtime logs, policy decisions, and escalation handling for both sanctioned and unsanctioned AI use. Framework alignment helps, but auditors and boards usually want demonstrable execution, not framework language alone.
👉 Read our full editorial: NIST AI RMF falls short as agents outpace governance
