TL;DR: AI agent and workload governance are moving into the core IGA and PAM stack as identity platforms now span human and non-human access, including MCP Server and ISPM for AI Agents, according to Saviynt. That shift matters because runtime access, not just provisioning, is now the governance fault line.
NHIMG editorial — based on content published by Saviynt: newsroom overview of The Identity Cloud, Non-Human Identity, Saviynt MCP Server, and ISPM for AI Agents
Questions worth separating out
Q: How should security teams govern AI agents that connect to enterprise tools?
A: Security teams should govern connected AI agents as identity-bearing actors with explicit tool scopes, monitored execution paths, and clear ownership.
Q: Why do MCP-connected systems increase identity risk?
A: MCP-connected systems increase identity risk because they move governance from a single authentication event to a chain of delegated tool actions.
Q: What do IAM teams get wrong about AI agent access?
A: IAM teams often treat AI agents like ordinary automation, which hides the difference between fixed workflows and systems that can choose actions dynamically.
Practitioner guidance
- Classify every AI-connected identity by actor type. Separate bounded automation, autonomous agents, service accounts, and human users in the governance model so each receives the right review, approval, and monitoring pattern.
- Inventory MCP-linked tools and downstream permissions. Document each tool connection, the identity behind it, and the scope it can trigger across applications and data sources.
- Extend recertification to machine and agent access paths. Include service accounts, API tokens, and AI agent credentials in access reviews so hidden privilege does not remain outside governance cycles.
What's in the full article
Saviynt's full newsroom post covers the platform context this analysis intentionally leaves for the source:
- The specific product areas named in the newsroom overview, including The Identity Cloud, Non-Human Identity, Saviynt MCP Server, and ISPM for AI Agents.
- How Saviynt positions those capabilities across human access, machine access, and governance workflows in its own product language.
- The broader company framing behind the announcement, including the use cases and role-based messaging that are not unpacked here.
- The source page's own navigation and product taxonomy, which help place the announcement in Saviynt's wider platform narrative.
Saviynt MCP Server and AI agents: what changes for IAM teams?
MCP is becoming an identity governance problem, not just an integration pattern. When protocol-based tool access is used to connect AI systems to enterprise resources, the security question shifts to delegated authority and runtime scope. That means the governance model must account for which tools an identity can call, what data those tools expose, and how far the resulting actions can travel. Practitioners should treat MCP as part of the identity control plane, not a separate AI plumbing layer.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
A question worth separating out:
Q: How can organisations tell whether their identity programme covers machine access properly?
A: A programme covers machine access properly when service accounts, tokens, workload identities, and agent credentials all appear in visibility, review, and offboarding processes. If those identities sit outside standard governance cycles, the programme has a blind spot, even if workforce identity controls are mature.