Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic AI governance and runtime control: what CISOs need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Agentic AI governance must move from committee-based oversight to runtime control because these systems initiate actions, access data, and influence workflows during the session, according to OneTrust. The governance problem is no longer model validation alone but continuous control over what AI systems can do, see, and trigger.

NHIMG editorial — based on content published by OneTrust: Agentic AI Governance: What CISOs Must Control Now

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can access enterprise systems?

A: Security teams should govern AI agents as non-human identities with explicit ownership, scoped privileges, and continuous monitoring.

Q: Why do autonomous agents create a bigger governance problem than chat-based AI assistants?

A: Chat-based assistants usually begin with a visible human prompt, so the initiation point is easier to govern and audit.

Q: What do organisations get wrong about governing AI use?

A: They often separate AI governance from IAM and lifecycle management, even though AI adoption depends on who can access tools, what data those tools can reach, and how access ends.

Practitioner guidance

  • Define runtime policy boundaries for every AI agent Map each agent to explicit rules for what data it can access, what systems it can call, and which actions require human or machine approval before execution.
  • Instrument end-to-end action logging for agent sessions Capture tool calls, data reads, workflow triggers, and downstream system changes in a single audit trail so security, legal, and operations can reconstruct what the agent actually did.
  • Treat AI agents as governed identities Assign ownership, lifecycle review, access review, and decommissioning rules to each agent the same way you would for a privileged service account or workload identity.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • The step-by-step governance operating model for runtime AI controls across access, observability, and approvals.
  • The article's examples of how agents governing agents changes oversight design for security teams.
  • The practical breakdown of which control areas CISOs should prioritise first when building an AI governance plane.

👉 Read OneTrust's analysis of agentic AI governance and runtime control →

Agentic AI governance and runtime control: what CISOs need now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Agentic AI governance is now an identity and authorisation problem. Once systems can initiate actions, the key question is no longer whether the model is accurate but whether the runtime actor is allowed to do what it is doing. That makes policy scope, delegated authority, and session-level traceability central controls. Practitioners should treat agentic AI as a governed identity surface, not a content-generation feature.

A question worth separating out:

Q: Who should be accountable when an AI agent causes a security incident?

A: Accountability should sit with the human owner, platform team, or business function that granted and operated the agent. The identity may act independently, but governance cannot detach responsibility from the delegation chain. Programs should define ownership, escalation, and remediation paths before deployment so responsibility is clear when the agent's behaviour changes.

👉 Read our full editorial: Agentic AI governance must shift from oversight to runtime control



   
ReplyQuote
Share: