TL;DR: Enterprise AI is moving from model governance to action governance as agents access tools, move data and execute workflows in real time, according to OneTrust. That shift makes continuous oversight, runtime guardrails and observability the practical foundation for trusted autonomy, not periodic review.
NHIMG editorial — based on content published by OneTrust: Agents Governing Agents: the Next Evolution of AI Governance
Questions worth separating out
Q: How should security teams govern AI agents that can take actions in production systems?
A: Start by treating each agent as a scoped machine identity with explicit permissions, not as a generic automation feature.
Q: Why do AI agents create new identity governance risks for enterprises?
A: AI agents can authenticate, delegate and execute across systems, which means they inherit both privilege and responsibility.
Q: What breaks when observability is missing from agentic AI governance?
A: Without action-level observability, teams cannot prove which data an agent used, which tool it called or why a policy decision was made.
Practitioner guidance
- Define runtime policy boundaries for every agent Document which data sources, APIs, approval flows and internal tools each agent can use, then bind those permissions to task scope rather than broad role assignment.
- Treat agent credentials as governed NHI assets Inventory agent tokens, service accounts and automation credentials as non-human identities, then apply short-lived access, rotation and offboarding controls to each one.
- Build action-level observability into the AI control plane Capture prompt context, tool calls, policy decisions and downstream actions so security, audit and AI governance teams can reconstruct every significant agent decision.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- How the vendor maps autonomous oversight into an AI governance operating model and what that means for control ownership.
- Examples of runtime guardrails, policy enforcement and observability concepts that practitioners can adapt to production workflows.
- The semantic-layer and context-infrastructure arguments that underpin the vendor's view of trustworthy autonomous systems.
- The leadership framing for CDOs and CAIOs as AI governance expands into operational execution.
👉 Read OneTrust's blog on governing agents and autonomous AI oversight →
AI agent governance is shifting to runtime control and observability?
Explore further
Runtime control is becoming the dividing line between usable and ungoverned AI. Static model review cannot keep pace with agents that decide when to act, which tools to call and what data to move. That turns governance into a live control problem, not a documentation exercise. For the field, the important shift is that policy must be enforced where action occurs, not only where risk is assessed.
A question worth separating out:
Q: Who should be accountable when an AI agent makes an unauthorised decision?
A: Accountability should sit with the business and technical owners who approved the agent’s scope, access and controls, not with the automation itself. Security, AI and data leaders need a named owner for policy, exception handling and post-incident review. If responsibility is unclear, governance becomes symbolic and exceptions will accumulate outside control.
👉 Read our full editorial: AI agent governance is shifting from model review to runtime control