TL;DR: Agentic AI is forcing identity security, governance, and compliance teams to rethink control models as machine and human access patterns converge, according to Pathlock. The underlying issue is that IAM programmes built for static entitlements and review cycles do not fit runtime decision-making by autonomous systems.
NHIMG editorial — based on content published by Pathlock: Pathlock CEO Talks Identity in the AI Era
Questions worth separating out
Q: What breaks when agentic AI is governed like a normal application?
A: Normal application governance assumes the system follows a fixed path once access is granted.
Q: Why do agentic AI systems complicate IAM and IGA programmes?
A: They complicate IAM and IGA because the actor can exercise access dynamically rather than through a stable, human-paced workflow.
Q: How should organisations govern privileged access for AI-driven workflows?
A: They should treat AI-driven workflows as bounded execution paths with explicit approval, logging, and scope limits.
Practitioner guidance
- Map agentic decision points Identify every workflow where an AI system can choose actions, tools, or timing without a human approval gate.
- Separate reviewable access from runtime use Update access review processes so they distinguish between permission to act and actual execution by the actor.
- Bound privileged AI workflows Define explicit ceilings for delegated privilege, approved tool sets, and task scope before deploying agentic systems into production.
What's in the full analysis
Pathlock's full interview covers the operational detail this post intentionally leaves for the source:
- The CEO’s direct commentary on how agentic AI is changing enterprise governance and compliance priorities.
- The original Channel Insider interview context and quoted remarks from Damon Tompkins.
- The vendor’s framing of identity security implications for channel partners and enterprise programmes.
- The business context behind why identity security is being discussed in the AI era.
👉 Read Pathlock's interview on identity security in the AI era →
Agentic AI and identity security in the AI era: what changes?
Explore further
Agentic AI turns identity from a static entitlement problem into a runtime governance problem. The key shift is that access is no longer just granted and reviewed, it is exercised by an actor that can decide how to proceed inside the workflow. That changes the control question from entitlement ownership to decision authority. Practitioners should reframe governance around runtime behaviour, not only access records.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable when an autonomous AI system acts outside intent?
A: Accountability should remain with the business owner of the workflow, the team that approved the AI’s privileges, and the control owners responsible for monitoring. If those roles are unclear, the governance model is already too weak. Autonomous behaviour does not remove accountability, it exposes where it was never assigned.
👉 Read our full editorial: Pathlock CEO on identity security in the AI era