Notifications
Clear all
Topic starter
08/06/2026 4:16 pm
TL;DR: AI agents are spreading across enterprise SaaS, cloud, and endpoint environments, with more than 80% of Fortune 500 companies already deploying autonomous systems, according to Zenity; Gartner naming Zenity a Cool Vendor in Agentic AI TRiSM reflects a wider shift. The security problem is no longer prompt filtering, but governing what agents can access, decide, and do in real time.
NHIMG editorial — based on content published by Zenity: Zenity named a 2025 Cool Vendor in Gartner’s Agentic AI TRiSM report
By the numbers:
- Over 80% of Fortune 500 companies are already deploying these autonomous systems, oftentimes without adequate security guardrails.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: What does agentic AI TRiSM mean for IAM and NHI teams?
A: It means governance can no longer stop at authentication and static entitlements.
Q: Why do autonomous AI agents create more risk than ordinary automation?
A: Ordinary automation follows predefined rules, but autonomous agents can choose actions and sequence them dynamically.
Q: How should security teams govern AI agents that touch sensitive data?
A: They should treat each agent as a non-human identity with explicit ownership, least-privilege tool access, and telemetry on actual behaviour.
Practitioner guidance
- Map every agent to a named business owner Document who approves deployment, who reviews ongoing access, and who can remove the agent when risk changes.
- Review tool access as a separate control surface Inventory which tools, APIs, databases, and SaaS systems each agent can invoke, then narrow those permissions to the smallest workable set.
- Monitor agent execution paths, not just prompts Capture the sequence of calls, data touches, and outbound actions so you can see what the agent actually did.
What's in the full analysis
Zenity's full blog post covers the operational detail this post intentionally leaves for the source:
- How Zenity maps agent discovery across SaaS, cloud, and endpoint environments into its lifecycle model.
- How its step-level monitoring and prevention logic is positioned for real-time agent behaviour analysis.
- How the AgentFlayer research is translated into detection rules and prevention capabilities.
- What the AI Agent Security Summit is intended to cover for practitioners building agent governance programmes.
👉 Read Zenity's analysis of Gartner's agentic AI TRiSM recognition and AI agent governance →
Agentic AI TRiSM and NHI governance: what changes for teams?
Explore further
08/06/2026 5:49 pm
AI agent governance is no longer a subset of application security. Once software can select tools, chain actions, and operate across enterprise systems, the control problem becomes identity-centric. The important question is not whether the prompt was safe, but whether the actor had the right to assemble a harmful workflow in the first place. Practitioners should treat this as a governance boundary shift, not a tooling upgrade.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- In the same research, 80% of organisations report that their AI agents have already acted beyond intended scope, including 39% that saw access to unauthorised systems and 23% that saw revealed access credentials.
A question worth separating out:
Q: What should organisations do when AI agent behaviour exceeds intended scope?
A: They should pause the specific agent workflow, inspect the connectors and permissions that enabled the behaviour, and compare the observed actions to the approved business purpose. If the agent crossed trust boundaries, the governance model failed to constrain execution, not just access.
👉 Read our full editorial: Gartner’s agentic AI TRiSM signal widens the NHI governance gap
