Notifications
Clear all
Topic starter
08/06/2026 4:16 pm
TL;DR: The governance issue is no longer whether agents will be deployed, but whether identity and runtime controls can keep up with their cross-system reach, alongside Zenity’s recognition as a Gartner Cool Vendor in Agentic AI TRiSM and its claim to secure AI agents across SaaS apps, custom platforms, and end user devices, while its labs cite AgentFlayer zero-click exploit chains as evidence that agent compromise can be silent and fast.
NHIMG editorial — based on content published by Zenity: Zenity Named Gartner Cool Vendor in Agentic AI TRiSM
Questions worth separating out
Q: How should security teams govern AI agents that operate across multiple platforms?
A: Security teams should govern AI agents as delegated actors with cross-platform reach, not as isolated workloads.
Q: Why do AI agents create more identity risk than traditional automation?
A: AI agents create more identity risk because they can decide which actions to take and when to take them, rather than following a fixed script.
Q: How do teams know if agent security controls are actually working?
A: Controls are working only if teams can see and explain the agent’s runtime behaviour, not just its provisioning state.
Practitioner guidance
- Separate agent governance from generic workload controls Create a distinct control set for AI agents that tracks runtime decisions, tool permissions, and cross-platform delegation.
- Inventory delegated access across every agent touchpoint Map the full chain across SaaS applications, custom agent platforms, and end user devices so inherited permissions are visible in one place.
- Monitor for silent action-chain abuse Add detections for unusual agent sequencing, unexpected tool use, and cross-system actions that occur without a corresponding human trigger.
What's in the full analysis
Zenity's full article covers the operational detail this post intentionally leaves for the source:
- Supported environment coverage across Microsoft 365 Copilot, ChatGPT Enterprise, Salesforce Agentforce, AWS Bedrock, and Google Vertex.
- Zenity Labs' AgentFlayer findings and the exploit-chain patterns that informed its agent-security framing.
- Vendor positioning on how enterprises operationalise AI responsibility across specific deployment surfaces.
- Additional context on the company's platform scope and how it describes agent governance across ecosystems.
👉 Read Zenity's analysis of Agentic AI TRiSM and AI agent governance →
Agentic AI TRiSM: what it means for AI agent governance teams?
Explore further
08/06/2026 5:49 pm
Agentic AI security is becoming a distinct identity discipline, not an extension of classic workload control. Agents do not behave like ordinary service accounts because they make runtime decisions, chain tools, and cross trust boundaries. That changes the governance question from fixed entitlement review to continuous control of delegated action. Practitioners should treat agent security as its own operating model within IAM and NHI governance.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: What does agentic AI TRiSM mean for existing IAM and NHI programmes?
A: It means IAM and NHI teams need to extend governance from identity issuance to identity behaviour. Existing programmes should keep handling credential lifecycle, but they also need to account for autonomous tool use, delegated access chains, and runtime risk. That is a shift from managing accounts to managing action paths.
👉 Read our full editorial: Agentic AI TRiSM and agent security governance are moving mainstream
