Notifications
Clear all
Topic starter
22/06/2026 10:22 am
TL;DR: AI agents are already embedded across enterprise workflows, yet most security teams still lack visibility into decision chains, policy violations, and overprivileged access, according to Zenity and Gartner. Legacy controls built for static applications are not enough once agents can act, choose tools, and move across environments without human pacing.
NHIMG editorial — based on content published by Zenity: Zenity named in two categories in the 2026 Gartner Hype Cycle for Agentic AI
By the numbers:
- 17% of organizations have deployed AI agents so far, but 42% expect to do so in the next 12 months.
Questions worth separating out
Q: How should security teams govern AI agents that can take action across multiple systems?
A: Security teams should govern AI agents with continuous discovery, runtime policy enforcement, and audit trails that capture tool use and data access.
Q: Why do AI agents create a governance gap for IAM and PAM programmes?
A: AI agents create a governance gap because they do not behave like static accounts or human users.
Q: What do security teams get wrong about AI agent access reviews?
A: Security teams often assume an access review can fully explain agent risk, but that only captures the starting entitlement.
Practitioner guidance
- Map every AI agent to an accountable owner Require a named business or technical owner for each agent, including approved tools, data sources, and escalation paths.
- Add runtime policy checks at execution points Place controls where agents act across SaaS, cloud, and endpoint environments so policy can block or constrain unsafe actions in motion.
- Treat decision chains as audit evidence Retain the sequence of prompts, tool calls, data access events, and policy outcomes so investigators can reconstruct what the agent did and why.
What's in the full analysis
Zenity's full post covers the operational detail this post intentionally leaves for the source:
- The product's lifecycle coverage from discovery to response across SaaS, cloud, and endpoint environments
- The vendor's described control model for policy violations, overprivileged access, and runtime prevention
- The specific enterprise deployment example used to show scale across 575,000 resources and more than 200 environments
- The article's product framing around continuous monitoring, guardrails, and governance across AI agents
👉 Read Zenity's analysis of Gartner recognition for AI agent governance →
AI agent governance and runtime control gaps: what teams need now?
Explore further
22/06/2026 11:15 am
AI agent governance has crossed from access management into runtime control. The important shift is that agents are no longer just identities with credentials, they are decision-makers with execution paths. That changes the problem from provisioning and review to continuous behavioural control across tools, data, and environments. Practitioners should treat this as a new control plane requirement, not an extension of legacy IAM.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should be accountable when an AI agent exceeds its intended scope?
A: Accountability should sit with the business or technical owner who approved the agent's purpose, controls, and operating boundaries. Security, IAM, and platform teams all have roles, but the owner must be traceable when the agent's actions create risk. That accountability model is essential for audit, investigation, and corrective action.
👉 Read our full editorial: AI agent governance needs a new control plane for runtime risk
