Notifications
Clear all
Topic starter
11/06/2026 10:51 pm
TL;DR: Enterprises are treating human, machine, and AI-agent identities as a single control problem, with identity becoming a live control plane for delegated authority and continuous verification, according to SecureAuth. The implication is that static access checks are no longer enough when agents can read data, move money, and change systems.
NHIMG editorial — based on content published by SecureAuth: leadership update on AI, machine, and AI-agent identity security
Questions worth separating out
Q: How should security teams govern AI agents that act on behalf of users?
A: They should govern AI agents as delegated identities with explicit action boundaries, named ownership, and continuous verification for high-risk operations.
Q: Why do AI agents change existing IAM assumptions?
A: AI agents change IAM assumptions because access is no longer a stable state that can be granted, reviewed, and trusted over a session.
Q: What breaks when human, machine, and AI-agent identities are managed separately?
A: Separate management creates blind spots around delegation, ownership, and revocation.
Practitioner guidance
- Define runtime authority boundaries Map which actions AI agents, service accounts, and human users can initiate without additional approval, then separate read, write, and destructive permissions at the workflow level.
- Unify governance across identity types Bring human IAM, NHI governance, and AI-agent oversight into one access model so that delegation, review, and revocation follow the same control logic.
- Tighten delegated access review Review every identity that can act on behalf of another identity, including agent-to-service and human-to-agent chains, and document the accountable owner for each path.
What's in the full analysis
SecureAuth's full announcement covers the operational detail this post intentionally leaves for the source:
- How the company describes its AI-driven identity security platform and the control model behind it
- The leadership transition details and the stated rationale for the CEO appointment
- How SecureAuth positions its continuous authentication and authorization concepts across workforce, customer, and agentic identities
- The vendor's own explanation of the Microperimeter Authorizer and BCIA capabilities
👉 Read SecureAuth's leadership update on AI-agent and machine identity security →
AI agent identity governance is shifting from login checks to control?
Explore further
12/06/2026 7:14 am
AI-agent governance is forcing identity teams to rethink what access means. When software can act on behalf of people and other services, identity stops being a login event and becomes an operating model for delegated authority. That changes the control objective from granting access to bounding action, which is why agentic AI belongs in IAM strategy, not in a separate innovation track. Practitioners should treat this as a redesign of the access model, not a product upgrade.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: What should organisations do when AI agents can change systems or move money?
A: They should require stronger approval gates, per-action policy checks, and explicit break-glass controls for sensitive operations. High-impact actions need controls that verify the current context and the accountable owner before execution. That reduces the chance that delegated authority becomes open-ended authority.
👉 Read our full editorial: AI agent identity is becoming a live control plane for access
