AI agent decision-level security at Black Hat USA 2026


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: AI agents are increasingly a governance problem at the decision layer, with the AI Summit on August 4 highlighting how agents can reach corporate data, actions, triggers, and other systems across SaaS, cloud, and endpoints, according to Zenity. The practical takeaway is that agent security now has to assume runtime decision-making, not just credential management.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern AI agents that can make runtime decisions?

A: Security teams should govern AI agents at the decision layer by defining where the agent can act, what it can choose, and which downstream tools require policy checks before execution.

Q: What breaks when AI agents are treated like ordinary service accounts?

A: Treating AI agents like ordinary service accounts breaks because the agent can adapt its next move, chain actions, and interact with multiple systems in a single workflow.

Practitioner guidance

  • Inventory every AI agent identity and execution surface: Document which agents operate in SaaS, cloud, and endpoint environments, then map each one to the data sources, applications, and triggers it can reach.
  • Define decision checkpoints for high-risk agent actions: Require policy enforcement before an agent can call tools, trigger downstream workflows, or hand tasks to another agent.
  • Restrict chained and recursive agent workflows: Review whether one agent can trigger another without human oversight, then block paths that can create uncontrolled follow-on execution.

What to expect at the briefing

Zenity's full event promotion covers the operational detail this post intentionally leaves for the source:

  • Booth #5521 demo details showing how the platform frames decision-level AI agent security across SaaS, cloud, and endpoint environments.
  • The AI Summit on August 4 with researcher-led talks and main-stage sessions on AI security and governance.
  • Community events, briefings, and OWASP participation details for practitioners who want the conference schedule and networking context.
  • The vendor's positioning on securing agents in enterprise workflows and the specific meeting opportunities available at Black Hat USA.

👉 Read Zenity's Black Hat USA 2026 briefing on AI agent decision-level security →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Decision-level governance is now the right security boundary for AI agents. The source is not really about event logistics. It is about the fact that agent behaviour is defined by runtime decisions that can fan out across data, tools, and workflows. Traditional entitlement management is still necessary, but it is no longer sufficient when the risky act is the choice itself rather than the permission alone. Practitioners should treat the decision point as the unit of governance.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why governance assumptions break down once real workflows hit production.

A question worth separating out:

Q: Who is accountable when an AI agent triggers an unintended action?

A: Accountability should sit with the team that approved the agent's operating scope, policy, and connected systems, because the agent acted within a delegated governance model. Organisations need clear ownership for the agent identity, its approval path, and its monitored execution surface. Without that, incident response becomes a debate over ownership instead of containment.

👉 Read our full editorial: AI agent governance at Black Hat USA 2026 needs decision-level controls



   