Notifications
Clear all
Topic starter
12/06/2026 9:45 pm
TL;DR: AI agents are creating a security blind spot because 80% of organisations report agent actions beyond intended scope and only 52% can track the data those agents access, according to SailPoint research. The governance problem is no longer theoretical: access review and compliance models assume access stays stable long enough to observe, but autonomous behaviour collapses that window.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams govern AI agents that can act across multiple systems?
A: Security teams should treat AI agents as governed non-human identities with owners, scope, and lifecycle controls.
Q: Why do AI agents create more identity risk than ordinary automation?
A: AI agents can choose actions at runtime, which means their behaviour may diverge from the original approval intent.
Practitioner guidance
- Establish a complete inventory of AI-facing identities Record every sanctioned AI tool, agent, service account, token, and API credential with a named owner and business purpose.
- Bind review cadence to agent activity signals Replace purely periodic access reviews with event-based triggers when an agent touches sensitive systems, changes scope, or accesses new datasets.
- Separate sanctioned automation from unsanctioned agents Define policy that distinguishes approved non-human identities from ad hoc AI tools used by teams, then enforce discovery controls across cloud, SaaS, and workflow platforms.
What to expect at the briefing
SailPoint's full event briefing covers the operational detail this post intentionally leaves for the source:
- The live session framing for shadow AI and AI agent governance across human, machine, and non-human identities.
- The booth conversation guide for discovering, governing, and securing identities as their access patterns evolve.
- The theatre session positioning on taming shadow AI and securing the non-human workforce.
- The event context for how SailPoint wants practitioners to think about adaptive identity in agentic environments.
👉 Register for SailPoint's Gartner SRM 2026 session on shadow AI and NHI governance →
AI agent governance is outpacing identity controls at Gartner SRM 2026?
Explore further
13/06/2026 12:04 am
Shadow AI is an identity governance problem before it is an AI security problem. The article describes unsanctioned AI tools and agent swarms, but the deeper issue is that security teams are inheriting identities they did not design, approve, or inventory. Once those identities can act with privilege, the programme loses lifecycle control, recertification loses coverage, and accountability becomes fragmented. Practitioners should treat shadow AI as unmanaged identity sprawl with consequences for access governance.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable for AI agent access when an incident occurs?
A: Accountability sits with the business owner of the agent, the team that approved its access, and the identity function that enforced or failed to enforce lifecycle controls. If the agent was unsanctioned, the accountability gap itself becomes the finding. Governance frameworks should make ownership explicit before production use.
👉 Read our full editorial: AI agent governance is outpacing identity controls at Gartner SRM 2026
