TL;DR: AI agent security incidents are now recurring, with CSA’s April 2026 survey finding 74% of enterprises expect more than 100 agents live by year-end, 53% saw agents exceed intended permissions, and 47% experienced an agent-related incident in the last year. The governance failure is treating agents as a model problem instead of an identity and access problem.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 74% of enterprises expect to have over 100 agents live by the end of 2026.
- 53% of participants noted that agents exceeded intended permissions or acted out of scope.
- 47% experienced a security incident involving an agent in the last year.
Questions worth separating out
Q: How should security teams govern AI agents that can act across multiple workflows?
A: Treat the agent as an identity with bounded authority, not as a model feature.
Q: Why do AI agents complicate traditional IAM and PAM controls?
A: They complicate IAM and PAM because the access decision is no longer static.
Practitioner guidance
- Inventory every live agent identity: Build a current register of all agents, the workflows they touch, and the tools and data sources they can reach.
- Collapse siloed ownership into one control model: Tie identity, application, endpoint, and model security into a single operating view for agents so permissions, logging, and revocation are evaluated together.
- Test for out-of-scope action chains: Run scenario testing for prompt injection, tool misuse, and unintended delegation paths, then verify whether the agent can be pushed beyond its intended workflow.
What to expect at the briefing
Zenity's live briefing covers what practitioners need to hear directly:
- Live discussion of how agents become consequential when security is not purposefully designed into their workflows
- Practical breakdown of where siloed model, identity, endpoint, and application security controls fail for agents
- Direct framing of how OWASP Top 10 for Agentic Applications maps to real governance decisions
- Examples of how secure-by-design breaks down when runtime authority is not tightly controlled
👉 Register for Zenity's June 15 live briefing on AI agent governance →
AI agent governance starts with identity, not model security?
Explore further
AI agent governance is now an identity governance problem, not a model governance side issue. The article's core signal is that enterprises are putting agents into production faster than traditional control boundaries can describe their authority. When agents span workflows, model security alone cannot answer who or what has permission to act. Practitioners should treat agent identity as a first-class governance object.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity failure can recur.
A question worth separating out:
Q: Who should be accountable for AI agent security incidents?
A: Accountability should sit with the team that owns the agent's business function and permission model, not with a single security tool owner. If the organisation cannot name who approved the agent's scope, who can revoke it, and who reviews runtime exceptions, the governance model is incomplete.
👉 Read our full editorial: AI agent governance starts with identity, not model security