Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent security in the enterprise: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI agents already operate with credentials, tool access, and real execution authority across sensitive systems, according to Zenity’s guide, as enterprise AI spans distinct deployment archetypes. The governance problem is no longer theoretical: access review, privilege control, and runtime oversight all need to account for autonomous behaviour, not just prompts.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern AI agents that can act on production systems?

A: Treat each agent as a governed identity with a named owner, issued credentials, approved tools, and a clear task boundary.

Q: Why do AI agents complicate existing IAM and PAM controls?

A: Because IAM and PAM were built around stable identities and predictable approval flows, while agents can make runtime decisions and invoke tools dynamically.

Practitioner guidance

  • Inventory every production AI agent Record the agent owner, issuing system, credential type, connected tools, and the business process it can affect.
  • Move authorisation to the tool layer Evaluate each agent action at execution time, with policy based on destination system, data sensitivity, and task context.
  • Apply lifecycle controls to agent identities Require joiner, mover, and leaver handling for agents, including prompt changes, permission changes, workflow changes, and retirement.

What to expect at the briefing

Zenity's full article covers the operational detail this post intentionally leaves for the source:

  • How Zenity maps agent behaviour to runtime security decisions across enterprise workflows
  • The specific integration pattern used to inspect context and tool invocations before execution
  • The article's breakdown of deployment archetypes and how each changes the attack surface
  • The operational examples behind the governance mindset for securing agentic AI at scale

👉 Read Zenity's analysis of AI agent security and enterprise governance →

AI agent security in the enterprise: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI agent governance is now an identity problem, not a model problem. The article describes agents that are authorised, credentialed, and active inside enterprise systems, which moves the security question from output quality to identity control. That shift matters because IAM, PAM, and NHI controls were built to govern who can do what, not merely to filter what a model says. Practitioners should treat agent identity as the primary control plane.

A few things that frame the scale:

A question worth separating out:

Q: How can organisations tell whether agent governance is actually working?

A: Look for evidence that every production agent has an owner, a current purpose, a bounded tool set, and a defined retirement path. If agents remain active after the workflow changes, or if nobody can explain which actions they are authorised to take, governance is failing even if logs exist.

👉 Read our full editorial: AI agent security in the enterprise starts with governance



   
ReplyQuote
Share: