TL;DR: As the EU AI Act enters enforcement on August 2, 2026, deployers face a visibility and governance problem: many cannot reliably identify where AI agents run, what data they can access, or what actions they can take, according to Zenity. That gap makes continuous monitoring and action inventory a compliance issue, not just an operational one.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams govern AI agents under the EU AI Act?
A: Security teams should govern AI agents as managed identities with explicit owners, defined access, and continuous monitoring.
Q: Why do AI agents create governance problems for IAM teams?
A: AI agents create governance problems because their access can span multiple platforms, data sets, and tools, while their behaviour changes after deployment.
Practitioner guidance
- Inventory every AI agent and its control scope Create a living register of all agents, their owners, the platforms they run in, and the data and tools they can reach.
- Separate approval from monitoring Treat initial approval as a starting gate only.
- Define evidence for agent accountability Require named ownership, escalation paths, and review cadence for each agent identity.
What to expect at the briefing
Zenity's full on-demand webinar covers the operational detail this post intentionally leaves for the source:
- A practical 10-week action plan for deployers assessing and monitoring AI agents across their environment.
- Direct commentary from Zenity speakers on how the EU AI Act affects global deployment teams and governance workflows.
- Guidance on taking inventory of agents, their access paths, and the actions they are allowed to perform.
- A forward look at likely regulatory pressure from other legislative bodies affecting AI deployments.
👉 Watch Zenity's on-demand webinar on EU AI Act deployment and AI agent governance →
EU AI Act enforcement on Aug. 2, 2026: are agent controls ready?
Explore further
Agent visibility has become the first test of AI governance readiness. The article points to a familiar failure mode in a new setting: organisations can deploy AI agents faster than they can enumerate them. That creates governance blind spots across cloud platforms, embedded workflows, and business applications. The practical conclusion is that identity inventory is now a prerequisite for AI deployment, not a post-deployment clean-up task.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who should be accountable for AI agent behaviour after deployment?
A: Accountability should sit with both the business owner and the technical owner of the agent identity, backed by clear review and escalation paths. If ownership is informal, governance becomes fragmented and the organisation cannot demonstrate who approved access, who monitors drift, or who can intervene when behaviour changes.
👉 Read our full editorial: EU AI Act deployment pressure is exposing agent governance gaps