How should identity teams adapt governance for agentic AI?


(@sailpoint)
Estimable Member
Joined: 1 year ago
Posts: 78
Topic starter  

TL;DR: SailPoint’s Identity Day material argues that static identity controls cannot keep pace with agentic AI, and that governing every user, app, and permission in real time is becoming central to resilience and attack-surface reduction. The practical shift is from periodic access administration to continuous identity governance across human and non-human access paths.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern AI agents as identities?

A: Treat AI agents as non-human identities with explicit owners, scoped tool access, and immediate revocation paths.

Q: When does adaptive identity matter most for IAM programmes?

A: Adaptive identity matters most when access changes faster than review cycles can keep up, such as in cloud automation, privileged workflows, and agentic AI use cases.

Q: What is the difference between traditional IAM and adaptive identity?

A: Traditional IAM tends to apply fixed rules and scheduled reviews, while adaptive identity uses current context to adjust decisions in near real time.

Practitioner guidance

The organisations that build that control now will have more room to scale AI later?

👉 Read SailPoint's Identity Day details on adaptive identity and agentic AI →




   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

A few things worth adding from our research at NHI Mgmt Group.

Adaptive identity is becoming the organising concept for NHI governance. The old model assumed identities could be reviewed on a cycle and still remain trustworthy. That assumption breaks once service accounts, API keys, and AI agents can change behaviour between reviews. Practitioners should treat continuous governance as the baseline control expectation, not an advanced feature.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation often follows detection.

A question worth separating out:

Q: Should organisations prioritise identity governance before expanding agentic AI?

A: Yes. Organisations should establish ownership, least privilege, monitoring, and revocation for machine identities before broadening agentic AI use. Without those controls, each new agent can multiply blast radius and create shadow access that is hard to unwind after an incident.

👉 Read our full editorial: Identity Day frames adaptive identity for agentic AI risk



   