How should teams govern the AI workforce at Infosecurity Europe 2026?


(@sailpoint)
Estimable Member
Joined: 1 year ago
Posts: 78
Topic starter  

TL;DR: AI agents are becoming part of the enterprise workforce while governance remains human-centric, creating gaps in visibility, ownership, lifecycle management, and trust, according to SailPoint’s Infosecurity Europe 2026 session. The underlying issue is that existing identity controls were not built for autonomous digital workers, so governance must shift from human login assumptions to machine action and accountability.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents as identities?

A: Treat AI agents as non-human identities with ownership, scope, and lifecycle rules.

Q: When does AI agent access become too risky to keep standing?

A: Standing access becomes risky when the agent can act across multiple systems, reuse credentials, or operate beyond the original task.

Q: What is the difference between human IAM and AI workforce governance?

A: Human IAM assumes a person with a predictable session, while AI workforce governance must manage autonomous execution, delegated tool use, and variable context.

Practitioner guidance

  • Define AI agent ownership and purpose: Assign a named business owner, technical steward, and approved task scope for each agent before it is allowed to act across production systems.
  • Enforce short-lived, task-scoped permissions: Use just-in-time access and time-bound grants for agent workflows so privileges expire when the task ends or the context changes.
  • Track agent lifecycle events end to end: Require provisioning, role change, suspension, and decommissioning workflows for every agent credential, token, and certificate.

Teams should expect more pressure to prove continuous oversight of machine identities, not just quarterly review completion.

👉 Read SailPoint's session details on governing the AI workforce at Infosecurity Europe 2026 →




   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

A few things worth adding from our research at NHI Mgmt Group.

The AI workforce creates an NHI governance problem, not just an AI governance problem. Once agents can execute tasks, call tools, and move across systems, they become non-human identities with real access consequences. That shifts the security discussion away from model behaviour alone and toward identity ownership, authorization scope, and revocation discipline. The field should treat agent identity as part of core IAM design, not as an add-on to AI policy.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Why do autonomous agents complicate zero trust architecture?

A: Autonomous agents complicate zero trust because they can make repeated decisions and tool calls without human confirmation at each step. Zero trust still applies, but the controls have to shift toward continuous verification, least privilege, and action-level auditability for machine identities.

👉 Read our full editorial: AI workforce governance gaps are widening for autonomous agents



   
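The practitioner guidance in the first post (named owner and scope, time-bound grants, lifecycle tracking) and the offboarding gap noted in the reply can be checked mechanically against an agent inventory. The following is an added example, not code from either poster or their organisations; the record fields, the one-hour TTL ceiling, the finding labels and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT_TTL = timedelta(hours=1)  # assumed policy ceiling for one task-scoped grant

@dataclass
class Grant:
    system: str
    issued_at: datetime
    expires_at: Optional[datetime]  # None means standing access

@dataclass
class Agent:
    agent_id: str
    owner: Optional[str]       # named business owner
    steward: Optional[str]     # technical steward
    task_scope: frozenset      # systems the approved task covers
    state: str                 # "active", "suspended" or "decommissioned"
    grants: list = field(default_factory=list)

def audit(agent: Agent, now: datetime) -> list:  # findings for one agent identity
    findings = []
    if not (agent.owner and agent.steward and agent.task_scope):
        findings.append("missing-owner-steward-or-scope")
    for g in agent.grants:
        if g.expires_at is not None and g.expires_at <= now:
            continue  # already expired, nothing left to revoke
        if agent.state != "active":
            findings.append(f"live-grant-on-{agent.state}-agent:{g.system}")
        if g.expires_at is None:
            findings.append(f"standing-grant:{g.system}")
        elif g.expires_at - g.issued_at > MAX_GRANT_TTL:
            findings.append(f"ttl-exceeds-policy:{g.system}")
        if g.system not in agent.task_scope:
            findings.append(f"out-of-scope:{g.system}")
    return findings

NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample data below
INVENTORY = [
    Agent("invoice-bot", "finance-ops", "platform-team", frozenset({"erp"}), "active",
          [Grant("erp", NOW - timedelta(minutes=10), NOW + timedelta(minutes=20))]),
    Agent("triage-bot", None, "soc-eng", frozenset({"ticketing"}), "active",
          [Grant("ticketing", NOW - timedelta(days=30), None),
           Grant("crm", NOW, NOW + timedelta(hours=8))]),
    Agent("old-etl", "data-eng", "data-eng", frozenset({"warehouse"}), "decommissioned",
          [Grant("warehouse", NOW - timedelta(days=90), None)]),
]
REPORT = {a.agent_id: audit(a, NOW) for a in INVENTORY}
```

Running the same check on every inventory change, rather than at review time, gives the continuous evidence of oversight that the first post anticipates.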