Notifications
Clear all
Topic starter
14/05/2026 7:38 pm
TL;DR: AI governance is lagging adoption, and organizations are increasingly embedding AI systems and agents across workflows, products, and decisions, creating unmanaged risk at scale according to Delinea. Responsible AI governance is becoming a business requirement, not a policy exercise, because machine identities and agent access now sit inside core security and compliance controls.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should teams operationalize AI governance inside existing IAM and GRC programs?
A: Start by treating AI systems and agents as governed identities with named owners, scoped privileges, and revocation rules.
Q: Why do AI agents create special identity and access risk?
A: AI agents can authenticate, call tools, and take actions without a human in the loop for each step, which expands the attack surface beyond ordinary user access.
Q: What is the difference between AI policy and AI governance?
A: AI policy states what the organization wants to allow, while AI governance enforces how those rules work in practice through ownership, access control, logging, and review.
Practitioner guidance
- Inventory AI agents and machine identities Build a current register of all AI systems, agents, service accounts, tokens, and API keys that can act on behalf of the business.
- Bind agent access to least privilege Limit each agent to task-scoped permissions, short-lived credentials, and explicit approval paths for higher-risk actions.
- Extend GRC controls into runtime evidence Require logging, policy exceptions, and access review evidence for agent actions inside existing audit and risk workflows.
The programme implication is clear: align AI control owners with IAM and PAM owners now, before agent sprawl makes entitlement mapping unmanageable?
👉 Watch Delinea's webinar on enterprise AI governance and agent risk →
Explore further
14/05/2026 7:39 pm
A few things worth adding from our research at NHI Mgmt Group.
AI governance has become an NHI governance problem, not a policy-only problem. Once agents can execute actions and hold credentials, the control question shifts from acceptable use to identity assurance, entitlement scope, and revocation. That changes the operating model for security, IAM, and GRC teams because AI oversight must be enforced in systems, not just documented in policy. Practitioners should treat AI governance as a governed identity lifecycle.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
A question worth separating out:
Q: Should organisations prioritize securing machine identities before expanding agentic AI use?
A: Yes. If agent identities, tokens, and service accounts are not tightly governed, expanding agentic AI increases the blast radius of every mistake or compromise. Security teams should establish inventory, least privilege, lifecycle control, and revocation paths before scaling deployment.
👉 Read our full editorial: AI governance gaps in agentic systems expose identity risk
