OWASP agentic security in 2026: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: OWASP's 2026 State of Agentic AI Security and Governance report shifts the conversation from hypothetical risk to real incidents, taxonomy updates, identity considerations, and regulatory context, according to Zenity. The practical issue is that agentic systems collapse human-operator assumptions, so existing IAM and NHI controls must be reassessed for runtime decision-making.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern agent identities differently from service accounts?

A: Security teams should treat agent identities as a separate governance class when the software can choose tools, initiate actions, or continue work without a human approval gate.

Q: Why do human access review processes fail for agentic systems?

A: Human access review processes fail because they assume access persists long enough for a reviewer to observe, certify, and revoke it.

Practitioner guidance

  • Separate agent identities from generic machine accounts: Inventory which software actors can select tools or initiate actions at runtime, then assign them a governance path that is distinct from ordinary service accounts.
  • Reassess approval and review cadences for runtime actions: Test whether access reviews, recertification, and manual approval gates can actually intervene before an agent completes a task.
  • Add provenance to identity onboarding for agents: Track the models, tools, plugins, and upstream dependencies an agent can use before it is allowed into production.

What to expect at the briefing

Zenity's full webinar covers the operational detail this post intentionally leaves for the source:

  • Live AMA questions on securing coding agents, enterprise assistants, and autonomous systems in production.
  • Discussion of the revised OWASP agent taxonomy and how it changes governance language for identity teams.
  • Walkthrough of the new sections on agent identity, AI SBOM, supply chain provenance, and regulatory considerations.
  • Direct answers from the report's authors on real incidents and exploits tracked in the 2026 edition.

👉 Register for Zenity's live AMA on OWASP agentic security and governance →




   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Agent identity is becoming a distinct governance category, not a branding variation of NHI. The article's taxonomy update matters because a coding agent or enterprise assistant can have runtime behaviour that is materially different from a service account holding the same underlying credentials. If teams collapse both into one machine-identity bucket, they miss the need to govern delegated action, tool selection, and execution timing as separate controls. The implication is that IAM and GRC teams need a differentiated control model for agent identities.

A few things that frame the scale:

A question worth separating out:

Q: How can organisations prepare for governance of AI agents in production?

A: Organisations should start with ownership, provenance, and runtime scope. That means naming the accountable team, inventorying the tools and dependencies the agent can touch, and setting boundaries that reflect actual execution paths rather than static entitlement lists.

👉 Read our full editorial: OWASP agentic security governance in 2026 raises identity gaps



   