TL;DR: As agent-mediated commerce expands and traditional human-centric identity models no longer answer who authorized an action or what the agent was allowed to do, enterprises now need governance for AI agents acting on behalf of customers and partners, including transactional authorization, auditability, KYA verification, and self-service revocation, according to Strivacity. The governance gap is no longer theoretical: identity programmes must account for delegated, non-human action at the customer layer.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- By 2028, Gartner projects that 90% of B2B buying will be AI-agent intermediated, representing more than $15 trillion in B2B spend flowing through AI agent exchanges.
Questions worth separating out
Q: How should security teams govern AI agents acting on behalf of customers or partners?
A: Security teams should govern delegated agents with explicit authorization boundaries, recorded consent, and revocation paths.
Q: Why do AI agents complicate customer identity governance?
A: AI agents complicate customer identity governance because they can act outside the normal human login model while still affecting accounts, transactions, and data.
Q: What breaks when organizations rely on standard session-based access for AI agents?
A: Standard session-based access fails when the agent can make multiple decisions within a single session and the organisation cannot show which actions were authorised.
Practitioner guidance
- Define delegation boundaries for agent actions: Map customer and partner agent use cases into explicit allow, deny, and approval-required actions before deployment.
- Bind every agent action to an authorising identity: Require audit records that capture the agent, the human or system that authorised it, the scope approved, and the outcome observed.
- Add agent onboarding and offboarding controls: Treat external agents like governed actors with a lifecycle, including verification before access, periodic review of permissions, and a revocation path that removes authority without breaking unrelated customer access.
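The three guidance points above, as a constructed Python sketch added to this post (it is not Strivacity's code and does not describe the product's behaviour): a customer delegates a bounded scope to an agent, every agent action is decided individually against that grant and written to an audit record that names the agent, the authoriser, the limits in force and the outcome, and revoking one agent's grant leaves the customer's other grants working. The grant shape (per-action allow / deny / approval-required plus a transaction limit), the identifiers and the scenario are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Literal

Decision = Literal["allow", "deny", "approval_required"]


@dataclass
class DelegationGrant:
    """Scope a customer or partner has delegated to one agent (constructed shape)."""
    grant_id: str
    agent_id: str
    authorised_by: str                 # human or system that approved the scope
    policy: dict[str, Decision]        # action -> allow / deny / approval_required
    max_amount: float = 0.0            # per-transaction limit applied to "pay"
    revoked: bool = False


@dataclass(frozen=True)
class AuditRecord:
    """One record per agent action: who acted, who authorised, what scope, what happened."""
    timestamp: str
    grant_id: str
    agent_id: str
    authorised_by: str
    action: str
    decision: Decision
    limits_in_force: str
    outcome: str


class DelegationRegistry:
    """In-memory grant store plus an append-only audit trail (illustrative only)."""

    def __init__(self) -> None:
        self.grants: dict[str, DelegationGrant] = {}
        self.audit: list[AuditRecord] = []

    def issue(self, agent_id: str, authorised_by: str,
              policy: dict[str, Decision], max_amount: float = 0.0) -> DelegationGrant:
        grant_id = f"grant-{len(self.grants) + 1}"       # deterministic id for the demo
        grant = DelegationGrant(grant_id, agent_id, authorised_by, dict(policy), max_amount)
        self.grants[grant_id] = grant
        return grant

    def revoke(self, grant_id: str) -> None:
        """Remove one agent's authority; other grants held by the same customer are untouched."""
        self.grants[grant_id].revoked = True

    def authorise(self, grant_id: str, action: str, amount: float = 0.0) -> AuditRecord:
        """Decide one action and record it; never inherits a decision from an earlier call."""
        grant = self.grants.get(grant_id)
        if grant is None or grant.revoked:
            # A denied action is still part of the accountability trail.
            return self._record(grant_id, grant.agent_id if grant else "unknown",
                                grant.authorised_by if grant else "unknown",
                                action, "deny", "no active grant", "denied")
        decision: Decision = grant.policy.get(action, "deny")   # default-deny unknown actions
        limits = f"max_amount={grant.max_amount}"
        if decision == "allow" and action == "pay" and amount > grant.max_amount:
            decision = "approval_required"                       # exceeds the delegated limit
        outcome = {"allow": "executed", "deny": "denied",
                   "approval_required": "held for human approval"}[decision]
        return self._record(grant_id, grant.agent_id, grant.authorised_by,
                            action, decision, limits, outcome)

    def _record(self, grant_id, agent_id, authorised_by, action, decision, limits, outcome):
        rec = AuditRecord(datetime.now(timezone.utc).isoformat(), grant_id, agent_id,
                          authorised_by, action, decision, limits, outcome)
        self.audit.append(rec)
        return rec

    def who_approved(self, agent_id: str) -> list[tuple[str, str, str]]:
        """Answer the accountability question for one agent: (action, authoriser, limits)."""
        return [(r.action, r.authorised_by, r.limits_in_force)
                for r in self.audit if r.agent_id == agent_id]


def demo() -> DelegationRegistry:
    """Constructed scenario: one customer delegates to a shopping agent and a support agent."""
    reg = DelegationRegistry()
    shop = reg.issue("agent-shop", "customer:alice",
                     {"read_catalogue": "allow", "pay": "allow", "change_address": "deny"},
                     max_amount=200.0)
    support = reg.issue("agent-support", "customer:alice",
                        {"read_orders": "allow", "refund": "approval_required"})
    # Several decisions inside one "session", each individually authorised and logged.
    reg.authorise(shop.grant_id, "read_catalogue")
    reg.authorise(shop.grant_id, "pay", amount=150.0)       # within limit -> executed
    reg.authorise(shop.grant_id, "pay", amount=950.0)       # over limit -> held for approval
    reg.authorise(shop.grant_id, "change_address")          # explicitly denied
    reg.authorise(shop.grant_id, "export_data")             # not in policy -> default deny
    reg.revoke(shop.grant_id)                               # offboard the shopping agent
    reg.authorise(shop.grant_id, "pay", amount=10.0)        # denied: no active grant
    reg.authorise(support.grant_id, "read_orders")          # alice's other agent still works
    return reg


if __name__ == "__main__":
    for rec in demo().audit:
        print(f"{rec.agent_id:14} {rec.action:16} {rec.decision:18} {rec.outcome}")
```

The point of the sketch is the unit of authorisation: each call to `authorise` is evaluated against the grant and produces its own record, so a session in which the agent makes several decisions still yields one attributable line per action, and `who_approved` can answer, for any of them, who delegated the scope and what limit was in force at the time.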
What's in the full announcement
Strivacity's full article covers the operational detail this post intentionally leaves for the source:
- Precise capability descriptions for transactional authorization, KYA verification, and unified audit trails.
- How the release fits alongside existing CIAM and partner identity workflows without a platform replacement.
- The vendor's positioning on standards support, including OAuth 2.1, MCP Authorization, PAR, RAR, DPoP, token exchange, ID-JAG, and CIBA.
- Context on how the product extends customer identity and consent management into agentic use cases.
👉 Read Strivacity's announcement on agentic identity governance for AI agents →
Agentic identity governance: what changes for customer and partner access?
Explore further
Agentic identity is now a customer governance problem, not just an authentication problem. Once an AI agent can act on behalf of a customer or partner, the identity programme has to govern delegation, consent, and accountability together. That shifts the centre of gravity from login to authorised action, which is where most CIAM stacks were never designed to operate. Practitioners need to treat delegated machine action as a first-class identity event.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, according to the AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent performs an unauthorised action?
A: Accountability should be assigned to the authorising party, the controlling organisation, and the governance process that allowed the scope to exist. If the organisation cannot prove who approved the action and what limits were in force, it does not have sufficient identity governance for agentic access.
👉 Read our full editorial: Agentic identity governance now extends to customer and partner actions