TL;DR: 91% of AI agents are over-privileged, 78% of AI deployments have no audit trail, and 64% of organisations cannot detect shadow AI agents, underscoring why one-time login checks do not govern agentic behaviour, according to SecureAuth. Identity programmes now need continuous authorization, attribution, and audit because autonomous action changes the control problem, not just the threat surface.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 91% of AI agents are over-privileged
- 78% of AI deployments have no audit trail
- 64% of organisations cannot detect shadow AI agents
Questions worth separating out
Q: How should security teams govern AI agents that can take actions on their own?
A: Treat each agent action as a separate authorization decision.
Q: Why do AI agents create more access risk than traditional service accounts?
A: AI agents can choose actions dynamically and chain tool use in ways that static service accounts do not.
Q: How do organisations know if AI agent controls are actually working?
A: Look for evidence that every agent action is logged, attributed, and policy-checked before execution.
Practitioner guidance
- Map every AI agent to an accountable identity owner. Require a named business owner, technical owner, and data scope for each agent before production use.
- Enforce per-action authorization for agent workflows. Place sensitive agent actions behind real-time policy checks that evaluate identity, context, and risk on every call.
- Remove downstream secrets from agent runtime paths. Use federated access patterns so agents authenticate through mediated identity flows instead of receiving reusable credentials.
What's in the full announcement
SecureAuth's full product announcement covers the operational detail this post intentionally leaves for the source:
- The platform's action-level authorization flow for AI agents across identity, policy, and risk context
- The stated mechanics for federated credentials across OAuth 2.0, OIDC, mTLS, and the unified vault
- The audit, detection, and downscope behaviours described for blocking or escalating unsafe actions
- The commercial rationale behind the CRO appointment and the enterprise market focus
👉 Read SecureAuth's announcement on real-time authorization for AI agents →
Explore further
Continuous authorization is the missing identity control for agentic AI. Login-time authentication assumes the security question is answered once, before the workload starts. That assumption fails when an agent can decide and act repeatedly inside the same session, because each tool call becomes a new trust decision. The implication is that identity governance for agents must be judged on transaction-level authority, not on whether the session was initially valid.
A few things that frame the scale:
- 91% of AI agents are over-privileged, according to the AI Agents: The New Attack Surface report.
- Another finding from the same research shows that 78% of AI deployments have no audit trail, which leaves security teams unable to reconstruct agent action chains after the fact.
A question worth separating out:
Q: What is the difference between continuous authorization and login-time authentication for AI agents?
A: Login-time authentication confirms the identity at the start of a session, while continuous authorization decides whether each specific action should proceed. For AI agents, that distinction matters because the session can remain valid while the agent's intent, target, or risk changes. Continuous authorization is therefore the stronger control for runtime behaviour.
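To make the distinction concrete, the sketch below is an added example, not SecureAuth's code or anything from the announcement. It shows one valid session producing three different per-action decisions, each attributed to an owner and logged before the tool runs. The class names, policy layout, risk scores, and sample agent are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class AgentSession:
    agent_id: str
    owner: str         # accountable human owner, recorded on every decision
    expires_at: float  # set once by login-time authentication

@dataclass
class ActionGate:
    # Hypothetical policy layout: agent_id -> {action: highest risk allowed without review}
    policy: dict
    audit_log: list = field(default_factory=list)

    def authorize(self, session, action, target, risk, now=None):
        """Decide a single action and log the decision before anything executes."""
        now = time.time() if now is None else now
        scope = self.policy.get(session.agent_id, {})
        if now >= session.expires_at:
            decision, reason = "deny", "session_expired"
        elif action not in scope:
            decision, reason = "deny", "action_not_in_scope"
        elif risk > scope[action]:
            decision, reason = "escalate", "risk_above_threshold"
        else:
            decision, reason = "allow", "policy_match"
        self.audit_log.append({"ts": now, "agent": session.agent_id,
                               "owner": session.owner, "action": action,
                               "target": target, "risk": risk,
                               "decision": decision, "reason": reason})
        return decision

    def call(self, session, action, target, risk, tool, now=None):
        """Run tool(target) only when this specific action is allowed."""
        if self.authorize(session, action, target, risk, now) != "allow":
            return None
        return tool(target)

def demo():
    # Constructed sample data: one agent, one session that stays valid throughout.
    gate = ActionGate({"invoice-agent": {"read_invoice": 0.8, "send_email": 0.5}})
    session = AgentSession("invoice-agent", "finance-ops@example.com", expires_at=2000.0)
    calls = [("read_invoice", "INV-1001", 0.2),
             ("send_email", "external@example.net", 0.9),
             ("delete_invoice", "INV-1001", 0.2)]
    results = [gate.call(session, a, t, r, lambda x: f"done:{x}", now=1000.0)
               for a, t, r in calls]
    return results, gate.audit_log

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The session never expires during the run, yet only the first call executes: the second is escalated on risk and the third is denied as out of scope, and all three appear in the audit log with the owner attached.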
👉 Read our full editorial: Continuous authorization for AI agents is the new identity baseline