TL;DR: AI agents are being deployed to reason, call tools, and touch sensitive data in production, but most security teams still cannot trace what they can access or how they reach cloud services, according to Unosecur. Visibility helps, yet the governance gap remains structural because current IAM controls were not built for autonomous execution paths.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern AI agents that can reach production systems?
A: Security teams should govern AI agents as non-human identities with explicit ownership, scoped permissions, and continuous review of their execution paths.
Q: Why do AI agents complicate IAM and zero trust models?
A: AI agents complicate IAM and zero trust because their effective authority is often created through delegated tool chains, not a single obvious login or credential.
Q: What breaks when AI agent access is reviewed only at the account level?
A: Reviewing only the account level hides the functions, roles, and downstream services that create real privilege.
Practitioner guidance
- Build a complete AI agent inventory: Record every agent by account, region, owner, and business purpose, then reconcile that list against deployed cloud functions and roles.
- Trace effective permissions through the execution path: Follow the chain from agent to function to IAM role to downstream service, and document the permissions that become effective at each step.
- Classify agents by risk and guardrail status: Tag each agent for sensitivity of data access, breadth of permissions, and presence or absence of guardrails so high-risk identities are prioritised in review and remediation.
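The three steps above, worked as an added example that is not Unosecur's or NHIMG's code: it traces each agent's effective permissions through function and role, tags risk, and lists deployed functions missing from the inventory. All agent, function and role names, the sensitive-service set and the risk thresholds are assumptions constructed for illustration.

```python
# Constructed sample data: every name below is hypothetical.
AGENTS = [
    {"id": "support-bot", "account": "111111111111", "region": "eu-west-1",
     "owner": "cx-team", "functions": ["lookup_order"], "guardrails": True},
    {"id": "ops-agent", "account": "222222222222", "region": "us-east-1",
     "owner": None, "functions": ["run_report", "rotate_keys"], "guardrails": False},
]
# Deployed functions and the role each one assumes (constructed).
FUNCTION_ROLE = {"lookup_order": "orders-read", "run_report": "analytics",
                 "rotate_keys": "platform-admin", "legacy_sync": "platform-admin"}
ROLE_ACTIONS = {"orders-read": ["dynamodb:GetItem"],
                "analytics": ["s3:GetObject", "s3:ListBucket"],
                "platform-admin": ["iam:*", "secretsmanager:GetSecretValue"]}
SENSITIVE_SERVICES = {"iam", "secretsmanager", "kms"}  # assumed classification


def trace(agent):
    """Return every agent -> function -> role -> service hop with its action."""
    hops = []
    for fn in agent["functions"]:
        role = FUNCTION_ROLE.get(fn)  # None means the function is not deployed
        for action in ROLE_ACTIONS.get(role, []):
            hops.append((agent["id"], fn, role, action.split(":")[0], action))
    return hops


def classify(agent):
    """Tag risk from data sensitivity, permission breadth and guardrail status."""
    hops = trace(agent)
    reasons = []
    if any(h[3] in SENSITIVE_SERVICES for h in hops):
        reasons.append("sensitive-service")
    if any(h[4].endswith("*") for h in hops):
        reasons.append("wildcard-action")
    if not agent["guardrails"]:
        reasons.append("no-guardrails")
    if not agent["owner"]:
        reasons.append("no-owner")
    # Assumed threshold: two or more findings is high risk.
    level = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return level, reasons


def unreconciled_functions():
    """Deployed functions that no inventoried agent claims (inventory gap)."""
    claimed = {fn for a in AGENTS for fn in a["functions"]}
    return sorted(set(FUNCTION_ROLE) - claimed)
```

An account-level review of `ops-agent` would show one identity; the trace shows it reaches `iam:*` through `rotate_keys`, and `legacy_sync` holds the same role with no agent on record.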
What's in the full announcement
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of how the AI Agent Dashboard groups risk findings across accounts and regions.
- Field-level detail on how knowledge bases, permissions, and execution paths are surfaced for each agent.
- The exact structure of the Access Graph and how it maps agent-to-function-to-role relationships.
- Operational examples of how the dashboard can support audit triage and incident investigation.
AI agent dashboards: what visibility do IAM teams actually need?
Visibility is not governance, but it is the first hard boundary. A dashboard can reduce blind spots, yet it does not by itself solve ownership, authorisation scope, or lifecycle control. For AI agents, visibility is the minimum condition for treating them as first-class identities rather than opaque automation. The practitioner implication is that inventory must feed an identity governance workflow, not stand alone as a reporting layer.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How do security teams prove an AI agent stayed within its intended scope?
A: Teams need evidence of which data sources were queried, which permissions were active, and what execution path was used at the time of action. Without that linkage, scope claims are hard to defend during incident response or audit. Traceability is the difference between assumed control and demonstrable control.