TL;DR: AI agent discovery remains the most common gap security teams report as organisations build low-code and no-code agents across AWS Bedrock, Azure AI Foundry, Copilot Studio, Vertex AI, and other environments, according to Lasso Security. Without a continuously updated inventory, security teams cannot govern model choice, tool access, or runtime behaviour across separate platforms.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should security teams inventory AI agents across multiple cloud platforms?
A: Security teams should treat every cloud platform, low-code builder, repository, and CI/CD pipeline as a discovery source.
Q: Why does AI-BOM visibility matter for agent governance?
A: AI-BOM visibility matters because an agent’s behaviour is defined by its components, not by a single account record.
Q: What breaks when AI agent discovery is incomplete?
A: When discovery is incomplete, security teams cannot reliably assign ownership, scope permissions, or detect cross-environment drift.
Practitioner guidance
- Build a cross-platform agent inventory first. Map every low-code, no-code, repository-built, and cloud-native agent across managed AI platforms and cloud accounts.
- Require an AI-BOM for every discovered agent. Track the foundation model version, system prompt, connected tools, MCP servers, retrieval sources, guardrails, and dependency set.
- Review delegated permissions in multi-agent graphs. Trace sub-agents, APIs, and external services to identify where permissions propagate beyond the parent agent.
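An added example, not code from Lasso Security or NHIMG: a small audit over a constructed inventory that flags AI-BOM fields the guidance above requires but a record lacks, scopes an agent can reach through sub-agents without holding them itself, and delegates that were never inventoried. The record schema (`scopes`, `delegates_to`, `aibom`) and every agent name and value are assumptions made for illustration.

```python
REQUIRED = ("model_version", "system_prompt", "tools", "mcp_servers",
            "retrieval_sources", "guardrails", "dependencies")
# Constructed inventory: every agent name, scope and value is hypothetical.
INVENTORY = {
    "support-bot": {"platform": "AWS Bedrock", "scopes": {"tickets.read"},
                    "delegates_to": ["refund-agent", "crm-lookup"],
                    "aibom": {"model_version": "example-model-v1",
                              "system_prompt": "prompt-rev-7", "tools": ["ticket_api"],
                              "mcp_servers": [], "retrieval_sources": ["kb-index"],
                              "guardrails": ["pii-filter"], "dependencies": ["sdk==1.0"]}},
    "refund-agent": {"platform": "Copilot Studio", "scopes": {"payments.write"},
                     "delegates_to": ["support-bot"],  # cycle back to the parent
                     "aibom": {"model_version": "example-model-v2", "tools": ["pay_api"]}},
}

def missing_aibom_fields(agent):
    """AI-BOM fields never declared; an explicit empty list counts as declared."""
    return [f for f in REQUIRED if agent.get("aibom", {}).get(f) is None]

def delegated_scopes(root, inventory):
    """Walk delegates_to from root; return ({scope: path}, [undiscovered names])."""
    own, extra, unknown, seen = inventory[root]["scopes"], {}, [], {root}
    stack = [(child, [root]) for child in inventory[root].get("delegates_to", [])]
    while stack:
        name, path = stack.pop()
        if name in seen:
            continue  # already visited: protects against delegation cycles
        seen.add(name)
        if name not in inventory:
            unknown.append(name)  # referenced by a parent but never inventoried
            continue
        here = path + [name]
        for scope in inventory[name]["scopes"] - own:
            extra.setdefault(scope, " -> ".join(here))
        stack.extend((c, here) for c in inventory[name].get("delegates_to", []))
    return extra, unknown

def audit(inventory):
    """One (agent, finding, detail) tuple per governance gap, sorted by agent."""
    findings = []
    for name, agent in sorted(inventory.items()):
        findings += [(name, "aibom-missing", f) for f in missing_aibom_fields(agent)]
        extra, unknown = delegated_scopes(name, inventory)
        findings += [(name, "scope-via-delegation", f"{s} via {p}") for s, p in sorted(extra.items())]
        findings += [(name, "undiscovered-delegate", u) for u in sorted(unknown)]
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="\t")
```

An explicitly empty `mcp_servers` list is treated as a declared value, so only fields that were never recorded are reported.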
What's in the full announcement
Lasso Security's full analysis covers the operational detail this post intentionally leaves for the source:
- Platform-by-platform discovery coverage across AWS Bedrock, Azure AI Foundry, Copilot Studio, Vertex AI, Salesforce Agentforce, and other managed builders.
- The AI-BOM fields and dependency graph outputs used to represent each discovered agent in operational detail.
- How automated red teaming is tied to the discovered posture and how findings feed into runtime policy updates.
- Examples of inline guardrail updates and re-testing after posture findings are generated.
Explore further
Cross-cloud AI agent discovery is now an identity control, not just an inventory task. Once agents can be created in Bedrock, Azure AI Foundry, Copilot Studio, Vertex AI, or code repositories, the old assumption that security can govern from a single console breaks down. The estate becomes distributed before it becomes visible, which means governance starts from absence rather than control. Practitioners should treat discovery as the first identity boundary for agentic systems.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- A separate finding from the same survey shows that only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree that governing them is critical to enterprise security.
A question worth separating out:
Q: How should organisations govern model selection for AI agents?
A: Organisations should treat model selection as a governance decision, not a local implementation detail. Approved models, restricted models, and external-facing models should be defined centrally so business teams cannot expand risk simply by choosing a different foundation model.