Notifications
Clear all
Topic starter
28/05/2026 11:36 am
TL;DR: Astrix Security says most enterprises underestimate AI agent sprawl and need both full discovery and real-time policy enforcement because platform registries miss shadow agents running through NHIs, endpoints, and homegrown services. That combination turns AI agent governance from a visibility exercise into a control problem that IAM teams can no longer defer.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams govern AI agents that use non-human identities?
A: They should govern them as runtime entities, not just as accounts on a list.
Q: When does AI agent discovery become more than an inventory problem?
A: It becomes more than inventory when the agent can act in production with credentials that outlive the review process.
Q: What is the difference between discovering AI agents and controlling them?
A: Discovery identifies where the agents are and what identities they use.
Practitioner guidance
- Inventory agents by identity trace, not just platform registry Correlate AI platform data with NHI usage across cloud, SaaS, DevOps, and identity providers so unregistered agents do not remain invisible.
- Map each agent to an accountable human owner Require every discovered agent to be linked to a named business owner, a technical owner, and the NHIs it uses.
- Enforce pre-execution policy checks for high-risk actions Block or flag actions before execution when an agent requests write, delete, or administrative operations against critical resources.
With 98% of organisations planning to deploy even more AI agents within the next 12 months, per AI Agents: The New Attack Surface report, teams should assume that unmanaged growth is the default unless discovery and runtime policy are joined together?
👉 Read Astrix Security's announcement on AI agent discovery and policy enforcement →
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
28/05/2026 11:40 am
Discovery without enforcement creates an audit illusion. A complete inventory is useful, but it does not reduce risk unless it changes what the agent can actually do. In NHI programs, visibility often gets mistaken for control, especially when the environment includes autonomous software with its own execution path. The practical conclusion is that agent governance must be measured by prevented actions, not just by counted assets.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- 48% of organisations say they cannot track and audit the data their AI agents access, leaving a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Why do AI agents complicate least-privilege access models?
A: Because agents often use shared or long-lived NHIs, move quickly, and cross platform boundaries that human-centric review processes do not cover well. Least privilege still applies, but it has to be enforced at the identity, resource, and execution layers together. Otherwise the agent keeps more reach than the task requires.
👉 Read our full editorial: AI agent discovery and policy controls are now an IAM problem
