Notifications
Clear all
Topic starter
22/06/2026 10:22 am
TL;DR: AI agent discovery is becoming a central security control as employees create agents across platforms such as Copilot Studio, Salesforce Agentforce, and n8n, while 80% of organisations report agentic AI risks tied to improper data exposure and unauthorised system access, according to Nudge Security. The governance problem is no longer visibility alone, but accountability, permissions, and data access control at the moment agents are created and connected.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 80% of organizations say they have encountered agentic AI risks related to improper data exposure and access to systems without authorization.
Questions worth separating out
Q: How should security teams govern AI agents created by employees?
A: Security teams should treat employee-created AI agents as governed identities, not informal productivity tools.
Q: Why do shadow AI agents create NHI-style risk?
A: Shadow AI agents create NHI-style risk because they can hold credentials, call tools, and reach data without the lifecycle discipline usually applied to production identities.
Q: What breaks when AI agent permissions are not inventoried?
A: When permissions are not inventoried, security teams cannot tell whether an agent has appropriate access, excess access, or hidden data paths.
Practitioner guidance
- Inventory agents at the point of creation Continuously discover agents across sanctioned platforms and record who created them, what they connect to, and what they can access before they enter business use.
- Map every agent entitlement and connector Capture permissions, data sources, tool integrations, and any MCP connections so security teams can see the full reach of each agent in one place.
- Require named ownership for each agent Assign a human owner who can explain purpose, scope, and business justification, and make that owner accountable for changes, exceptions, and offboarding.
What's in the full announcement
Nudge Security's full post covers the operational detail this post intentionally leaves for the source:
- Platform-by-platform discovery coverage for Microsoft Copilot Studio, Salesforce Agentforce, n8n, and other agentic environments
- Risk surfacing for publicly accessible agents, hardcoded credentials, unauthenticated MCP connections, and orphaned agents
- Creator engagement and policy guardrail workflows that show how the control operates in practice
- The broader AI security and governance feature set that sits alongside agent discovery
👉 Read Nudge Security's analysis of AI agent discovery and shadow AI governance →
AI agent discovery and shadow AI governance: are controls keeping up?
Explore further
22/06/2026 11:16 am
AI agent discovery is now an identity governance control, not a product category. Once employees can create agents across multiple platforms, the practical question becomes whether security teams can inventory, validate, and constrain those identities before they spread. That moves agent discovery into the same governance territory as NHI lifecycle oversight and access reviews. Practitioners should treat discovery as the first gate in agent governance, not the last.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who should be accountable for an employee-created AI agent?
A: Accountability should sit with the creator and the business owner, not with an anonymous platform configuration. If the person who created the agent cannot explain its purpose, data access, and expected lifetime, the organisation does not yet have a governable identity. Ownership must be explicit enough to support review, offboarding, and exception handling.
👉 Read our full editorial: AI agent discovery changes the governance model for shadow AI
