Notifications
Clear all
Topic starter
06/06/2026 11:32 am
TL;DR: The key issue is not certification theater but whether existing identity controls can govern agentic AI at runtime when agents access data, invoke tools and make decisions across environments, according to Zenity research. Zenity says it has reached FedRAMP “In Process” status as it moves toward federal authorization for AI agent security, positioning visibility, governance, runtime detection and compliance reporting for regulated government environments.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern AI agents in regulated environments?
A: They should govern AI agents as runtime identities, not as static applications.
Q: Why do AI agents complicate existing IAM and audit controls?
A: AI agents complicate IAM because they can change action paths during execution, which makes pre-approved access an incomplete picture.
Q: How can organisations tell if AI agent governance is actually working?
A: Look for continuous inventory, policy-aligned runtime enforcement and a clear record of blocked or remediated actions.
Practitioner guidance
- Map agent actions to runtime controls Document which AI agent actions are checked at decision time, which are blocked inline and which are only reviewed after the fact.
- Extend authorization evidence to agent behaviour Update control narratives so your FedRAMP or internal authorization package covers how agents are governed during execution, not only how the platform is secured.
- Build continuous agent discovery into governance Reconcile discovered agents against approved scopes on a recurring basis so shadow or drifted agents do not remain outside the control set.
What's in the full announcement
Zenity's full article covers the operational detail this post intentionally leaves for the source:
- The FedRAMP pathway and what “In Process” means for authorization sequencing
- How Knox Systems' precertified platform is being used to streamline the ATO journey
- The product-facing details behind continuous discovery, posture management and runtime prevention
- How federal procurement pathways and partner routes shape early engagement
👉 Read Zenity's update on FedRAMP progress for AI agent security →
AI agent governance in federal environments: what changes now?
Explore further
06/06/2026 12:24 pm
AI agent governance is now an authorization problem, not a point-solution problem. Once an agent can access data, invoke tools and make decisions across environments, the security question moves beyond static entitlement review. That changes the control model for regulated identity programmes, because governance must prove ongoing behavioural bounds rather than one-time approval. Practitioners should treat agent oversight as part of the identity control plane, not as an adjacent security feature.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: What should teams do when a platform certification does not cover agent behaviour?
A: They should treat platform certification as necessary but not sufficient. Separate the infrastructure approval from the agent approval, then require evidence for tool access, data exposure and runtime guardrails before production use. Otherwise the certification boundary and the real risk boundary will not match.
👉 Read our full editorial: AI agent governance enters FedRAMP review for federal deployments
