Notifications
Clear all
Topic starter
22/06/2026 10:00 am
TL;DR: AI agent security and governance are being positioned for public sector adoption, with visibility, policy enforcement and runtime controls aimed at agents that can access systems, make decisions and take actions, according to Zenity. The core issue is not model security alone, but governance for autonomous behaviour that can create operational risk before existing IAM and audit cycles can respond.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams govern AI agents that can take actions on behalf of users?
A: Security teams should govern AI agents as identities with observable behaviour, not just as application features.
Q: Why do AI agents complicate existing IAM and NHI controls?
A: AI agents complicate IAM and NHI controls because they can change behaviour during execution, which makes static access decisions incomplete.
Q: What breaks when AI agent access reviews are treated like standard entitlement reviews?
A: What breaks is the timing model.
Practitioner guidance
- Inventory every deployed AI agent Map agents across SaaS, cloud and endpoint environments, then tie each one to the identity, token or service path it uses.
- Separate automation from autonomy Classify agents by whether they follow fixed workflows or make runtime decisions without human approval.
- Enforce behavioural guardrails at runtime Block risky tool invocations, unexpected data access and policy violations while the agent is operating.
What's in the full announcement
Zenity's full post covers the operational detail this post intentionally leaves for the source:
- How the platform discovers AI agents across SaaS, cloud and endpoint environments
- How policy enforcement is applied when agent behaviour creates risk or violates policy
- Which public sector contract vehicles are used to make the capability available
- How the vendor frames alignment with NIST and OWASP Agentic Security guidance
👉 Read Zenity's analysis of AI agent security and governance for public sector agencies →
AI agent governance in government agencies: what changes now?
Explore further
22/06/2026 10:43 am
Identity governance now has to classify autonomous behaviour, not just credential type. The article points to a governance shift that many programmes have not yet made: an AI agent is not simply another workload account. Once an identity can choose actions at runtime, the control question changes from "who gets access?" to "what can this actor decide to do with that access?" That is where NHI governance, policy enforcement and agent oversight begin to converge. Practitioners should treat autonomy as a separate governance dimension, not a branding label.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and a further 47% having only partial visibility, according to The State of Non-Human Identity Security.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when an AI agent violates policy in a public sector environment?
A: Accountability should rest with the team that owns the agent’s identity lifecycle, policy scope and runtime controls, not with the agent itself. In practice, that usually means shared ownership across identity, security and the business function deploying the agent. If ownership is unclear, policy enforcement will be too slow to matter.
👉 Read our full editorial: AI agent governance reaches the public sector through Carahsoft
