Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent governance in Josys: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Most IT teams cannot see which AI agents are running, who owns them, or what they can access, according to Josys, which adds centralized discovery, policy enforcement, credential monitoring, and role-scoped admin controls to close those gaps. The deeper issue is that identity governance now has to cover software actors that move faster than manual review cycles.

NHIMG editorial — what this means for AI and NHI governance

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that access business data?

A: They should govern AI agents like any other non-human identity: assign ownership, define the approved data scope, enforce policy before access is granted, and keep a verifiable record of each decision.

Q: Why do AI agents create new identity governance risks?

A: AI agents create risk because they can be deployed faster than review cycles can validate ownership, access scope, and business justification.

Q: What breaks when delegated admin access is not scope-limited?

A: Delegated administration turns into hidden privilege creep when business admins can manage resources outside their intended boundary.

Practitioner guidance

  • Inventory every AI agent before granting production access Create a governed registry that captures agent owner, intended purpose, data scope, and approval status.
  • Bind delegated admin rights to resource attributes Use backend ABAC conditions to restrict admin actions to assigned applications, departments, or business units.
  • Require policy-backed remediation for every agent violation Route policy breaches into a documented workflow that records the detected condition, the action taken, and the accountable owner.

What's in the full announcement

Josys' full newsletter covers the operational detail this post intentionally leaves for the source:

  • The specific workflow behind AI agent discovery, classification, and owner assignment across the environment
  • Policy templates and remediation triggers for governance violations, including how automated actions are documented
  • The access review and audit logging details for devices, logins, and OpenAPI events that support investigations
  • The delegation model for app admins and department owners, including how role and attribute checks are enforced

👉 Read Josys' June 2026 newsletter on AI agent governance and access controls →

AI agent governance in Josys: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

AI agent governance should be treated as identity governance, not feature management. The moment an organisation asks who owns an agent, what it can access, and whether it is approved, it is already doing IAM. The field mistake is to treat agent oversight as a product-specific console problem instead of an access governance problem that spans discovery, ownership, entitlement scope, and review evidence. Practitioners should stop drawing a line between AI operations and identity operations.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when an AI agent exceeds its approved access?

A: Accountability should sit with the named owner of the agent and the team that approved its access scope. If no owner can be identified, that itself is the governance failure. Organisations should require evidence showing who approved the agent, what it was allowed to access, and which policy condition triggered any remediation.

👉 Read our full editorial: Josys reframes AI agent governance as an access control problem



   
ReplyQuote
Share: