TL;DR: Most organisations still cannot answer who their AI agents are, who owns them, what they can access, or whether that access is appropriate, highlighting a governance gap as agents take on more autonomous work, according to Omada Identity. The real issue is that access models built for people do not hold when digital actors can connect, act, and decide at machine speed.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern AI agents that access cloud systems and data?
A: Start by treating each agent as a governed identity with an owner, a business purpose, and a bounded permission set.
Q: What breaks when AI agent access is managed like a normal service account?
A: The control model breaks when teams assume the agent will behave predictably, stay within a fixed access pattern, and remain easy to review later.
Q: How do teams know whether AI agent permissions are too broad?
A: Measure whether the permissions assigned to the agent match what it actually uses in production.
Practitioner guidance
- Inventory every AI agent identity across cloud platforms. Create a single register that records owner, purpose, connected systems, and current permissions for each agent.
- Re-baseline privileges against actual agent usage. Compare the permissions assigned to each agent with the systems it actually touches in production.
- Extend recertification to software actors. Treat agent access reviews as a lifecycle control, not a technical checkbox.
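The three steps above (inventory, re-baseline, recertify) reduce to one mechanical check: diff what each agent was granted against what it actually invoked. The script below is an added example written for this post, not code from Omada Identity or NHIMG. The agent register, the action names, and the JSON audit-log shape (`principal`, `action`, `ts` fields) are constructed assumptions standing in for a real IGA export and a real cloud audit trail.

```python
"""Re-baseline AI agent permissions against observed usage (added example).

Inputs are constructed: a register of agents with owner, purpose and granted
actions, and audit log lines in an assumed one-JSON-object-per-line shape.
Output: per-agent unused grants, actions used without a grant, orphan flag,
plus any principal seen in the logs that the register does not know about.
"""
import json
from collections import defaultdict

# Constructed agent register (hypothetical agents and grants).
AGENT_REGISTER = {
    "agent-ticket-triage": {
        "owner": "support-platform-team",
        "purpose": "Classify inbound support tickets",
        "granted": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "dynamodb:GetItem", "dynamodb:Scan", "iam:PassRole"},
    },
    "agent-release-notes": {
        "owner": "",  # no owner recorded: orphan candidate
        "purpose": "Draft release notes from merged pull requests",
        "granted": {"s3:GetObject", "secretsmanager:GetSecretValue"},
    },
}

# Constructed audit log lines (hypothetical); field names are assumptions.
AUDIT_LOG = """
{"principal": "agent-ticket-triage", "action": "s3:GetObject", "ts": "2024-05-01T10:00:00Z"}
{"principal": "agent-ticket-triage", "action": "dynamodb:GetItem", "ts": "2024-05-01T10:00:02Z"}
{"principal": "agent-ticket-triage", "action": "s3:GetObject", "ts": "2024-05-02T08:12:00Z"}
{"principal": "agent-ticket-triage", "action": "sts:AssumeRole", "ts": "2024-05-02T08:12:05Z"}
{"principal": "agent-release-notes", "action": "s3:GetObject", "ts": "2024-05-03T09:00:00Z"}
{"principal": "unknown-agent-42", "action": "s3:PutObject", "ts": "2024-05-03T09:30:00Z"}
""".strip()


def observed_actions(log_text):
    """Map each principal seen in the log to the set of actions it invoked."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        used[event["principal"]].add(event["action"])
    return used


def rebaseline(register, log_text):
    """Diff granted permissions against observed usage for every registered agent.

    Returns (report, unregistered): report is keyed by agent id; unregistered
    lists principals that appear in the log but not in the register, which
    means the inventory step is incomplete.
    """
    used = observed_actions(log_text)
    report = {}
    for agent, rec in register.items():
        granted = set(rec["granted"])
        seen = used.get(agent, set())
        unused = granted - seen
        report[agent] = {
            "owner_missing": not rec.get("owner"),
            "unused": sorted(unused),
            # Actions invoked with no matching grant: either the register is
            # stale or the agent is acting through a path nobody modelled.
            "used_but_not_granted": sorted(seen - granted),
            "excess_ratio": round(len(unused) / len(granted), 2) if granted else 0.0,
        }
    unregistered = sorted(set(used) - set(register))
    return report, unregistered


def recertification_queue(report):
    """Order agents for review: orphans first, then by share of unused grants."""
    return sorted(report, key=lambda a: (not report[a]["owner_missing"],
                                         -report[a]["excess_ratio"]))


if __name__ == "__main__":
    rep, unknown = rebaseline(AGENT_REGISTER, AUDIT_LOG)
    for agent in recertification_queue(rep):
        print(agent, json.dumps(rep[agent], indent=2))
    print("unregistered principals:", unknown)
```

Two findings in the constructed data are the ones worth acting on, not just the raw count of unused grants: `sts:AssumeRole` shows up as used but not granted in the register, which is the kind of access-pattern drift the Q&A above warns about, and `unknown-agent-42` proves the inventory is incomplete before any recertification has started.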
What's in the full announcement
Omada Identity's full article covers the operational detail this post intentionally leaves for the source:
- How Omada positions agent governance across existing IGA and IAM investments in practice
- The specific governance capabilities the vendor says support ownership assignment, visibility, and access-risk reduction
- The framework alignment details named in the announcement, including how Omada links the topic to EU AI Act and NIST AI RMF
- The vendor's explanation of how audit readiness and evidence consistency are expected to work in deployed environments
👉 Read Omada Identity's announcement on Omada Agent Governance →
AI agent governance: what does it mean for IAM teams now?
Explore further
Agent governance is becoming the new control plane for non-human identity. Omada’s framing reflects a broader shift: enterprises are no longer just inventorying machine identities, they are being forced to govern digital actors that can act with more discretion than traditional workloads. That pushes identity teams beyond secrets and access lists into ownership, lifecycle, and decision accountability. The practitioner implication is that agent governance will sit alongside, not inside, conventional IAM.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should be accountable for AI agent identity risk?
A: Accountability should sit with the business or product owner that introduced the agent, with IAM or security providing control enforcement and review. If ownership is vague, the agent will drift into orphan status even if the technical controls look complete. Clear accountability is what makes lifecycle governance work.
👉 Read our full editorial: AI agent governance exposes the identity control gap in enterprise IAM