TL;DR: According to Lumos, AI-driven identity operations are shifting from quarterly human certification to continuous agent-led decisions, and the article argues that attackers increasingly target legitimate identities rather than traditional perimeter controls. The governance problem is no longer review volume alone, but whether IAM can keep pace with machine-speed access change.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern AI agent access alongside service accounts?
A: They should treat AI agents as part of the same non-human identity estate as service accounts and API keys, then assign owners, scopes, and review triggers for each.
Q: Why do quarterly access reviews fail for AI agents and NHIs?
A: Quarterly reviews fail because they assume access stays stable long enough for a human to inspect it.
Q: What should organisations measure instead of review completion rates?
A: They should measure unowned access, standing privilege, and the time between entitlement change and governance action.
Practitioner guidance
- Map all machine identities to real owners: build a live inventory that ties every service account, API key, and AI agent credential to an accountable owner, business purpose, and approval path.
- Replace quarterly certification with event-driven review triggers: trigger access review when entitlements change, when ownership changes, or when an AI agent's scope expands.
- Set policy boundaries before delegating routine decisions: define which identity decisions agents may execute automatically, which require escalation, and which must remain human-only.
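As an added example (not Lumos's or NHIMG's code), the following Python sketch implements the event-driven review triggers from the guidance above and the three measures from the earlier Q&A (unowned access, standing privilege, change-to-action lag) over a constructed inventory; the NHI fields, trigger names and sample identities are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class NHI:
    """One non-human identity in the inventory (field layout is an assumption)."""
    name: str
    kind: str                        # "service_account", "api_key" or "ai_agent"
    owner: Optional[str]             # None means unowned access
    scopes: FrozenSet[str]           # entitlements currently granted
    standing: bool                   # standing (always-on) privilege
    changed_at: datetime             # last entitlement or ownership change
    reviewed_at: Optional[datetime]  # last governance action, if any

def review_triggers(before: NHI, after: NHI) -> List[str]:
    """Event-driven triggers: entitlement change, ownership change, agent scope expansion."""
    fired = []
    if before.owner != after.owner:
        fired.append("ownership_changed")
    if before.scopes != after.scopes:
        fired.append("entitlements_changed")
    if after.kind == "ai_agent" and after.scopes > before.scopes:  # strict superset
        fired.append("agent_scope_expanded")
    return fired

def governance_metrics(inventory: List[NHI], now: datetime) -> Dict[str, object]:
    """Unowned access, standing privilege, and lag between change and governance action."""
    unowned = [n.name for n in inventory if n.owner is None]
    standing = [n.name for n in inventory if n.standing]
    lag: Dict[str, timedelta] = {}
    for n in inventory:
        if n.reviewed_at is not None and n.reviewed_at >= n.changed_at:
            lag[n.name] = n.reviewed_at - n.changed_at  # change was acted on
        else:
            lag[n.name] = now - n.changed_at            # still awaiting action
    return {"unowned": unowned, "standing": standing, "lag": lag}

# Constructed sample: an AI agent whose scope just expanded, plus an unowned legacy account.
T0 = datetime(2025, 1, 1)
OLD = NHI("deploy-bot", "ai_agent", "platform-team", frozenset({"repo:read"}), False, T0, T0)
NEW = NHI("deploy-bot", "ai_agent", "platform-team", frozenset({"repo:read", "prod:deploy"}),
          True, T0 + timedelta(hours=2), T0)
INVENTORY = [NEW, NHI("legacy-etl", "service_account", None, frozenset({"db:read"}), True,
                      T0 - timedelta(days=120), None)]

if __name__ == "__main__":
    print(review_triggers(OLD, NEW))  # ['entitlements_changed', 'agent_scope_expanded']
    print(governance_metrics(INVENTORY, T0 + timedelta(days=1)))
```

The lag for an identity whose last review predates its latest change keeps growing until a governance action lands, which is the "time between entitlement change and governance action" the Q&A asks teams to measure.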
What's in the full announcement
Lumos's full blog post covers the operational detail this post intentionally leaves for the source:
- How the Identity Agent Force is structured across multiple specialised agents
- The data layer and context layer design behind automated access decisions
- Examples of the Access Review Agent and Privilege Threat Hunter in operation
- Claims about customer outcomes, including review speed and standing-access reduction
👉 Read Lumos's analysis of agentic identity governance and machine-speed access →
AI agent identity governance: are manual access reviews enough?
Explore further
AI agent governance exposes the limits of review-based identity control. Quarterly certification was designed for identities whose access state changes slowly enough to be observed, challenged, and approved by a person. That assumption fails when agents operate at machine speed and mutate access state continuously. The implication is that identity governance can no longer rely on periodic human inspection as the primary control.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable when an AI agent makes an access decision that creates risk?
A: Accountability stays with the organisation that defined the policy, delegated the authority, and failed to set the boundaries. The agent executes the decision, but leadership owns the governance model that allowed it. That means policy authorship, escalation rules, and revocation paths must be explicit before automation is expanded.
👉 Read our full editorial: AI agent identity governance is moving from manual review to fleets