TL;DR: AI agents are already over-privileged and often unaudited, with SecureAuth citing 91% over-privilege and 78% lacking audit trails as it frames real-time authorization as the missing control layer. The core issue is that access review models assume privilege is stable long enough to inspect, but autonomous behaviour changes after login.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
Questions worth separating out
Q: How should security teams govern AI agents that can act on their own?
A: Security teams should govern AI agents with runtime authorization, not login-only controls.
Q: Why do AI agents create more identity risk than ordinary automation?
A: AI agents can choose actions, tools, and timing at runtime, which means their behaviour is not fully predictable at provisioning time.
Q: What breaks when AI agents keep standing privileges?
A: Standing privileges give agents a persistent path to downstream systems even after the original task context has changed.
Practitioner guidance
- Separate authentication from authorization for agents: Require a runtime policy decision for every high-risk agent action, including API calls, data writes, refunds, and external transactions.
- Eliminate standing agent credentials: Issue short-lived, task-scoped access and downscope permissions as soon as the action is complete.
- Bind each agent to an accountable owner and purpose: Record the human sponsor, business purpose, and permitted action set before deployment, then keep that record linked to the agent's runtime decisions and logs.
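The three guidance points above, shown together as a per-action decision point. This is an added example, not code from SecureAuth or NHIMG. The class names, registry shape, and decision strings are assumptions, and the hash-chained log is tamper-evident rather than tamperproof.

```python
import hashlib, json, time
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentRecord:               # hypothetical registry entry, recorded before deployment
    owner: str                   # accountable human sponsor
    purpose: str                 # business purpose
    permitted: frozenset         # permitted action set

class DecisionPoint:
    def __init__(self, registry):
        self.registry = registry     # agent_id -> AgentRecord
        self.grants = {}             # (agent_id, task_id) -> (actions, expires_at)
        self.audit = []              # hash-chained decision log

    def issue(self, agent_id, task_id, actions, ttl=60.0, now=None):
        """Issue a short-lived, task-scoped grant clipped to the recorded action set."""
        now = time.time() if now is None else now
        scoped = frozenset(actions) & self.registry[agent_id].permitted
        self.grants[(agent_id, task_id)] = (scoped, now + ttl)
        return scoped

    def complete(self, agent_id, task_id):   # downscope to nothing once the task is done
        self.grants.pop((agent_id, task_id), None)

    def authorize(self, agent_id, task_id, action, now=None):
        """Decide a single action at runtime and log it with owner and purpose."""
        now = time.time() if now is None else now
        rec = self.registry.get(agent_id)
        actions, expires_at = self.grants.get((agent_id, task_id), (None, 0.0))
        checks = [(rec is None, "unknown_agent"), (actions is None, "no_grant"),
                  (now >= expires_at, "grant_expired"), (action not in (actions or ()), "out_of_scope")]
        reason = next((r for failed, r in checks if failed), "ok")   # first failing check wins
        entry = {"ts": now, "agent": agent_id, "task": task_id, "action": action,
                 "owner": rec.owner if rec else None, "purpose": rec.purpose if rec else None,
                 "decision": reason, "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        return reason == "ok"

def chain_intact(audit):         # recompute every hash and check each link to its predecessor
    prev = "0" * 64
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != digest:
            return False
        prev = e["hash"]
    return True
```

The same session token that authenticated the agent never appears in `authorize`: the decision depends only on the current grant, its expiry, and the recorded action set.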
What's in the full announcement
SecureAuth's full product announcement covers the operational detail this post intentionally leaves for the source:
- The runtime authorization flow for agent actions across identity, policy, and risk inputs.
- The federation and vault handling model for OAuth 2.0, OIDC, mTLS, and downstream secrets.
- The agent detection and response behaviour for drift, anomaly, downscope, revoke, and deny actions.
- The tamperproof audit and compliance export workflow for SIEM and regulator use.
👉 Read SecureAuth's announcement on real-time AI agent identity governance →
AI agent identity governance is shifting to runtime control?
Explore further
Continuous authorization is now the real identity control plane for AI agents. Authentication tells you who entered, but it does not govern what an agent does after entry. When an identity can call APIs, choose tools, and execute transactions without supervision, the control point moves to each action rather than the login event. Practitioners should treat runtime authorization as the governing layer for agent identity.
A few things that frame the scale:
- 91% of AI agents are over-privileged, according to the Ultimate Guide to NHIs.
- A separate finding from the same research shows that only 5.7% of organisations have full visibility into their service accounts.
A question worth separating out:
Q: Who is accountable when an AI agent takes the wrong action?
A: Accountability should rest with the organisation that granted the agent its authority and defined its operating purpose. Teams need an owner, an approved action scope, and immutable logs so they can explain what happened, why it happened, and whether the action stayed within policy.
👉 Read our full editorial: AI agent identity governance moves from login to runtime control