TL;DR: Government agencies are deploying AI agents into sensitive workflows faster than they can track where those agents live, what they can touch, or how they behave, creating a governance gap across SaaS, cloud, and endpoints according to Zenity. That gap matters because model-centric controls do not govern autonomous actions, access, or policy enforcement once agents are operational.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should government agencies govern AI agents that can act inside enterprise systems?
A: Govern AI agents as active identities, not as passive AI features.
Q: Why do AI agents complicate existing IAM and NHI controls?
A: AI agents complicate IAM and NHI controls because they combine identity, access, and behaviour in one runtime actor.
Q: What do security teams get wrong about AI agent governance?
A: Teams often mistake policy approval for operational control.
Practitioner guidance
- Inventory AI agents as governed identities Create a central register of deployed agents across SaaS, cloud environments, and endpoints, then map each one to a business owner, data access scope, and approval record.
- Map agent entitlements to real access paths Trace which systems, datasets, and tools each agent can reach, including delegated permissions inherited through connected applications and service identities.
- Add runtime controls for unsafe behaviour Set policy thresholds that trigger containment when an agent attempts unexpected data access, unapproved tool use, or out-of-policy workflow execution.
What's in the full announcement
Zenity's full article covers the operational detail this post intentionally leaves for the source:
- The public sector distribution model through Carahsoft and how it changes procurement access for agencies
- The specific AI agent security and governance capabilities Zenity says its platform provides across SaaS, cloud environments, and endpoints
- The implementation context around NIST AI Risk Management Framework and OWASP Agentic Security Initiative alignment
- The partnership framing for agencies that need to move from policy intent to operational control
👉 Read Zenity's announcement on public sector AI agent security →
AI agent security in public sector environments: what teams miss?
Explore further
AI agent security in government is an identity governance problem before it is an AI problem. The article is right to focus on visibility, access, and control because those are identity questions, not model questions. Once an agent can act inside SaaS, cloud, or endpoint environments, the practical issue becomes whether the organisation can govern that execution path with the same discipline it applies to other non-human identities. Practitioners should treat agent governance as part of the broader identity security stack.
A few things that frame the scale:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- The average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations express strong confidence in their secrets management capabilities.
A question worth separating out:
Q: Who is accountable when an AI agent violates policy in a government environment?
A: Accountability should sit with the business owner and the control owner, not with the agent itself. Government teams need named ownership for deployment approval, access scope, monitoring, and offboarding. That structure matters because runtime behaviour can create mission impact even when no human is directly driving each action.
👉 Read our full editorial: AI agent security governance gaps in government agencies