TL;DR: AI agent governance is moving from theory to operational control, with only 14.4% of agents going live with full security approval and 88% of enterprises already reporting agent-related incidents, according to SecureAuth citing Gravitee's State of AI Agent Security 2026 Report. The real issue is not visibility alone but whether identity, behavior, and delegated access can be assessed before agents enter production.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- Only 14.4% of AI agents go live with full security approval.
- 88% of enterprises have already experienced AI agent-related security incidents.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope.
Questions worth separating out
Q: How should security teams evaluate AI agent trust before production use?
A: Security teams should evaluate AI agent trust by combining identity posture, intended access, delegation paths, and governance metadata in one approval decision.
Q: Why do AI agents create more governance risk than standard automation?
A: AI agents create more governance risk because they can make runtime decisions, choose tools, and vary execution paths based on context rather than fixed scripts.
Q: How do organisations reduce prompt injection risk in agentic systems?
A: Organisations reduce prompt injection risk by separating untrusted content from trusted instructions and preventing agents from acting until content provenance has been checked.
Practitioner guidance
- Define an agent approval gate: Require a documented approval gate for every AI agent before production use, with identity posture, delegated scopes, and intended system access recorded in one review package.
- Separate content retrieval from execution: Block agents from acting on retrieved content until untrusted inputs have been classified and isolated from policy-bearing instructions.
- Map delegated action chains: Trace each API call and downstream hop an agent can make, then identify where policy checks must occur before the next step.
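The approval gate and delegated-chain mapping from the guidance above, as an added example that is not code from SecureAuth or from the original post. The review-package field names, the finding labels and the sample agent are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ReviewPackage:
    """One agent's review record. Field names are assumptions for this example."""
    agent_id: str
    identity_verified: bool      # identity posture check passed
    delegated_scopes: set        # scopes granted to the agent
    intended_systems: set        # systems the owner declared the agent may reach
    hops: dict = field(default_factory=dict)  # caller -> [(callee, scope, policy_checked)]

def trace_chains(pkg):
    """Walk every downstream hop reachable from the agent and flag gaps."""
    findings, seen = [], set()
    stack = [(pkg.agent_id, [pkg.agent_id])]
    while stack:
        node, path = stack.pop()
        for callee, scope, checked in pkg.hops.get(node, []):
            edge = (node, callee, scope)
            if edge in seen:     # delegation cycle or repeated edge: report once
                continue
            seen.add(edge)
            chain = path + [callee]
            if scope not in pkg.delegated_scopes:
                findings.append(("scope_not_delegated", chain, scope))
            if callee not in pkg.intended_systems:
                findings.append(("undeclared_system", chain, scope))
            if not checked:
                findings.append(("no_policy_check", chain, scope))
            stack.append((callee, chain))
    return findings

def approval_gate(pkg):
    """Return ('approve' | 'deny', findings); any finding blocks production use."""
    findings = trace_chains(pkg)
    if not pkg.identity_verified:
        findings.insert(0, ("identity_unverified", [pkg.agent_id], None))
    return ("deny" if findings else "approve"), findings

# Constructed sample: the declared ERP hop fans out to an undeclared payments API.
SAMPLE = ReviewPackage(
    agent_id="invoice-agent", identity_verified=True,
    delegated_scopes={"erp:read"}, intended_systems={"erp-api"},
    hops={"invoice-agent": [("erp-api", "erp:read", True)],
          "erp-api": [("payments-api", "payments:write", False)],
          "payments-api": [("erp-api", "erp:read", True)]})  # cycle back to ERP

if __name__ == "__main__":
    print(approval_gate(SAMPLE))
```

Each finding carries the full chain from the agent to the offending hop, so the reviewer can see where a policy check has to be inserted before the next step.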
What's in the full announcement
SecureAuth's full research covers the operational detail this post intentionally leaves for the source:
- The public registry fields used to score identity posture and governance metadata for each agent.
- The product's method for discovering shadow agents across macOS, Windows, cloud, and SaaS without code changes.
- The per-action enforcement model across API calls and delegation chains that this post only abstracts.
- The compliance mappings SecureAuth cites for EU AI Act, SEC guidance, and financial standards.
AI agent trust registries: what IAM teams need to evaluate?
Explore further
Identity trust for AI agents is becoming an approval problem, not just an inventory problem. A registry is useful only if it changes how agents are admitted, reviewed, and constrained before first use. Without that, organisations merely catalogue risk instead of governing it. The practitioner conclusion is that agent identity must be treated as a controllable access decision, not a descriptive record.
A few things that frame the scale:
- 92% agree that governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope.
A question worth separating out:
Q: Who should own AI agent governance when identity and access are shared across teams?
A: AI agent governance should sit with identity, security, and platform owners together, because no single team sees the full risk surface. IAM owns the control model, security owns containment and monitoring, and platform teams own the runtime integration. Shared ownership matters because agent risk spans identity, policy, and downstream execution.