AI command centers for agentic AI governance: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Agentic AI is moving into production faster than governance policies can keep up, with 91% of tech decision makers saying their organisations are already developing or rolling it out and only 48% having the policies to oversee it, according to Collibra/Harris Poll. The core issue is accountability, because agents can act across workflows before ownership, traceability, and intervention are defined.

NHIMG editorial — what this means for AI and NHI governance

Questions worth separating out

Q: How should security teams govern agentic AI systems in production?

A: Security teams should govern agentic AI systems as live identities with owners, policy boundaries, and reviewable actions.

Q: Why do agentic AI systems create accountability gaps?

A: Agentic AI creates accountability gaps because actions are taken by software that can initiate decisions across workflows without a human present at every step.

Q: What breaks when organisations deploy AI agents without lifecycle governance?

A: What breaks is not only access control but the assumption that deployment is a one-time event.

Practitioner guidance

  • Define agent ownership before production rollout: Assign a named business owner, technical owner, and governance owner to every deployed agent so accountability exists before the agent can act in live workflows.
  • Gate agent promotion through execution-level testing: Require tests that validate tool use, data access, and policy adherence inside CI/CD pipelines before an agent is allowed into production.
  • Treat context exposure as a privileged entitlement: Classify metadata, business context, and retrieval sources as governed access paths, then restrict them to the minimum scope each agent needs.

What's in the full announcement

Collibra's full article covers the operational detail this post intentionally leaves for the source:

  • How the AI Command Center maps ownership, behaviour, and risk across the full AI lifecycle
  • The private preview feedback from more than 40 enterprises and what it suggests about implementation demand
  • Details of the Giskard partnership and how execution-level validation fits into delivery pipelines
  • The AI UC-1 assessment templates and how they support repeatable compliance evaluation

👉 Read Collibra's article on the AI Command Center and agentic AI governance →
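
An added example, not part of the original post and not Collibra's or Giskard's code: one way the three practitioner-guidance items above could be enforced as a CI promotion gate. The manifest fields, the test-trace format, and the agent name are assumptions constructed for illustration.

```python
# Added illustration: manifest fields and trace format are assumptions,
# not a Collibra or Giskard schema.
REQUIRED_OWNER_ROLES = ("business", "technical", "governance")

def promotion_gate(manifest, trace):
    """Return violations; an empty list means the agent may be promoted."""
    violations = []
    # 1. Ownership: every role needs a named owner before rollout.
    owners = manifest.get("owners", {})
    for role in REQUIRED_OWNER_ROLES:
        if not str(owners.get(role) or "").strip():
            violations.append(f"owner:{role}:missing")
    # 2. Collect what the agent actually touched during the test run.
    declared = {"tool": set(manifest.get("allowed_tools", [])),
                "context": set(manifest.get("allowed_context", []))}
    used = {"tool": set(), "context": set()}
    for event in trace:
        kind = event.get("kind")
        if kind not in used or not event.get("name"):
            violations.append(f"trace:malformed:{event!r}")
            continue
        used[kind].add(event["name"])
    for kind in ("tool", "context"):
        # Use outside the declared entitlement fails the gate.
        for name in sorted(used[kind] - declared[kind]):
            violations.append(f"{kind}:out-of-scope:{name}")
        # Entitlements the tests never exercised: trim the scope or add a test.
        for name in sorted(declared[kind] - used[kind]):
            violations.append(f"{kind}:unexercised:{name}")
    return violations

# Constructed sample input (hypothetical agent and entitlement names).
MANIFEST = {
    "agent": "invoice-triage",
    "owners": {"business": "A. Rivera", "technical": "J. Chen", "governance": ""},
    "allowed_tools": ["read_invoice", "create_ticket"],
    "allowed_context": ["finance.glossary", "finance.vendor_metadata"],
}
TRACE = [
    {"kind": "tool", "name": "read_invoice"},
    {"kind": "tool", "name": "send_email"},
    {"kind": "context", "name": "finance.glossary"},
]

if __name__ == "__main__":
    problems = promotion_gate(MANIFEST, TRACE)
    print("\n".join(problems) or "PASS")
    raise SystemExit(1 if problems else 0)
```

Run as a pipeline step, the non-zero exit blocks promotion; the `unexercised` findings are what keep declared scope from drifting wider than what the tests show the agent needs.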

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Agentic AI governance is now an identity problem, not just a model-risk problem. Once software can initiate actions across workflows, the control question shifts to who owns the agent, what it can touch, and how its decisions are traced. Data governance alone cannot close that gap because the behaviour is execution-time, not only design-time. Practitioners need to treat agent identity and lifecycle as part of the governance model.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Another finding in the same research shows that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How can organisations tell whether agent governance is working?

A: Organisations can tell agent governance is working when they can answer three questions quickly: who owns the agent, what it accessed, and which actions were approved or blocked. If those answers require manual reconstruction after an incident, the governance model is not operational enough for production AI.

👉 Read our full editorial: AI command centers expose the governance gap in agentic AI
