Notifications
Clear all
Topic starter
24/06/2026 6:56 pm
TL;DR: Palo Alto Networks is integrating Portkey’s AI Gateway into Prisma AIRS to unify control of autonomous AI agents, with the acquisition framed around secure governance and operationalisation of agentic systems. The real issue is that autonomous behaviour stretches identity and policy assumptions beyond what static IAM and point controls can reliably contain.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern autonomous AI agents in enterprise environments?
A: Security teams should govern autonomous AI agents as runtime identities, not as simple applications.
Q: Why do autonomous agents complicate least privilege and access review models?
A: Autonomous agents complicate least privilege because their intent is not fixed at provisioning time.
Q: What breaks when AI agent permissions are managed like ordinary service accounts?
A: What breaks is the assumption that access patterns are stable and human-readable in advance.
Practitioner guidance
- Map agent governance to the identity control plane Identify where AI agents are created, what tools they can call, which data they can reach, and where policy is actually enforced during runtime.
- Bound agent privileges to task scope Replace broad agent entitlements with narrow, task-scoped permissions that expire with the work unit.
- Require full action-level audit trails Log prompt context, tool selection, data access, and downstream effects in a way that supports incident reconstruction.
What's in the full announcement
Protect AI's full blog covers the operational detail this post intentionally leaves for the source:
- The acquisition context and how Prisma AIRS and Portkey are being positioned together for product integration.
- The vendor's description of the unified AI gateway control plane and its intended operational scope.
- The specific product language around securing and operationalising autonomous AI agents at scale.
- The surrounding platform context that practitioners may want before evaluating deployment fit.
👉 Read Protect AI's analysis of unified AI gateway governance for autonomous agents →
AI gateway consolidation for agent governance: what changes now?
Explore further
25/06/2026 3:58 am
AI gateway governance is becoming the control layer where agent identity and policy collide. The acquisition shows that runtime mediation is now being treated as a security primitive, not a convenience feature. That matters because autonomous agents do not fit neatly into static IAM or pure application security controls. The practitioner implication is that agent governance has to sit at the point where action is decided and executed, not only where access is initially granted.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 17% incident rates were reported for least-privileged AI access, compared with 76% for over-privileged systems in the same survey.
A question worth separating out:
Q: Who should own accountability for AI agent governance and policy enforcement?
A: Accountability should sit with the teams that can see both identity intent and operational execution, usually IAM, PAM, and cloud security functions working together. If ownership is split too loosely, no one can answer for tool access, policy exceptions, or incident reconstruction. Clear governance is as important as technical enforcement.
👉 Read our full editorial: Palo Alto Networks acquires Portkey for AI agent governance
