AI security is becoming an identity governance problem because agents are now active data users, not passive data consumers. Once an autonomous system can retrieve, transform, and pass along sensitive information, the decisive control is identity scope. That shifts the centre of gravity from storage-centric protection to permission-centric governance. Practitioners should plan for access decisions to follow the agent, not the repository.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly agent and integration sprawl can outrun governance.
A question worth separating out:
Q: How can organisations tell whether NHI governance for agents is working?
A: Organisations should look for lower credential lifetime, fewer over-privileged agent accounts, and better traceability from agent action to data access. If teams cannot answer who or what accessed sensitive data through an autonomous workflow, governance is not yet working.
👉 Read our full editorial: Cyera board move highlights the governance shift in AI security