
AI security governance for agents and data access: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: Cyera appointed Stripe CFO Steffan Tomlinson to its board as it frames AI security around constant data risk, autonomous agents, and real-time access decisions, according to Cyera. The governance challenge is shifting from data location alone to data use, access, and changing risk boundaries as machine actors proliferate.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams govern AI agents that can access sensitive data?

A: Security teams should govern AI agents as non-human identities with narrowly scoped permissions, short credential lifetimes, and continuous policy checks.

Q: Why do autonomous agents complicate data security controls?

A: Autonomous agents complicate data security because they can combine discovery, retrieval, and action in one workflow.

Q: What do teams get wrong about AI security and access management?

A: Teams often treat AI security as a data classification problem alone.

Practitioner guidance

  • Map agent identities to data access paths: Inventory which autonomous systems, service accounts, and API tokens can reach sensitive datasets, then document the tools and workflows each identity can invoke.
  • Reduce standing privilege for AI workloads: Replace persistent credentials with task-scoped access where possible, and define automatic expiry for agent sessions that touch sensitive data.
  • Tie data governance to identity telemetry: Correlate data access logs with NHI activity, secret use, and workflow execution so teams can see what an agent did, not just what data it could reach.

The organisations that get ahead will unify entitlement review, secret visibility, and workflow telemetry before agent adoption scales further.

👉 Read Cyera's board announcement on AI security governance →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 198
 

AI security is becoming an identity governance problem because agents are now active data users, not passive data consumers. Once an autonomous system can retrieve, transform, and pass along sensitive information, the decisive control is identity scope. That shifts the centre of gravity from storage-centric protection to permission-centric governance. Practitioners should plan for access decisions to follow the agent, not the repository.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly agent and integration sprawl can outrun governance.

A question worth separating out:

Q: How can organisations tell whether NHI governance for agents is working?

A: Organisations should look for lower credential lifetime, fewer over-privileged agent accounts, and better traceability from agent action to data access. If teams cannot answer who or what accessed sensitive data through an autonomous workflow, governance is not yet working.

👉 Read our full editorial: Cyera board move highlights the governance shift in AI security



   
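An added example, not part of either post above and not Cyera's or NHIMG's tooling: one way to check the indicators named in the thread (credential lifetime, over-privileged agent accounts, traceability from agent action to data access) by joining an NHI inventory with data access logs. The inventory fields, log layout, identity names and the 8-hour lifetime threshold are assumptions, and all sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed NHI inventory: credential window and granted datasets per identity.
INVENTORY = {
    "agent-billing": {"issued": "2025-01-01T00:00", "expires": "2025-01-01T01:00",
                      "granted": {"invoices"}},
    "agent-support": {"issued": "2025-01-01T00:00", "expires": "2025-04-01T00:00",
                      "granted": {"tickets", "customers", "payroll"}},
}
# Constructed data access log: (timestamp, identity, workflow id, dataset).
ACCESS_LOG = [
    ("2025-01-01T00:10", "agent-billing", "wf-101", "invoices"),
    ("2025-01-01T00:20", "agent-support", "wf-202", "tickets"),
    ("2025-01-01T00:30", "agent-support", None, "customers"),
    ("2025-01-01T00:40", "svc-unknown", "wf-303", "payroll"),
    ("2025-01-01T02:00", "agent-billing", "wf-104", "invoices"),
]
MAX_LIFETIME = timedelta(hours=8)  # assumed policy threshold


def review(inventory, log, max_lifetime=MAX_LIFETIME):
    """Join inventory and access log; return governance findings by category."""
    parse = datetime.fromisoformat
    out = {"uninventoried": [], "untraceable": [], "expired_use": [],
           "long_lived": [], "unused_grants": {}}
    used = {}
    for ts, ident, workflow, dataset in log:
        entry = inventory.get(ident)
        if entry is None:  # identity touching data that nobody has inventoried
            out["uninventoried"].append((ts, ident, dataset))
            continue
        used.setdefault(ident, set()).add(dataset)
        if workflow is None:  # access cannot be traced to a workflow run
            out["untraceable"].append((ts, ident, dataset))
        if parse(ts) > parse(entry["expires"]):  # credential used after expiry
            out["expired_use"].append((ts, ident, dataset))
    for ident, entry in inventory.items():
        if parse(entry["expires"]) - parse(entry["issued"]) > max_lifetime:
            out["long_lived"].append(ident)  # standing rather than task-scoped
        unused = entry["granted"] - used.get(ident, set())
        if unused:  # granted but never exercised: candidate for removal
            out["unused_grants"][ident] = sorted(unused)
    return out


if __name__ == "__main__":
    for category, items in review(INVENTORY, ACCESS_LOG).items():
        print(category, items)
```

Each non-empty category maps to one of the thread's questions: "uninventoried" and "untraceable" are cases where a team cannot say who or what accessed the data, while "long_lived" and "unused_grants" point at standing privilege to reduce.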