TL;DR: The growing strain on static IAM controls in dynamic environments is reflected in Linx Security’s AI-Agent, which extends identity governance from visibility and automation into runtime remediation, JIT access, reviews, and custom risk handling, according to Linx Security.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern autonomous identity decisions in practice?
A: They should separate contextual recommendation from enforcement, then define which identity actions can execute without human approval.
Q: Why do JIT access controls become more complex in dynamic identity environments?
A: Because JIT is no longer just a timer on privilege.
Q: What breaks when access reviews are still run on a fixed schedule?
A: Fixed schedules miss identities and entitlements that change faster than the review cycle.
Practitioner guidance
- Define execution boundaries for autonomous remediation Separate recommendation, approval, and enforcement so the system cannot cross a governance boundary without explicit authorisation.
- Map access decisions to live context signals Require request-time inputs such as identity role, system sensitivity, time of use, and business justification before JIT access or certification decisions can complete.
- Review where access review cadences no longer fit Identify entitlements that change too quickly for quarterly or monthly recertification to be effective, then redesign those controls around continuous state monitoring.
What's in the full announcement
Linx Security's full company news post covers the operational detail this post intentionally leaves for the source:
- A feature-by-feature walkthrough of AI-assistant, MCP Server, and AI-Agent capabilities in the Linx identity workflow
- Examples of how contextual JIT access, access profiles, and custom risk issues are intended to operate across identity processes
- The vendor's own description of how automated remediation and review recommendations are expected to behave in practice
- Planned deep-dives on access profiles, automated review, provisioning, and deprovisioning that the announcement only previews
👉 Read Linx Security's announcement on autonomous identity governance and the AI-Agent →
Autonomous identity governance: are static IAM controls keeping up?
Explore further
Autonomous identity governance exposes the limits of human-paced control loops. Access reviews, approvals, and certifications were designed for privilege that persists long enough to be observed and acted on. That assumption weakens when identity systems make and execute decisions continuously in the same runtime window. The implication is that governance programmes must stop treating periodic review as the primary control boundary for high-change identity states.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when an autonomous identity system makes a bad access decision?
A: Accountability remains with the organisation that defined the policy, approved the execution model, and owns the exception process. Autonomy does not remove responsibility. It changes the control evidence auditors will expect, especially around decision logs, policy provenance, and human override paths.
👉 Read our full editorial: Autonomous identity governance is pushing IAM past static controls