Notifications
Clear all
Topic starter
22/06/2026 10:10 am
TL;DR: C1 says its new Autonomous Worker can revoke stale grants, run access reviews, gather audit evidence, and execute identity tasks through the same policy engine that governs human users, according to ConductorOne. The deeper issue is not task automation but whether identity programmes can govern agents that act from start to finish inside existing permissions.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: What breaks when AI agents are allowed to perform identity work end to end?
A: The main failure is assuming the workflow still behaves like human-operated IAM.
Q: Why do autonomous workers change identity governance more than ordinary automation?
A: Ordinary automation follows predefined steps.
Q: How do security teams know whether agent governance is actually working?
A: Look for action-level evidence, not just policy intent.
Practitioner guidance
- Define a separate governance class for autonomous workers Treat governed AI agents as a distinct identity subject in policy, review, and audit workflows rather than folding them into generic service accounts.
- Audit which controls assume human-paced execution Review access reviews, recertification, and approval gates for assumptions that the actor will wait for human review before acting.
- Require action-level attribution for every agent task Log the operator identity, agent identity, input context, executed action, and permission boundary for every identity operation.
What's in the full announcement
ConductorOne's full post covers the operational detail this analysis intentionally leaves for the source:
- How C1 Autonomous Worker is embedded in the Slack app flow and how that affects day-to-day operator handling.
- The exact identity and policy engine mechanics behind governed execution and attributed actions.
- Examples of identity tasks the agent can complete, including stale grant revocation, access review creation, and audit evidence collection.
- The vendor's positioning on a future where autonomous workers become a standard part of enterprise identity operations.
👉 Read ConductorOne's post on C1 Autonomous Worker and governed AI identity work →
Autonomous workers in identity governance: what changes for teams?
Explore further
22/06/2026 10:57 am
Governed AI workers are not just another NHI class, they are a control-plane stress test. The article describes an agent that reasons, acts, and finishes identity work inside existing permissions, which means the governance problem is no longer only account lifecycle. The harder question is whether the control plane can still separate intention, authorization, and execution when the executor is software that can complete the task without human handoff. Practitioners should treat this as a test of identity control-plane design, not a feature comparison.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% say governance is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when an autonomous worker changes access or gathers evidence incorrectly?
A: Accountability sits with the organisation that granted the permissions and defined the control plane, not with the agent as a separate operator. The practical test is whether policy, logging, and approval boundaries were designed to constrain software that can complete work without handoff.
👉 Read our full editorial: C1 Autonomous Worker reframes governed AI agents for identity work
