Notifications
Clear all
Topic starter
04/06/2026 6:43 pm
TL;DR: Expanded support for AWS AgentCore and Microsoft Foundry extends agent registry, discovery, enrichment, management, and enforcement across more enterprise agent environments, reflecting the shift from AI experimentation to production-scale deployment, according to PlainID. The governance problem is not agent creation but consistent authorization across data, MCP tools, and actions as agent estates spread.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern AI agents across multiple platforms?
A: Security teams should use a centralized authorization model that inventories agents, enriches them with business context, and enforces policy at runtime across platforms.
Q: Why do native cloud guardrails fall short for agentic AI governance?
A: Native guardrails usually stop at the boundary of the cloud or platform they were designed for.
Q: What breaks when AI agent discovery is incomplete?
A: When discovery is incomplete, the organisation cannot know which agents exist, what they are connected to, or what they can access.
Practitioner guidance
- Inventory every agent platform in scope Map where agents are created, where they run, and which systems they can reach.
- Enrich agents with governance context Attach business purpose, owner, data sensitivity, and tool dependencies to each agent profile so policy decisions can reflect operational reality rather than a bare technical identifier.
- Test policy continuity across platform boundaries Validate that the same authorization rule still applies when an agent moves from one cloud to another or into internal systems.
What's in the full announcement
PlainID's full post covers the operational detail this post intentionally leaves for the source:
- How PlainID maps agent registry, discovery, enrichment, management, and enforcement across agent platforms
- How support for AWS AgentCore and Microsoft Foundry changes the practical governance surface for enterprise agent deployments
- How the platform frames central policy management for data, MCP tools, and actions in heterogeneous environments
- How the vendor positions Zero Standing Privileges in agentic workflows
👉 Read PlainID's update on expanded AWS AgentCore and Microsoft Foundry support →
AWS AgentCore and Microsoft Foundry support: what changes for IAM teams?
Explore further
04/06/2026 6:54 pm
Agentic authorization cannot rely on platform-native guardrails alone. The article reinforces a structural boundary problem that identity teams already know from NHI governance: controls that work inside one platform often stop at the edge of another. As agents move from cloud-native runtime to internal enterprise systems, the real issue is not whether a guardrail exists, but whether it still applies after the first hop. Practitioners should assume boundary leakage unless policy remains independent of the platform.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Our research also shows that 97% of NHIs carry excessive privileges, which broadens the attack surface when governance does not keep pace with deployment.
A question worth separating out:
Q: How can IAM teams decide whether agentic authorization is working?
A: IAM teams should look for one decision fabric across data, tools, and actions, with consistent enforcement even when an agent crosses platform boundaries. If policies differ by platform, or if teams cannot explain why a given action was allowed at runtime, the control model is not yet working as intended.
👉 Read our full editorial: Agentic identity governance expands across AWS AgentCore and Foundry
