TL;DR: As enterprises move from model oversight to autonomous workflows, Cranium’s acquisition of Aiceberg combines agentic AI risk mapping with AI security and governance capabilities, according to Cranium. The deal signals that AI governance is shifting from model-centric review to control over agent behaviour, delegation, and lifecycle accountability.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: What should security teams evaluate after a major AI governance acquisition?
A: Security teams should evaluate whether the combined platform covers runtime access, delegation, auditability, and lifecycle ownership, not just model monitoring.
Q: Why do agentic AI systems force IAM and AI security to converge?
A: Agentic systems can initiate actions, call tools, and continue workflows without a human approving each step.
Q: How do organisations decide whether AI governance is actually complete?
A: AI governance is only complete when the organisation can trace each system’s authority from approved lifecycle state to actual runtime action.
Practitioner guidance
- Map agent decision rights separately from model permissions. Document which actions an agent may initiate, which tools it may call, and which steps still require human approval.
- Tie AI onboarding to lifecycle ownership. Assign an accountable owner for each deployed agent, then define the approval path for entitlement changes, policy updates, and retirement.
- Review tool and data-path exposure together. Inventory the external systems, APIs, and data sources each agent can reach, then compare that list to the agent’s intended function.
What's in the full announcement
Cranium's full press release covers the acquisition details this post intentionally leaves for the source:
- The exact positioning of Aiceberg's agentic AI risk-mapping capability inside the combined platform.
- Leadership transition details, including the CTO role and team integration described in the announcement.
- The company's own explanation of how it frames end-to-end AI security and governance.
- The vendor's stated view of regulatory readiness and compliance mapping across AI systems.
Cranium acquires Aiceberg: what changes for AI governance teams?
Explore further
AI governance is being pulled into the identity domain because autonomous systems behave like governed actors, not passive software. The article reflects a category shift: once an AI system can initiate actions, choose tools, and carry forward execution, the relevant control plane is no longer just MLOps or model review. It becomes identity governance, privilege scope, and accountable delegation. Practitioners should expect AI governance to converge with NHI and access governance rather than remain a separate discipline.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: What is the difference between model security and agent governance?
A: Model security protects the model itself, including training, prompts, and exposure. Agent governance controls what the system is allowed to do after it starts acting, including tool use, data access, and decision boundaries. In agentic environments, the second problem is usually the one that creates operational risk.