TL;DR: SailPoint says non-human identities are moving into an “agentic era,” with AI agents requiring discovery, governance, and machine-speed response across business workflows. The practical shift is that identity programmes now have to treat autonomous software as a governed workforce, not a side risk.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Industry analysts project that non-human identities will soon outnumber human employees by a staggering 100 to 1.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams govern AI agents as non-human identities?
A: Security teams should govern AI agents the same way they govern other high-risk non-human identities, with inventory, ownership, least privilege, and revocation.
Q: When does ephemeral access still leave too much risk for AI agents?
A: Ephemeral access still leaves too much risk when the task is not tightly bounded, ownership is unclear, or the agent can chain into other systems.
Q: What is the difference between managing service accounts and managing AI agents?
A: Service accounts usually perform predictable machine tasks, while AI agents can interpret context and choose actions dynamically.
Practitioner guidance
- Inventory every AI agent and sponsor each one: Create an authoritative register that links each agent to an owner, business purpose, data access scope, and upstream dependency.
- Apply least privilege at task level: Grant permissions for the narrowest task window possible and remove broad standing access where agents only need temporary execution rights.
- Add runtime policy checks for agent actions: Validate each high-risk action against policy before execution, especially when agents can touch financial, customer, or production systems.
Teams should measure how far an agent can move, what it can change, and how quickly that scope can be reduced when policy shifts.
👉 Read SailPoint's blog on the Agentic Fabric and AI identity governance →
A few things worth adding from our research at NHI Mgmt Group.
Agentic AI governance is now an NHI problem before it is an AI problem. Once software can act independently, access decisions, ownership, and audit trails matter more than model novelty. The control failures will look familiar to IAM teams: excessive privilege, unclear sponsorship, and weak revocation discipline. Practitioners should therefore anchor agent oversight in NHI governance rather than treat it as a separate AI-only programme.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why discovery gaps keep reappearing in NHI programmes.
A question worth separating out:
Q: Why do AI agents complicate zero trust architecture?
A: AI agents complicate Zero Trust Architecture because the trust decision cannot end at login or token issuance. Their authority can expand or shift during execution, so continuous verification must include task context, data sensitivity, and action risk. Zero trust only works here if every action remains conditional, not just every session.
👉 Read our full editorial: Agentic identity governance now needs visibility, control, and audit
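The practitioner guidance above (agent register, task-level least privilege, runtime policy checks) and the zero trust answer (every action conditional, not just every session) can be combined into a single per-action decision. The following is an added illustrative sketch, not code from SailPoint or NHI Mgmt Group; the register fields, scope names, the `HIGH_RISK` set and the `approved` flag are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HIGH_RISK = {"payments:write", "customer:export", "prod:deploy"}  # assumed labels

@dataclass(frozen=True)
class Grant:
    scope: str          # one permission, e.g. "invoices:read"
    task_id: str        # the single task this grant is bound to
    expires: datetime   # end of the task window

@dataclass
class Agent:
    owner: Optional[str]   # accountable human or team sponsor
    purpose: str           # business purpose recorded in the register
    grants: list           # task-bound Grant objects, no standing access
    revoked: bool = False  # kill switch for fast scope reduction

def authorize(register, agent_id, scope, task_id, now, approved=False):
    """Decide one action. Call before every action, not once per session."""
    agent = register.get(agent_id)
    if agent is None:
        return False, "unregistered agent"
    if agent.revoked:
        return False, "agent revoked"
    if not agent.owner:
        return False, "no accountable owner"
    grant = next((g for g in agent.grants
                  if g.scope == scope and g.task_id == task_id), None)
    if grant is None:
        return False, "scope not granted for this task"
    if now >= grant.expires:
        return False, "task window expired"
    if scope in HIGH_RISK and not approved:
        return False, "high-risk action needs approval"
    return True, "allowed"

# Constructed sample register and clock, for illustration only.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW = NOW + timedelta(minutes=15)
REGISTER = {
    "invoice-bot": Agent("finance-ops", "reconcile invoices",
                         [Grant("invoices:read", "task-42", WINDOW),
                          Grant("payments:write", "task-42", WINDOW)]),
    "orphan-bot": Agent(None, "unknown", [Grant("invoices:read", "task-7", WINDOW)]),
}
```

Because the decision is re-evaluated per action, setting `revoked = True` on a register entry or letting the task window lapse takes effect on the agent's next call, with no session to wait out.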