TL;DR: AI agents and other non-human identities are multiplying across enterprise environments, and SailPoint says its new Agentic Fabric is designed to extend identity security beyond human users by combining discovery, governance, authorization, and protection across cloud, applications, and endpoints. The governance gap is now the central risk: visibility without ownership is not control, and machine-speed access demands lifecycle discipline, not just policy.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
Questions worth separating out
Q: How should organisations govern AI agent access without losing operational speed?
A: Use task-scoped access, explicit human ownership, and runtime monitoring together.
Q: What is the difference between least privilege and zero standing privilege for AI agents?
A: Least privilege limits what an agent can do, while zero standing privilege removes persistent access and grants it only when needed.
Q: Why do AI agents create more IAM risk than traditional service accounts?
A: AI agents can choose actions, call tools, and operate across multiple systems with less predictable behaviour than conventional service accounts.
Practitioner guidance
- Inventory every AI agent and machine identity: Build a complete register of agents, service accounts, API keys, and related identities, then tie each one to an owner, purpose, and business system.
- Enforce task-scoped access for autonomous identities: Replace broad standing permissions with short-lived, task-specific entitlements wherever the workflow allows.
- Connect runtime alerts to automatic revocation: When an agent exceeds its intended scope, trigger containment that can disable credentials, suspend sessions, or require step-up authorisation.
Teams should expect AI identity reviews to join standard access governance, not sit outside it.
👉 Read SailPoint's analysis of Agentic Fabric and enterprise AI identity governance →
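The three practitioner steps above (owned inventory, short-lived task-scoped grants, containment on an out-of-scope request) worked through in Python, as an added example that is not SailPoint's or NHI Mgmt Group's code. `AgentBroker`, its method names, the audit tuple layout and the decision strings are hypothetical and chosen for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Agent:
    owner: str        # accountable human owner
    purpose: str
    system: str       # business system the agent serves
    enabled: bool = True
    grants: list = field(default_factory=list)  # (action, resource, expires_at)

class AgentBroker:
    """Hypothetical in-memory register and authorizer for agent identities."""

    def __init__(self, clock=time.time):
        self.agents, self.audit, self.clock = {}, [], clock

    def register(self, agent_id, owner, purpose, system):
        # Inventory: refuse any identity that lacks an owner, purpose or system.
        if not (owner and purpose and system):
            raise ValueError(f"{agent_id}: owner, purpose and system are required")
        self.agents[agent_id] = Agent(owner, purpose, system)

    def grant(self, agent_id, action, resource, ttl_seconds):
        # Task-scoped access: one action on one resource, expiring by itself.
        expires_at = self.clock() + ttl_seconds
        self.agents[agent_id].grants.append((action, resource, expires_at))

    def authorize(self, agent_id, action, resource):
        agent = self.agents.get(agent_id)
        if agent is None or not agent.enabled:
            return self._log(agent_id, action, resource, "deny:unknown-or-disabled")
        now = self.clock()
        matching = [exp for a, r, exp in agent.grants if (a, r) == (action, resource)]
        if any(exp > now for exp in matching):
            return self._log(agent_id, action, resource, "allow")
        if matching:
            # The grant existed but lapsed: deny, the task must be re-approved.
            return self._log(agent_id, action, resource, "deny:expired")
        # Never granted, so the agent is outside its intended scope:
        # revoke everything it holds and disable the identity.
        agent.grants.clear()
        agent.enabled = False
        return self._log(agent_id, action, resource,
                         f"deny:contained,notify={agent.owner}")

    def _log(self, agent_id, action, resource, decision):
        # Every decision is recorded so access can be audited later.
        self.audit.append((self.clock(), agent_id, action, resource, decision))
        return decision == "allow"
```

An expired grant is treated as a plain denial rather than a scope violation, so routine expiry does not disable an agent that is otherwise behaving as intended.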
A few things worth adding from our research at NHI Mgmt Group.
AI agent identity is becoming the next identity perimeter. The control problem is no longer limited to employees and contractors because autonomous software now carries execution authority, tools, and data reach. That changes the unit of governance from account-centric to relationship-centric, where ownership and context matter as much as authentication. Practitioners should treat AI agents as first-class identities and govern them with the same seriousness as privileged infrastructure accounts.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Should teams prioritise discovery or policy first for NHI governance?
A: They should start both in parallel, but discovery usually comes first when shadow AI is already present. Policy without visibility cannot govern what the team has not found. Discovery without policy only inventories the problem, so the programme needs both to identify identities and then constrain them.
👉 Read our full editorial: Agentic Fabric reframes how enterprises govern AI identities