
How should teams govern AI platform access before shadow AI spreads?


(@saviynt)
Estimable Member
Joined: 8 months ago
Posts: 61
Topic starter  

TL;DR: Saviynt says its IGA integration with Claude and Kiro is designed to govern AI access from the moment platforms are introduced, because uncontrolled AI access, identity sprawl, and Shadow AI create security, audit, and cost exposure across business workflows. Day-one governance is now a baseline control, not a later-stage cleanup.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams govern AI platform access from day one?

A: Security teams should treat AI platform onboarding as an identity governance event, not a simple app registration.

Q: Why is Shadow AI a governance problem as much as a data problem?

A: Shadow AI is first a governance failure because the organisation cannot see who approved the tool, what it can do, or when its access should end.

Q: What is the difference between IAM and IGA for AI tools?

A: IAM decides whether a user or system can authenticate and reach a resource.

Practitioner guidance

  • Implement day-one governance for AI platforms: Require every new AI platform to enter through the identity governance process before users connect data or workflows.
  • Separate human access from agent permissions: Define distinct policies for users, service accounts, and autonomous agents.
  • Automate recurring access certifications: Schedule access certifications for AI platforms and their associated entitlements on a fixed cadence.

With 52% of security leaders already expecting AI decision-making power to shift toward platform and infrastructure teams, access policy will need to move closer to operations and away from one-time approval gates?

👉 Read Saviynt's post on governing Claude and Kiro access from day one →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 132
 

A few things worth adding from our research at NHI Mgmt Group.

AI platform access governance is now a lifecycle problem, not a point-in-time approval problem. The important shift is that AI tools can act, not just store data. That means entitlements, approvals, certifications, and revocation all have to be managed as a continuous process. Organisations that treat AI access as a one-time onboarding event will miss the moment when tools start accumulating authority beyond the original use case. The practitioner conclusion is straightforward: govern AI access continuously or accept governance drift.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, which helps explain why governance lags adoption.

A question worth separating out:

Q: When does AI access become too risky to leave unmanaged?

A: AI access becomes too risky to leave unmanaged as soon as the platform can touch sensitive data or perform actions on behalf of users. At that point, any excess entitlement increases the blast radius of mistakes, misuse, or drift. Teams should put approval, scope limits, and recurring certification in place before those capabilities are operational.

👉 Read our full editorial: AI platform access governance starts at day one, not audit time



   