
How should teams govern Databricks AI agents before access sprawl grows?


(@sailpoint)
Estimable Member
Joined: 1 year ago
Posts: 80
Topic starter  

TL;DR: AI agents are increasingly logging into systems, accessing sensitive data, and acting on behalf of users, with SailPoint citing research that 80% of organisations have already seen agents act beyond intended scope and 96% of technology professionals view them as a growing security threat. Governance now has to track ownership, permissions, and purpose, not just accounts and entitlements.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that act on behalf of users?

A: Treat each agent as a non-human identity with an owner, a defined purpose, and a bounded permission set.

Q: When does AI agent access become too risky to leave standing?

A: Standing access becomes too risky when the agent can read sensitive data, trigger downstream actions, or operate across multiple systems without a tight task boundary.

Q: What is the difference between human IAM and AI agent governance?

A: Human IAM assumes relatively stable roles and predictable behavior.

Practitioner guidance

  • Inventory every AI agent as an NHI asset: Create a living register that includes agent name, system of record, human owner, purpose, and the data domains it can access.
  • Tie agent access to explicit purpose and task scope: Remove standing access wherever possible and require re-approval when an agent changes function, data scope, or deployment environment.
  • Review Unity Catalog and adjacent permissions together: Do not assess Databricks access in isolation.

Teams should expect more scrutiny of where agents are created, not only where they are approved.

👉 Read SailPoint's blog on Databricks agent governance and AI identity control →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

AI agent governance is becoming an NHI control problem, not a niche AI feature. Once agents can authenticate, query data, and act independently, they inherit the same governance burdens as service accounts and privileged workloads, but with less predictability. That makes discovery, ownership, and entitlement review core controls rather than optional hygiene. Practitioners should treat agents as a formal NHI class and govern them accordingly.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How can organisations reduce the blast radius of AI agents?

A: Limit each agent to the minimum data, tools, and actions required for a specific task. Pair that with continuous review of effective permissions and revoke access when the task ends or the workflow changes. The goal is to keep autonomy narrow enough that misuse does not spread across adjacent systems.

👉 Read our full editorial: Databricks agent governance exposes the limits of IAM visibility


This post was modified 4 weeks ago by Mr NHI

   