TL;DR: The central issue is that agents chain tool calls and act within delegated credentials faster than human review cycles can govern, which makes static policy and perimeter controls insufficient, as shown by Pillar Security’s SAIL 2.0, which extends its Secure AI Lifecycle into a seven-phase operating model for AI agents, adding 91 mapped risks, three deployment zones, and standards mappings across EU AI Act, ISO 42001, OWASP, and NIST AI RMF.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- The catalog grows from more than 70 risks in V1 to 91, each with a stable SAIL ID, a concrete example, the assets affected, mitigations, and standards citations.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams govern AI agents that can chain tool calls across systems?
A: Treat the agent as a governed identity with lifecycle ownership, action-level policy, and runtime termination controls.
Q: Why do AI agents complicate existing IAM and PAM controls?
A: Because those controls assume a stable identity and a reviewable access window.
Q: What breaks when AI agents inherit the creator’s access without review?
A: Maker-identity inheritance breaks the separation between who built the agent and who should be accountable for its access.
Practitioner guidance
- Inventory agent identities by lifecycle stage Map every AI agent to build, deploy, operate, and retire ownership so no agent remains live without an accountable controller.
- Separate controls by execution zone Apply different guardrails to code and pipeline artefacts, cloud agents, and endpoint agents because each zone has a distinct credential context and blast radius.
- Enforce action-level policy on tool use Validate each agent action, not just the initial session, when tools, connectors, or MCP servers can chain into harmful sequences.
What's in the full announcement
Pillar Security's full blog covers the operational detail this post intentionally leaves for the source:
- The full seven-phase SAIL 2.0 lifecycle with phase-by-phase risk examples and control mapping.
- The complete list of 91 mapped risks, including the new agentic entries and their standards citations.
- The zone-by-zone breakdown for code, cloud, and endpoint agents with practical ownership implications.
- The SAIL Skill outputs for roadmap building, maturity assessment, and vendor-assessment questions.
👉 Read Pillar Security's guide to SAIL 2.0 for secure AI agents →
SAIL 2.0 and secure AI agents: what changes for IAM teams?
Explore further
Static policy is no longer a sufficient control boundary for AI agents. SAIL 2.0 correctly treats agentic behaviour as a lifecycle and runtime problem, not a document-management problem. When an identity can chain tool calls and make changes faster than human review can intervene, the security model has to govern actions, delegation, and retirement together. The practitioner conclusion is that policy alone cannot define trust for autonomous execution.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How do organisations know if AI agent governance is actually working?
A: Look for evidence that every agent is inventoried, zoned, policy-checked at runtime, and retired with credentials revoked and triggers removed. If you cannot trace an agent from creation to decommissioning, governance is still partial. A working programme leaves an auditable identity trail, not just a policy document.
👉 Read our full editorial: SAIL 2.0 frames the operational gap in secure AI agent governance