
SailPoint and Entro: what changes for NHI and AI agent governance?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: SailPoint has completed its acquisition of Entro Security, combining NHI discovery, credentials security, and lifecycle governance for human, machine, and AI agent identities, with Entro’s controls now available as standalone offerings. The strategic issue is not broader telemetry alone but whether identity programmes can govern agentic and machine access at runtime without losing lifecycle accountability.

NHIMG editorial — what this means for AI and NHI governance

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).

Questions worth separating out

Q: How should security teams govern AI agents that use secrets and tools at runtime?

A: Security teams should treat AI agents as governed identities with explicit ownership, approved tool scope, and continuous monitoring of behaviour while they are active.

Q: Why do NHI programmes need secret lineage, not just secret discovery?

A: Secret discovery tells you what exists, but secret lineage tells you what is actually using the credential and for what purpose.

Q: What breaks when lifecycle reviews are the only control for non-human identities?

A: Lifecycle reviews miss active misuse because they operate on periodic cycles, while credential abuse, malicious tool calls, and posture drift can happen during execution.

Practitioner guidance

  • Map secrets to active downstream use: Inventory where secrets, tokens, and certificates are embedded in codebases, CI/CD pipelines, and container registries, then tie each item to the application, script, or agent currently using it.
  • Separate lifecycle control from runtime monitoring: Keep certifications, segregation of duties, and access reviews as periodic controls, but add continuous monitoring for token behaviour, anomalous tool calls, and prompt-related abuse.
  • Review AI agent governance as an identity problem: Treat autonomous agents as governed identities with delegated actions, approved tools, and clear ownership, rather than as generic automation that can be managed only through workflow policy.

What's in the full announcement

SailPoint's full article covers the operational detail this post intentionally leaves for the source:

  • Standalone product framing for SailPoint Agentic Fabric and Entro NHI discovery as they now appear to customers
  • The specific secret types discovered in developer environments, including where they are found across CI/CD pipelines and container registries
  • Runtime security mechanics such as token behaviour monitoring, malicious AI tool call interception, and prompt threat handling
  • How the combined identity graph and credential lineage model is intended to support lifecycle management and certifications

👉 Read SailPoint's acquisition announcement covering Entro Security and agentic identity governance →
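The distinction the post draws between discovery, lineage and runtime monitoring can be made concrete. The block below is an added illustration, not code from SailPoint, Entro or the NHIMG post: it models a discovered-secret inventory with owners and approved consumers, a registry of agents with approved tool scopes, and a constructed stream of runtime tool calls, then reports what each control layer sees. All names, locations and events are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Secret:
    name: str
    found_in: str                    # where discovery located it (constructed)
    owner: str | None                # None = discovered but nobody accountable
    approved_consumers: frozenset[str]

@dataclass(frozen=True)
class Agent:
    name: str
    owner: str
    approved_tools: frozenset[str]   # the tool scope granted at review time

@dataclass(frozen=True)
class ToolCall:
    """One runtime event: an agent invoked a tool while holding a credential."""
    agent: str
    tool: str
    secret: str

def lineage_findings(secrets, calls):
    """Discovery says what exists; lineage says who actually uses it."""
    used_by: dict[str, set[str]] = {}
    for c in calls:
        used_by.setdefault(c.secret, set()).add(c.agent)
    findings = []
    for s in secrets:
        consumers = used_by.get(s.name, set())
        if s.owner is None:                      # lifecycle gap: no accountable owner
            findings.append(("unowned", s.name, s.found_in))
        if not consumers:                        # exists but nothing uses it: rotate/remove
            findings.append(("orphaned", s.name, s.found_in))
        for who in sorted(consumers - s.approved_consumers):
            findings.append(("unapproved_consumer", s.name, who))
    return findings

def runtime_findings(agents, calls):
    """Per-call checks a periodic access review cannot see: tool use outside scope."""
    scope = {a.name: a.approved_tools for a in agents}
    out = []
    for c in calls:
        if c.agent not in scope:
            out.append(("unregistered_agent", c.agent, c.tool))
        elif c.tool not in scope[c.agent]:
            out.append(("out_of_scope_tool", c.agent, c.tool))
    return out

# Constructed sample inventory and event stream.
SECRETS = [
    Secret("db-ro-token", "repo:billing/.env", "data-platform", frozenset({"report-agent"})),
    Secret("ci-deploy-key", "pipeline:ci/deploy.yml", "platform", frozenset({"deploy-job"})),
    Secret("legacy-api-key", "registry:img/app:1.2", None, frozenset()),
]
AGENTS = [Agent("report-agent", "data-platform", frozenset({"run_query", "write_report"}))]
CALLS = [
    ToolCall("report-agent", "run_query", "db-ro-token"),     # within scope, approved consumer
    ToolCall("report-agent", "send_email", "db-ro-token"),    # tool never approved for this agent
    ToolCall("support-agent", "run_query", "ci-deploy-key"),  # unknown agent, unapproved consumer
]
```

Running both checks on the sample data shows the point of the post: the periodic inventory alone would report three secrets and no problem, while lineage flags the deploy key's unexpected consumer and the unowned, unused legacy key, and the runtime check catches the out-of-scope tool call as it happens.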

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Unified identity governance is now a market requirement, not a roadmap ambition. The acquisition reflects a broader shift in which human, machine, and agent identities can no longer be managed as separate programmes. Organisations that keep discovery, lifecycle, and runtime defence in different silos will miss the control relationships between secrets, workloads, and agent actions. The practitioner conclusion is straightforward: identity architecture is moving toward a single governance fabric across all actor types.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a compliance and breach investigation blind spot, according to the AI Agents: The New Attack Surface report.

A question worth separating out:

Q: Who should own governance when humans, machines, and AI agents share one identity fabric?

A: Ownership should sit with the programme that can connect accountability, entitlement scope, and runtime behaviour across all actor types. Separate teams can still manage their specialties, but the governance model needs one control plane for lineage, approval, and monitoring. Without that, handoffs between human IAM, NHI, and agentic AI create gaps that attackers or misbehaving systems can exploit.

👉 Read our full editorial: SailPoint-Entro acquisition shifts NHI governance for agentic AI
