TL;DR: Identity governance for AI agents now depends on lineage, ownership, and blast-radius control, not just inventory, as SailPoint’s intent to acquire Entro centers on deeper discovery, context mapping, and real-time protection for non-human identities, including more than 1,000 NHI and agent types and 70 enterprise sources, according to SailPoint.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- This unified capability brings out-of-the-box coverage for over 1,000 NHI and agent types, plus the discovery of over 1,200 non-human identity types.
- Covering more than 70 critical enterprise sources across cloud environments, CI/CD pipelines, and developer tools, the platform extends governance into the systems where machine identities operate.
Questions worth separating out
Q: How should security teams govern non-human identities that span cloud, CI/CD, and developer tools?
A: Security teams should govern non-human identities by mapping each credential to an owner, an approved purpose, and a defined operational boundary.
Q: Why does ownership attribution matter for machine identity risk?
A: Ownership attribution matters because a discovered token or key is not governable until someone is accountable for it.
Q: What do security teams get wrong about NHI discovery?
A: Teams often treat discovery as the end state when it is only the first step.
Practitioner guidance
- Map every non-human identity to a human owner Require an accountable owner, business purpose, and review path for each machine identity before it is promoted to production.
- Build entitlement graphs around access context Document which tools, APIs, cloud services, and credentials each identity can reach so you can calculate blast radius and isolate overreach quickly.
- Pair certification with runtime monitoring Use access reviews for governance evidence, then layer behavioural monitoring to catch over-privileged access and scope drift between review cycles.
What's in the full announcement
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- How SailPoint describes the planned Entro integration across discovery, ownership attribution, and NHIDR capabilities.
- The specific NHI and agent categories the combined platform says it will cover, including keys, tokens, certificates, and credentials.
- The vendor's own framing of policy-driven governance across cloud environments, CI/CD pipelines, and developer tools.
- The exact product positioning behind Agentic Fabric and how SailPoint says the acquisition extends it.
👉 Read SailPoint’s blog on its planned Entro acquisition and AI agent governance →
SailPoint’s Entro deal: what changes for NHI and AI agents?
Explore further
Discovery is no longer the hard part of NHI governance, context is. The article’s core point is that organisations already have enough tooling to find machine identities, but not enough discipline to explain what those identities are actually entitled to do. That changes the governance problem from enumeration to interpretation, which is where most identity programmes are still weak. Practitioners should treat contextual lineage as the control boundary, not the asset list.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.
A question worth separating out:
Q: Who should be accountable when a machine identity is over-privileged?
A: Accountability should sit with the human owner of the identity and the team that approved its operational scope. Governance fails when machine access is treated as ownerless infrastructure, because every privileged credential still exists inside a business process that can be reviewed and corrected.
👉 Read our full editorial: SailPoint’s Entro acquisition signals a shift in NHI governance