Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic AI compliance and runtime drift: what changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI compliance frameworks built for static or generative systems are struggling as agentic systems expand tool access, shift scope at runtime, and create audit gaps across the AI lifecycle, according to Lasso Security. The core failure is assumption collapse: policies that presume permissions, intent, and accountability stay stable long enough to be reviewed no longer fit autonomous behaviour.

NHIMG editorial — based on content published by Lasso Security: AI Compliance Framework: Key Components, Challenges & Best Practices

By the numbers:

Questions worth separating out

Q: How should organisations govern AI systems that can change scope at runtime?

A: They should treat runtime behaviour as part of the compliance boundary.

Q: Why do agentic AI systems break traditional compliance frameworks?

A: Because traditional frameworks assume permissions, intent, and accountability remain stable long enough to be reviewed.

Q: What do security teams get wrong about AI compliance evidence?

A: They often collect evidence after the fact instead of building it into the control path.

Practitioner guidance

  • Inventory every AI system and tool connection Create a live catalogue of models, agents, MCP connections, shadow deployments, and delegated integrations.
  • Map permissions to intended use, not only allowed actions Review whether each system's live behaviour still matches the business purpose for which it was approved.
  • Collect runtime evidence as a control requirement Store agent action logs, classification records, remediation trails, and oversight checkpoints in one evidence path.

What's in the full article

Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The regulatory mapping that links AI compliance duties to EU AI Act, GDPR, and ISO/IEC 42001 obligations.
  • The step-by-step control model for discovery, classification, testing, and runtime enforcement across the AI lifecycle.
  • The mechanics of continuous evidence collection for agent actions, remediation trails, and oversight checkpoints.
  • The article's examples of how agentic systems drift from approved intent even when individual actions appear permitted.

👉 Read Lasso Security's analysis of AI compliance frameworks for agentic systems →

Agentic AI compliance and runtime drift: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI compliance has become an identity governance problem, not just a legal one. Once an agent can act across tools, data, and delegated workflows, the question is no longer whether a policy exists. The question is whether identity, privilege, and audit controls still describe the system after it starts operating. That makes AI compliance inseparable from NHI governance, runtime access scope, and evidence capture. Practitioners should stop treating AI compliance as a separate policy stack and start treating it as part of the identity control plane.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who is accountable when an autonomous AI system acts outside its intended scope?

A: Accountability must be assigned before the system goes live, and it has to include ownership for runtime behaviour, not just deployment. If an AI system can cross tool boundaries or spawn delegated actions, governance has to name the responsible control owner and the escalation path in advance.

👉 Read our full editorial: AI compliance frameworks are breaking under agentic runtime drift



   
ReplyQuote
Share: