AI disclosure and oversight: what IAM teams should prepare for


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: A Harris Poll survey of 313 U.S. technology decision makers found that 93% want companies to disclose AI tools and agents, 90% support federal disclosure requirements for high-risk AI systems, and 91% say human oversight is critical, according to Collibra. The governance gap is no longer about adoption speed alone, but about accountability, verification, and trust boundaries that existing programmes were not built to enforce.

NHIMG editorial — based on content published by Collibra: More Than 90% Agree that Companies Should be Required to Disclose Use of AI Agents

By the numbers:

Questions worth separating out

Q: How should organisations disclose the use of AI tools and agents?

A: Organisations should maintain an inventory of approved AI tools and agents, record who owns them, and document what data and decisions they influence.

Q: Why does human oversight matter for AI governance?

A: Human oversight matters because AI outputs can look confident while still being wrong, biased, or incomplete.

Q: How can security teams tell whether AI governance is working?

A: Teams can measure whether AI systems are documented, whether high-risk use cases have named owners, and whether review steps are actually followed before decisions are executed.

Practitioner guidance

  • Inventory AI tools and agents by owner and access path. Build a living register of sanctioned and unsanctioned AI use, including the data sources, accounts, and workflows each system can touch.
  • Define mandatory human review points for high-impact AI output. Require review before AI-generated output can affect access decisions, compliance determinations, or customer-facing actions.
  • Add AI literacy to governance roles and recertification criteria. Update IAM, privacy, and security role profiles so reviewers can identify AI risk, challenge outputs, and understand where AI changes access and accountability assumptions.

What's in the full report

Collibra's full research covers the survey detail this post intentionally leaves for the source:

  • The full breakdown of survey responses by decision-maker role, useful if you need to segment governance priorities across privacy, data, and AI functions.
  • The exact methodology behind the Harris Poll sample, including the confidence interval and respondent profile, for teams that need citation-ready evidence.
  • Additional findings on AI oversight, transparency, and federal regulation that can support board, legal, and policy discussions.
  • The hiring and literacy questions in full, which are useful if you are translating governance expectations into role design.

👉 Read Collibra's survey findings on AI disclosure, oversight, and governance →
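An added illustration, not from the post or from Collibra, of the measurable checks described in the Q&A and practitioner guidance above: a hypothetical register schema for AI tools and agents, plus two checks that flag missing owners, high-impact agents with no human review point, and actions executed by unregistered agents or without a recorded reviewer. The schema, field names and sample data are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical schema for the post's "living register": each AI tool/agent
# with its named owner, reachable access paths, and review-gate status.
@dataclass
class AIAgent:
    name: str
    owner: Optional[str]
    access_paths: List[str]
    high_impact: bool              # output can affect access/compliance decisions
    review_required: bool = False  # a mandatory human review point is defined

@dataclass
class ActionEvent:  # one executed action, with the human reviewer recorded if any
    agent: str
    action: str
    reviewed_by: Optional[str] = None

def check_register(agents: List[AIAgent]) -> List[str]:
    """Documentation findings: every agent needs an owner; high-impact ones need a review gate."""
    findings = []
    for a in agents:
        if not a.owner:
            findings.append(f"{a.name}: no named owner")
        if a.high_impact and not a.review_required:
            findings.append(f"{a.name}: high-impact agent has no human review point")
    return findings

def check_events(agents: List[AIAgent], events: List[ActionEvent]) -> List[str]:
    """Execution findings: unregistered agents and unreviewed high-impact actions."""
    by_name = {a.name: a for a in agents}
    findings = []
    for e in events:
        a = by_name.get(e.agent)
        if a is None:
            findings.append(f"{e.agent}: '{e.action}' by agent missing from register")
        elif a.high_impact and e.reviewed_by is None:
            findings.append(f"{e.agent}: '{e.action}' executed without human review")
    return findings

# Constructed sample register and audit events (not survey data).
REGISTER = [
    AIAgent("ticket-summariser", "helpdesk-lead", ["jira-ro"], False),
    AIAgent("access-recommender", None, ["iam-api"], True, review_required=True),
    AIAgent("compliance-classifier", "grc-lead", ["dlp-feed"], True),
]
EVENTS = [
    ActionEvent("access-recommender", "grant_access", reviewed_by="iam-analyst"),
    ActionEvent("access-recommender", "grant_access"),
    ActionEvent("shadow-copilot", "compliance_determination"),
]
```

Running `check_register(REGISTER)` and `check_events(REGISTER, EVENTS)` over the constructed data yields two documentation findings and two execution findings, the kind of evidence the post suggests measuring.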

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Disclosure is becoming the minimum viable control for AI governance. When 93% of decision makers want companies to disclose AI tools and agents, the market is signalling that hidden AI use is no longer acceptable in regulated or high-trust environments. Disclosure creates the starting point for monitoring, documentation, and accountability, which are prerequisites for any serious governance programme. Practitioners should treat undisclosed AI use as an identity visibility problem, not a communications issue.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who is accountable when AI use is not disclosed?

A: Accountability should sit with the business owner, the system owner, and the governance function that approved or failed to inventory the AI use. If an organisation cannot name those parties, it does not have a controllable governance model. It has an exposure problem that will eventually surface in audit or incident response.

👉 Read our full editorial: AI disclosure and governance expectations are rising fast
