
AI governance and data visibility gaps: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: AI governance breaks down when data is dispersed across SaaS, cloud, and on-prem environments, and when non-human identities can reach sensitive data faster than manual controls can track, according to Cyera. The practical shift is from policy-only governance to continuous discovery, permission right-sizing, and runtime protection as the baseline for control.

NHIMG editorial — based on content published by Cyera: What Keeps CDOs Up at Night: The Visibility Gap

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can access sensitive data?

A: Security teams should govern AI agents as privileged non-human identities with bounded purpose, short-lived permissions, and observable data paths.

Q: Why do AI workflows make traditional IAM controls less effective?

A: Traditional IAM controls assume slower change, clear ownership, and periodic review.

Q: What breaks when NHI permissions are not tied to data context?

A: When NHI permissions are detached from data context, organisations lose visibility into which identities can reach sensitive information, where that information moves, and whether the resulting access matches policy.

Practitioner guidance

  • Implement continuous AI and NHI discovery: Build an inventory that links AI tools, service accounts, and data repositories so teams can see who or what can reach sensitive information in real time.
  • Right-size permissions before AI access expands: Review machine identities for task scope, remove broad inherited roles, and align access with the minimum dataset and action set required for each workflow.
  • Add runtime guardrails for data movement: Block, redact, or route high-risk prompts and responses in-line when AI workflows try to move PII, intellectual property, or regulated content outside policy.

The next phase of NHI management is observable control, not policy intent?

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207
 

AI governance has become an identity governance problem because machine access now moves faster than manual review. The article is strongest when it links governance failure to the pace of AI adoption, not to abstract policy design. Once service accounts, agents, and embedded copilots can touch production data at speed, the decisive question becomes whether identity permissions still match the data they can reach. Practitioners should treat NHI access as part of AI governance, not as a separate hygiene task.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding in the same report shows that only 1.5 out of 10 organisations are highly confident in securing NHIs, which underscores how thin current governance coverage remains.

A question worth separating out:

Q: How do organisations know whether AI governance is actually working?

A: AI governance is working when teams can prove that data access, identity permissions, and runtime controls line up with policy in practice. A useful test is whether the organisation can answer who accessed what, through which identity, and whether any out-of-policy movement was blocked or detected in time.
