AI governance vs IGA: where identity teams need to draw the line


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Enterprise identity programmes now have to govern both human access and machine behaviour: the article argues that IGA handles provisioning, certifications, and least privilege for people, while AI governance manages runtime actions, drift, and accountability for agents and bots, according to SecurEnds. The key gap is that valid credentials do not guarantee valid behaviour, so access control alone is no longer enough.

NHIMG editorial — based on content published by SecurEnds: AI governance and IGA are not the same discipline for identity

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that use production credentials?

A: They should govern them as identities with both lifecycle and runtime controls.

Q: Why do NHIs and AI agents complicate traditional IAM programmes?

A: Because IAM was designed to answer who should have access, not how a non-human actor behaves once access exists.

Q: What breaks when access certification is used as the main control for AI governance?

A: Certification only validates that a permission was approved at a point in time.

Practitioner guidance

  • Map AI agents into the identity inventory: Record every agent, bot, and machine account in the same authoritative inventory used for NHIs and human access reviews.
  • Separate entitlement governance from runtime governance: Use IGA for provisioning, certification, and lifecycle control, then layer runtime monitoring and policy enforcement for agent behaviour, data access, and tool use.
  • Reduce over-privilege on machine and agent credentials: Review AI-linked service accounts and tokens for write access, broad data reach, and inherited permissions that are not essential to the declared use case.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • The article's side-by-side comparison of IGA and AI governance control points for teams building a roadmap.
  • The article's framework references for SOX, HIPAA, SOC 2, PCI-DSS, ISO 27001, NIST AI RMF, and the EU AI Act.
  • The article's practical sequencing guidance for moving from human IGA into NHI and AI governance.
  • The article's discussion of runtime enforcement and accountability ownership for AI systems.

👉 Read SecurEnds' analysis of why AI governance is different from IGA →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

IGA and AI governance are structurally different disciplines, not adjacent labels for the same control set. IGA governs access entitlements at provisioning time, while AI governance governs behaviour at runtime. That distinction matters because the security failure changes once the actor can decide and act continuously. The implication is that organisations should stop treating AI runtime policy as a simple extension of access certification.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how far identity governance still has to mature.

A question worth separating out:

Q: Who should be accountable when an AI agent acts outside its intended scope?

A: Accountability should sit with the named business owner and the technical owner of the agent, not with the abstract fact that the system was deployed. Organisations need explicit ownership for provisioning, oversight, exception handling, and decommissioning so that misbehaviour has a clear governance path.

👉 Read our full editorial: AI governance and IGA are not the same discipline for identity

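As an added illustration of the lifecycle/runtime split argued in both posts above (example code written for this thread, not SecurEnds' or NHIMG's own tooling): the IGA-layer check compares what a credential grants with what the use case declared and flags agents without named owners, while the runtime-layer check replays an action log and flags actions outside the declared scope even though every credential was valid. Agent names, scopes and log lines are constructed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class AgentRecord:
    agent_id: str
    business_owner: "str | None"
    technical_owner: "str | None"
    declared_scope: frozenset  # (resource, action) pairs the declared use case needs
    granted: frozenset         # (resource, action) pairs the credential actually carries

# Constructed inventory: one agent over-privileged, one with no technical owner.
INVENTORY = {
    "agent-ticket-triage": AgentRecord(
        "agent-ticket-triage", "support-lead", "platform-team",
        frozenset({("tickets", "read"), ("tickets", "write")}),
        frozenset({("tickets", "read"), ("tickets", "write"), ("customers", "read"), ("customers", "write")})),
    "agent-report-bot": AgentRecord(
        "agent-report-bot", "finance-lead", None,
        frozenset({("ledger", "read")}), frozenset({("ledger", "read")})),
}

# Constructed runtime log. Every event below used a valid credential; the 10:02 event
# is within what the token grants but outside what the use case declared.
EVENTS = [
    {"ts": "10:00", "agent": "agent-ticket-triage", "resource": "tickets", "action": "read"},
    {"ts": "10:02", "agent": "agent-ticket-triage", "resource": "customers", "action": "write"},
    {"ts": "10:05", "agent": "agent-report-bot", "resource": "ledger", "action": "read"},
    {"ts": "10:07", "agent": "agent-unknown", "resource": "ledger", "action": "read"},
]

def lifecycle_findings(inventory):
    """IGA layer: grants beyond the declared use case, and agents with no named owners."""
    findings = []
    for rec in inventory.values():
        for res, act in sorted(rec.granted - rec.declared_scope):
            findings.append(f"{rec.agent_id}: excess grant {res}:{act}")
        if not (rec.business_owner and rec.technical_owner):
            findings.append(f"{rec.agent_id}: no named business and technical owner")
    return findings

def runtime_findings(inventory, events):
    """AI governance layer: actions outside declared scope, and actors missing from the inventory."""
    findings = []
    for ev in events:
        rec = inventory.get(ev["agent"])
        if rec is None:
            findings.append(f"{ev['ts']} {ev['agent']}: not in identity inventory")
        elif (ev["resource"], ev["action"]) not in rec.declared_scope:
            findings.append(f"{ev['ts']} {ev['agent']}: {ev['resource']}:{ev['action']} outside declared scope")
    return findings
```

Running both checks over the same inventory shows why certification alone is not enough: the 10:02 write would pass any access review, because the token legitimately carries that grant, and is only caught by the runtime comparison against the declared scope.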