TL;DR: Identity governance built for human accounts cannot fully cover shadow NHIs, ephemeral credentials, and AI agents that create and use authority outside traditional review workflows, according to the source article. The practical shift is toward continuous authority governance, where effectiveness, visibility, and revocation matter more than campaign completion.
NHIMG editorial — based on research published by Astrix Security
Questions worth separating out
Q: How should organisations govern NHIs beyond quarterly access reviews?
A: Organisations should govern NHIs with continuous authority controls, not periodic certification alone.
Q: Why do AI agents create a governance problem for IAM teams?
A: AI agents create a governance problem because they authenticate and act as autonomous software entities with tool access.
Q: What is the difference between identity governance and authority governance?
A: Identity governance asks whether a person or account was reviewed and approved. Authority governance asks what that entity can actually do at runtime and tracks the creation, use, escalation, and revocation of that authority.
Practitioner guidance
- Define authority-bearing entities in scope: inventory human accounts, service accounts, API keys, tokens, certificates, and autonomous agents as one control population.
- Test runtime privilege, not just directory entitlements: validate what each entity can do after role inheritance, token scope, delegated permissions, and connected-system trust are applied.
- Capture time-bound evidence for issuance and revocation: require logs that show when credentials were created, when they were used, and when they were revoked.
Teams building their programme now should anchor it to the NHI Lifecycle Management Guide and the NIST AI Risk Management Framework.
Read the source article on authority governance for NHIs and AI agents.
A few things worth adding from our research at NHI Mgmt Group.
Authority governance is the right control model for the machine era. Identity governance remains necessary, but it is no longer sufficient when authority can be created by code, inherited through integrations, and exercised by software agents. The discipline now needs to track creation, use, escalation, and revocation across every authority-bearing entity. Auditors and security leaders should treat authority as the audited object, not just the named identity.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface.
- Only 44% have implemented any policies to govern AI agents, even though 92% say governing them is critical to enterprise security.
A question worth separating out:
Q: When does continuous monitoring matter more than access certification?
A: Continuous monitoring matters more whenever access can change faster than the review cycle, especially with ephemeral credentials, APIs, and autonomous agents. In those settings, a quarterly or monthly certification can miss the period when the real risk occurs. Teams need monitoring that follows the authority lifecycle in near real time.
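As an added example (not code from the source article, Astrix Security, or NHIMG), the Python below implements the three practitioner steps listed earlier (an inventory of authority-bearing entities, runtime privilege after role inheritance and token scoping, and time-bound creation/use/revocation evidence) and then shows the point made in this answer: a periodic certification cannot see authority that is created and revoked between two review dates. Role names, permissions, entity ids, review dates, and log lines are all constructed for illustration.

```python
# Continuous authority governance check over constructed sample data.
# Added example; the role model, entities and evidence lines are hypothetical.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Hypothetical role hierarchy: a role inherits the permissions of its parents.
ROLE_PARENTS = {"reader": [], "ci-deployer": ["reader"], "admin": ["ci-deployer"]}
ROLE_PERMS = {"reader": {"repo:read"}, "ci-deployer": {"deploy:prod"}, "admin": {"iam:write"}}
PRIVILEGED = {"deploy:prod", "iam:write"}   # permissions that must carry revocation evidence


@dataclass
class Entity:
    id: str
    kind: str                          # human | service_account | api_key | agent
    roles: list
    token_scope: Optional[set] = None  # None means the token does not narrow the roles


def effective_permissions(entity):
    """Runtime privilege: expand role inheritance, then narrow to the token scope."""
    perms, stack, seen = set(), list(entity.roles), set()
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        perms |= ROLE_PERMS.get(role, set())
        stack.extend(ROLE_PARENTS.get(role, []))
    if entity.token_scope is not None:
        perms &= entity.token_scope
    return perms


def parse_event(line):
    """Parse a constructed evidence line: '<iso-timestamp> <entity-id> <created|used|revoked>'."""
    ts, ent, action = line.split()
    return datetime.fromisoformat(ts), ent, action


def authority_findings(entities, log_lines, review_dates):
    """Return {entity_id: [issues]} for entities whose authority evidence is not clean."""
    by_id = {e.id: e for e in entities}
    timeline = {}
    for line in log_lines:
        ts, ent, action = parse_event(line)
        t = timeline.setdefault(ent, {"created": None, "revoked": None, "used": []})
        if action == "used":
            t["used"].append(ts)
        else:
            t[action] = ts
    findings = {}
    for ent_id, t in timeline.items():
        entity = by_id.get(ent_id)
        issues = []
        if entity is None:
            issues.append("unknown_entity")  # evidence without inventory: a shadow NHI
        privileged = entity is not None and bool(effective_permissions(entity) & PRIVILEGED)
        if t["revoked"] and any(u > t["revoked"] for u in t["used"]):
            issues.append("used_after_revocation")
        if t["created"] and t["revoked"] is None and privileged:
            issues.append("privileged_no_revocation_evidence")
        if t["created"] and t["revoked"] and privileged:
            # A lifetime that overlaps no certification date is invisible to periodic review.
            if not any(t["created"] <= d <= t["revoked"] for d in review_dates):
                issues.append("invisible_to_certification")
        if issues:
            findings[ent_id] = issues
    return findings


# Constructed inventory, quarterly review dates and evidence log.
ENTITIES = [
    Entity("alice", "human", ["admin"]),
    Entity("svc-build", "service_account", ["ci-deployer"]),
    Entity("tok-7f3a", "api_key", ["admin"], token_scope={"repo:read"}),  # scoped-down token
    Entity("agent-triage", "agent", ["ci-deployer"]),
]
REVIEW_DATES = [datetime(2025, 1, 1), datetime(2025, 4, 1)]
LOG = [
    "2025-02-10T09:00:00 agent-triage created",
    "2025-02-10T09:05:00 agent-triage used",
    "2025-02-11T18:00:00 agent-triage revoked",
    "2024-12-01T10:00:00 svc-build created",
    "2025-01-20T10:00:00 svc-build used",
    "2025-03-01T10:00:00 svc-build revoked",
    "2025-03-02T08:00:00 svc-build used",      # activity after the revocation timestamp
    "2025-02-01T10:00:00 tok-7f3a created",
    "2025-02-02T10:00:00 tok-7f3a used",
    "2025-02-03T10:00:00 ghost-key created",   # never inventoried
    "2025-02-03T11:00:00 ghost-key used",
]


def demo():
    return authority_findings(ENTITIES, LOG, REVIEW_DATES)


if __name__ == "__main__":
    for ent_id, issues in demo().items():
        print(ent_id, issues)
```

Running `demo()` reports the agent whose credential was created and revoked between the two certification dates, the service account that was used after its revocation timestamp, and a key that appears in the evidence but not in the inventory. The scoped-down API key inherits the admin role on paper but holds only `repo:read` at runtime, so it is correctly left out; that is the difference between a directory entitlement and tested runtime privilege.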
Read our full editorial: Authority governance is replacing identity governance for NHIs.