TL;DR: DORA assessors want demonstrable operating effectiveness, not static policies, and agentic AI makes that harder because autonomous actions require identity-traceable logs, contextual evidence, and continuous monitoring, according to Teleport. The compliance burden now shifts from documenting controls to proving that humans and agents stayed within approved scope at runtime.
NHIMG editorial — based on content published by Teleport: Guide: DORA Compliance Evidence for Agentic AI
By the numbers:
- The Digital Operational Resilience Act began enforcement on January 17, 2025, and supervisors are now actively supervising firms.
- The four-hour initial notification rule in Article 19 requires proof that the reporting clock starts immediately upon classification.
Questions worth separating out
Q: How should security teams prove DORA compliance for AI agents that act autonomously?
A: They should require identity-traceable evidence for every high-risk agent action, including the initiating prompt, approval path, tool use, execution window, and revocation record.
Q: When does just-in-time access help most in DORA evidence collection?
A: JIT access helps most when teams need to prove that elevated privileges existed only long enough for a specific task and were then removed.
A: Design effectiveness asks whether a control should satisfy the requirement on paper.
Practitioner guidance
- Map every high-risk workflow to an identity and an evidence owner: define which human, service account, or agent identity is responsible for each regulated action, then assign one owner for the audit trail, approval record, and retention requirements.
- Replace standing admin access with task-scoped JIT elevation: use just-in-time access for privileged human and non-human users, and require automatic revocation at the end of the approved window so the log shows a clean request-to-revoke chain.
- Capture agent decision context, not just system events: record the initiating prompt, the plan generated before execution, the tools invoked, and the approval path for any autonomous action that could affect regulated systems.
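As an added example (not Teleport's or NHIMG's code), the check below reconstructs the evidence chain for one agent action from identity-tagged audit events and reports the gaps an assessor would ask about: missing prompt, plan, approval, grant or revocation, tool calls outside the approved scope, and privilege held past the approved window. Event kinds, field names, the `act-1` correlation id and the sample log are all constructed for illustration.

```python
# Added example (not Teleport's or NHIMG's code): checks whether the audit
# trail for one autonomous action carries the evidence described above.
# Event kinds, field names and the sample chain are constructed.
from datetime import datetime, timedelta

def ev(ts, identity, kind, **extra):
    return {"ts": ts, "action_id": "act-1", "identity": identity, "event": kind, **extra}

EVENTS = [  # constructed sample chain for one high-risk action
    ev("2025-03-01T09:00:00Z", "agent:deploy-bot", "prompt", text="rotate the payments DB credential"),
    ev("2025-03-01T09:00:05Z", "agent:deploy-bot", "plan", steps=["secrets.rotate", "service.restart"]),
    ev("2025-03-01T09:00:10Z", "human:alice", "approval", scope=["secrets.rotate", "service.restart"], window_min=15),
    ev("2025-03-01T09:00:12Z", "agent:deploy-bot", "jit_grant", role="payments-admin"),
    ev("2025-03-01T09:02:00Z", "agent:deploy-bot", "tool_call", tool="secrets.rotate"),
    ev("2025-03-01T09:03:00Z", "agent:deploy-bot", "tool_call", tool="service.restart"),
    ev("2025-03-01T09:04:00Z", "agent:deploy-bot", "jit_revoke", role="payments-admin"),
]

REQUIRED = ("prompt", "plan", "approval", "jit_grant", "tool_call", "jit_revoke")

def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")

def evidence_findings(events, action_id):
    """Gaps in the evidence chain for one action; [] means the chain is complete."""
    chain = sorted((e for e in events if e["action_id"] == action_id), key=_ts)
    by_kind = {}
    for e in chain:
        by_kind.setdefault(e["event"], []).append(e)
    findings = [f"missing {k}" for k in REQUIRED if k not in by_kind]
    calls = by_kind.get("tool_call", [])
    if "approval" in by_kind:
        approval = by_kind["approval"][0]
        if not approval["identity"].startswith("human:"):
            findings.append("approval not issued by a human identity")
        findings += [f"tool {c['tool']} outside approved scope"
                     for c in calls if c["tool"] not in approval["scope"]]
        if "jit_grant" in by_kind and "jit_revoke" in by_kind:
            grant, revoke = by_kind["jit_grant"][0], by_kind["jit_revoke"][-1]
            if _ts(revoke) > _ts(grant) + timedelta(minutes=approval["window_min"]):
                findings.append("privilege held past approved window")
            findings += [f"tool {c['tool']} used outside grant window"
                         for c in calls if not _ts(grant) <= _ts(c) <= _ts(revoke)]
    # Attribution: every agent-side event must name the same non-human identity.
    agents = {e["identity"] for e in chain if e["event"] != "approval"}
    if len(agents) != 1:
        findings.append("action not attributable to a single agent identity")
    return findings
```

Running `evidence_findings(EVENTS, "act-1")` on the sample chain returns an empty list; dropping the revocation event or adding a tool call outside the approved scope produces the corresponding finding.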
Teams should align evidence retention with privileged access lifecycle controls and the NIST AI Risk Management Framework rather than treating agent logs as an isolated technical issue.
👉 Read Teleport's guide to DORA compliance evidence for agentic AI →
A few things worth adding from our research at NHI Mgmt Group.
Identity traceability is now a DORA control objective, not just an IAM preference. The article is correct to frame evidence as more than recordkeeping because regulators need to see how an action maps back to a specific identity and approved scope. That is especially true when agents operate under service accounts or shared credentials, where attribution can disappear unless the organisation deliberately engineers it back in. Practitioners should treat identity traceability as part of resilience evidence, not an after-the-fact reporting exercise.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Why do AI agents create more audit risk than traditional service accounts?
A: AI agents can choose actions dynamically, call tools unexpectedly, and chain multiple steps without direct human intervention. That makes it harder to explain intent, scope, and authorization from ordinary logs alone. Auditors need a reconstruction of decisions, not just a record that an action happened.
👉 Read our full editorial: DORA evidence for agentic AI demands identity-traceable audit trails