{"id":5103,"date":"2026-04-10T13:38:15","date_gmt":"2026-04-10T13:38:15","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/04\/10\/governance-gaps-emerge-as-ai-agents-drive-76-increase-in-nhis\/"},"modified":"2026-04-10T13:38:15","modified_gmt":"2026-04-10T13:38:15","slug":"governance-gaps-emerge-as-ai-agents-drive-76-increase-in-nhis","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/10\/governance-gaps-emerge-as-ai-agents-drive-76-increase-in-nhis\/","title":{"rendered":"Governance Gaps Emerge as AI Agents Drive 76% Increase in NHIs"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

The SANS Institute has warned that the race to incorporate AI into enterprise workflows threatens to outpace security efforts, after revealing widespread credential hygiene failings.<\/p>\n

The security training and research organization presented the findings as part of its 2026 SANS State of Identity Threats & Defenses Survey<\/em>, which is based on interviews with over 500 security professionals\u00a0globally.<\/p>\n

It revealed that three-quarters (76%) of organizations report growth in non-human identities (NHIs) such as service accounts, API keys, automation bots\u00a0and workload identities.<\/p>\n

A growing number of these are tied to agentic AI: 74% of organizations are already using AI agents or automations that require credentials, SANS Institute said.<\/p>\n

This has led to the number of NHIs operating within organizations quietly doubling or tripling, the report claimed.<\/p>\n

Read more on agentic AI risk: #Infosec2025: Concern Grows Over Agentic AI Security Risks<\/em><\/p>\n

However, agentic AI in particular represents a potentially new security risk few enterprises seem able to manage.<\/p>\n

Agents require credentials and access permissions to work autonomously, and are often granted privileged access to interact directly with critical infrastructure and data, SANS Institute said.<\/p>\n

However, unlike traditional NHIs\u00a0which follow fixed logic, agentic AI interprets instructions and can take unpredictable actions \u2013 meaning they behave more like an over\u2011privileged insider, but operating at machine speed. There\u2019s also a risk of hallucination.<\/p>\n

Forrester warned last year that an agentic AI deployment will cause a publicly disclosed data breach by the end of 2026, and called for organizations to follow a \u201cminimum viable security\u201d approach to mitigate associated risks.<\/p>\n

AI Governance Is Lacking<\/h2>\n

Most organizations appear to lack a coordinated security-first approach to AI deployment, according to the SANS Institute study.<\/p>\n

It found that 92% fail to rotate machine credentials on a 90-day cycle, fearing that this might break service accounts. Most (59%) rotate fewer than half of their NHI credentials quarterly, while some (15%) don\u2019t even know their rotation rate.<\/p>\n

A further 5% don\u2019t know if they\u2019re running agentic AI in their organization at all, the report noted.<\/p>\n

Another challenge highlighted in the report is that many organizations rely on manual access reviews, ticket\u2011based provisioning, and periodic rotation, which simply don\u2019t scale when environments have large volumes of NHIs operating at machine speed across DevOps, cloud and SaaS systems.<\/p>\n

Richard Greene, certified instructor at\u00a0SANS\u00a0Institute, warned that organizations are giving AI decision-making power faster than they\u2019re building governance frameworks to control it.<\/p>\n

\u201cWe\u2019ve already seen what happens when non\u2011human identities scale without guardrails, and agentic AI is moving even faster,\u201d he added.<\/p>\n

\u201cThe early signs of governance are encouraging \u2013 nearly four in ten organizations now use human in-the-loop approvals for AI agent actions \u2013 but the real challenge is staying ahead of these systems as they shift from pilots to core operations.\u201d<\/p>\n

The SANS Institute recommended adoption of secrets vaults, automated rotation and scoped least-privilege access as a bulwark against agentic AI risk, but emphasized the importance of scaling these efforts to match the continued growth of NHIs.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

The SANS Institute has warned that the race to incorporate AI into enterprise workflows threatens to outpace security efforts, after revealing widespread credential hygiene failings. The security training and research organization presented the findings as part of its 2026 SANS State of Identity Threats & Defenses Survey, which is based on interviews with over 500<\/p>\n","protected":false},"author":2,"featured_media":5104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5103-db832b9d-6fd8-4644-9d63-90bff057c381-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5103"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5103\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5104"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5103"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}