Governing AI Agents: From Enterprise Risk to Strategic Asset

The proliferation of AI agents in the enterprise has moved from theoretical to practical at a remarkable pace. These agents, whether developed internally or licensed, are increasingly integrated into core business workflows. While they promise substantial gains in automation and productivity, they also introduce a new and complex class of security risks that demand immediate attention.

The core challenge is not whether to adopt AI agents, but how to govern them effectively. A disciplined approach to balancing innovation with security is essential for any organization looking to leverage AI without exposing itself to unacceptable risk.

Recent research highlights the urgency of this issue. A comprehensive study found that 82% of companies are already using AI agents, with 53% acknowledging they access sensitive information daily. This rapid adoption, often occurring without adequate oversight, creates significant vulnerabilities. The imperative is clear: organizations must establish robust governance frameworks to manage this new digital workforce.

The AI Agent Lifecycle Problem: Discovery and Ownership

The question of ownership presents another critical hurdle. AI agents are often introduced into workflows without clear lines of accountability. When the developer or project lead who introduced an agent leaves the organization, the enterprise is left with an orphaned agent. This creates a dangerous gap in both accountability and security, as there is no designated owner responsible for its maintenance, updates, or de-provisioning.

One of the most significant challenges in managing AI agents is their lifecycle. In complex, sprawling enterprise environments, manual tracking of every deployed agent is simply not feasible. For governance to be effective, any newly created, licensed, or deployed agent must be automatically discoverable. Without this foundational capability, organizations risk creating a shadow ecosystem of ungoverned agents operating outside of security and compliance controls.

The question of ownership presents another critical hurdle. Industry trends indicate that an AI agent's ownership typically changes hands four times during its first year. The initial phase involves executive ownership and sponsorship, where business leaders set the objectives and define the automation goals within a specific group. Once a proof of value (POV) or proof of concept (POC) is achieved, ownership typically transitions to the AI team, which is responsible for final training and model refinement. Next, the Cloud Operations team assumes control to deploy the agent and provide ongoing monitoring. Finally, the Application and Data Security teams step in to ensure compliance with organizational policies and the proper enforcement of data security standards throughout the agent's operational lifecycle.

When AI agents are introduced into workflows without clear lines of accountability, gaps emerge—particularly if a project lead or developer departs the organization, leaving behind orphaned agents. This creates a dangerous lapse in both accountability and security since there may be no designated owner responsible for maintenance, updates, or de-provisioning.

To mitigate this, formal lifecycle management protocols are not just a best practice; they are a necessity. These protocols must include clear ownership assignment from the moment of an agent's creation and define procedures for transferring ownership when personnel changes occur. This ensures that every agent remains an asset under control, rather than becoming an unmanaged liability.

Defining Security Guardrails, Not Guesswork

Effective AI agent governance requires clearly defined security parameters. Organizations must answer critical questions about each agent's operational boundaries:

• Where is the agent authorized to operate?
• How are its permissions configured and enforced?
• Which data sources, applications, and systems can it access?
• Who is responsible for overseeing its actions and maintaining compliance over time?

Without definitive answers to these questions, the potential for risk multiplies. An agent with overly broad permissions could access and exfiltrate sensitive data, disrupt critical systems, or be manipulated by malicious actors to compromise the enterprise.

The solution is centralized governance, established through cross-functional collaboration. As with established compliance frameworks such as GDPR, visibility begins with comprehensive logging of agent behavior—a prerequisite for implementing effective compliance controls as AI agents become pervasive. Teams from identity, security, cloud operations, and AI development must work together to create and enforce a unified set of rules, permissions, and frameworks. This ensures that AI agents operate with both the agility required to deliver value and the accountability needed to maintain security.

The Strategic Role of Identity in AI Governance

The rise of AI agents provides an opportunity for the identity security function to serve as a strategic connector across the enterprise. By establishing regular alignment with security and cloud teams, identity can ensure that provisioning, oversight, and policy enforcement remain consistent for all identity types, including AI agents.

Security's focus should be on ensuring each agent is appropriately secured, while identity provides the necessary visibility through comprehensive inventories, access certifications, and detailed audit trails. This cross-functional synergy strengthens the overall security posture and improves operational efficiency.

The value of a mature identity security program is underscored by research showing that Identity and Access Management (IAM) provides the highest ROI among security domains, at 30%. By investing in identity governance for AI agents, organizations not only mitigate risk but also maximize the return on their broader security investments. As AI models become more sophisticated and increasingly capable of working together, a strong identity foundation will be crucial for orchestrating their collective tasks securely.

Innovation Demands Accountability

AI agents are no longer a peripheral technology; they are embedded in the core of the modern enterprise. Their capacity to accelerate workflows and enhance productivity is clear, but so are the risks that emerge from a lack of governance.

Success in this new era will be defined not by the speed of adoption alone, but by the discipline of the governance that accompanies it. Without unified visibility and control over AI agents, the gap between identity context and security context will continue to widen, leaving organizations exposed. Enterprises that successfully close this gap will be best positioned to capture the transformative benefits of AI while maintaining the trust and security that their business demands. The path forward requires innovation balanced with accountability.

About the Author: Matt Fangman is an accomplished technical leader with over 26 years of experience in enterprise software, cloud services, AI, data solutions, and strategic integration. His recent roles at Microsoft and SailPoint have focused on driving innovation through AI-driven transformations, data maturity initiatives, and modern workplace solutions.

As Field CTO at SailPoint (since February 2025), Matt is responsible for aligning with field sales and technical teams to lead strategic account engagements. He specializes in integrating SailPoint's identity governance platforms with Microsoft technologies, with a focus on pioneering AI agents and multi-agent systems to enhance security and operational efficiency. Matt leverages his deep understanding of both SailPoint's solutions and the broader Microsoft ecosystem to create impactful solutions for SailPoint's customers.

Prior to joining SailPoint, Matt was the Data & AI Leader for strategic accounts within Microsoft's manufacturing segment. In this role, he managed Microsoft's largest clients, guiding them in the adoption of advanced data and AI capabilities. He led a specialized team, working closely with engineering partnerships to deliver market-aligned solutions that addressed complex industry challenges and accelerated customer maturity in the Data & AI space.

Previously, Matt served as CTO for Microsoft's Modern Workplace business in the US Enterprise segment, which included Office 365, Enterprise Mobility Suite, and Windows offerings. He orchestrated sales and go-to-market strategies, leading a large organization of sales professionals, managers, and support teams. Under his leadership, the organization generated $16.5 billion in annual revenue through technical innovation and ecosystem enablement.

Matt's extensive experience and proven track record make him a valuable asset to SailPoint, driving strategic initiatives and fostering innovation within the identity governance landscape.