May 27, 2026
Orienting frame
The CISO approved the AI roadmap. The identity architecture underneath it was built for a world where every credential had a human behind it. That gap is now an audit exposure and an accountability problem, but most CISOs haven't been asked the pointed version of the question: who owns the identity lifecycle for your AI agents, and can your access review process actually see them? Some CISOs are already tracking non-human identity sprawl and know the answer is uncomfortable. Most assume their existing tooling covers it. Your first question tells you which one you're sitting across from.
Q1. "If an auditor asked you tomorrow to produce an access log for every AI agent touching your systems, how confident are you in what you'd hand over?"
Why this works. CISA's Zero Trust Maturity Model requires agencies to govern non-person entities with the same lifecycle rigor as human users. A CSA survey (commissioned by Strata Identity, n=285) puts the share of security leaders who doubt they could pass an agent-focused compliance audit at 84%. Framing the question around an auditor makes that number personal. In SLED accounts, the pressure source is different but the gap is the same: state data privacy obligations and board-level risk inquiries create audit exposure even without an Inspector General (IG). (Surfaces the visibility gap OIG addresses.)
What to listen for:
- 🔴 Hot: "We ran a service account audit last quarter and found credentials no one could trace" or "The IG flagged this and we didn't have a clean answer." This CISO has already felt the gap scored against them.
- 🟡 Warm: "That's on our roadmap once we finish the human IAM consolidation." Read this carefully. A CISO who can describe the NHI problem specifically but has sequenced it behind human IAM is resource-constrained — and the account has a timeline you can work with. A CISO who uses the human IAM project as a reason to defer thinking about NHI is telling you the problem hasn't hit their desk. Different accounts, different next steps.
- ⚪ Cold / wrong door: "That's really an IT operations question." The CISO has either delegated NHI governance or hasn't claimed it. Find the IT Director and ask directly: "Who owns the lifecycle for service accounts and AI agent credentials in your environment?" The answer tells you whether governance is delegated or orphaned before you circle back.
Q2. "When one of your AI agents does something outside its intended scope, who gets the call — and how fast do you find out?"
Why this works. A CSA survey (commissioned by Zenity, n=445) found 53% of organizations have experienced agents exceeding intended permissions. You're probing two things at once: whether ownership is assigned or ambiguous, and whether detection is real-time or retrospective. A CISO with clear answers to both has an accountability structure. A CISO who hesitates has a policy document. (Maps to the governance gap OIG addresses.)
What to listen for:
- 🔴 Hot: "We've had agents act outside their scope — nothing catastrophic, but things we didn't authorize." Or: "Honestly, we probably wouldn't know for hours." Either confirms an active, unresolved accountability void.
- 🟡 Warm: "We have a policy, we just haven't operationalized it." Strategy without enforcement. Per the same CSA data, only 31% have formally adopted governance policies while another 50% have partially documented ones. This CISO is in the gap between documentation and control.
- ⚪ Cold / wrong door: "We don't have any AI agents yet." Probe before accepting: "Are any of your program offices or business units using AI-assisted workflow tools that connect into your environment?" The CSA survey found 54% of organizations report unsanctioned agents already present. If genuinely none exist, the account lacks the precondition. Note it and revisit in two quarters.
If the CISO starts describing specific agent authentication architecture — how tokens are scoped, what their detection pipeline looks like, which systems agents authenticate against — stop discovery. Document what they described and bring in the SE. Your message: "CISO confirmed active agent permission exceedance and walked me through their auth stack. They need a technical governance conversation, not more questions."
Q3. "Do your access reviews today cover non-human identities — service accounts, API keys, AI agents — or do they stop at human users?"
Why this works. The CISA ZTMM Optimal stage requires automated lifecycle management with just-enough-access controls for all entities, including non-person entities. NSA guidance acknowledges that non-person entity identity management remains "locally defined using ad-hoc procedures." For SLED accounts, the compliance framework on the wall varies, but the structural fact underneath is constant: access review tooling was designed to certify human entitlements and cannot see agent identities. If the CISO's compliance posture has a blind spot here, their current tooling structurally cannot cover it. (Surfaces the gap ISPM addresses.)
What to listen for:
- 🔴 Hot: "Our access reviews cover humans. We haven't figured out what to do about the agents yet." Or: "We're logging agent activity, but it doesn't look like human activity and our tools don't know what to do with it." The gap, stated plainly.
- 🟡 Warm: "We're covered — everything goes through our PAM platform." PAM handles credential vaulting. Identity governance sits outside its coverage boundary. This CISO trusts a tool that solves an adjacent problem to the one they'll be audited on. Worth noting in your call notes, not correcting in the meeting. The diagnostic value is high: the account has the precondition (privileged non-human credentials exist) but the CISO misunderstands the coverage boundary of their current stack.
- ⚪ Cold / wrong door: "We're mid-migration and our whole identity architecture is changing." This may genuinely not be the moment. Flag for the SE and requalify in 60–90 days.
Things to follow up on...
- NIST agent standards initiative: NIST launched its AI Agent Standards Initiative in February 2026, proposing to adapt OAuth 2.0 and Zero Trust frameworks for AI agents — the architectural direction is set even before final control overlays ship.
- Shadow agents already present: A CSA/Token Security survey found 82% of enterprises have unknown AI agents running in their infrastructure, which means the CISO who says "we don't have agents yet" may simply not have visibility into what's already deployed.
- Retirement debt is real: Only 21% of organizations have formal decommissioning processes for AI agents, per the same CSA/Token Security survey, leaving orphaned credentials and permissions that accumulate long after agents outlive their purpose.
- Microsoft Entra Agent ID scope: Microsoft's Entra Agent ID is now in public preview for all Entra customers, but its native governance covers agents built on Microsoft platforms — third-party agents require SDK integration, a distinction worth probing in accounts where the CISO assumes Entra already handles it.
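The coverage and retirement gaps that Q3 and the "retirement debt" note describe are easy to make concrete. The script below is an added example written for this guide, not code from any vendor or product named above: it runs a minimal access-review pass over an identity inventory that includes service accounts, API keys and AI agents, and flags the findings an auditor would ask about (identities outside the review campaign, no accountable owner, stale or never-used credentials, agents with no decommissioning plan, agents past their planned retirement). The inventory records and field names are constructed sample data and assumptions, not any platform's schema.

```python
"""
Added example (not part of the discovery guide): a minimal access review over an
identity inventory that includes non-human identities. All records and field
names below are constructed assumptions, not any product's schema.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Identity:
    name: str
    kind: str                                  # "human", "service_account", "api_key", "agent"
    owner: Optional[str]                       # accountable person; None means orphaned
    last_used: Optional[date]                  # None means never observed authenticating
    privileges: List[str] = field(default_factory=list)
    in_review_scope: bool = False              # does the access review campaign certify it?
    decommission_date: Optional[date] = None   # planned retirement, if one exists


NON_HUMAN = {"service_account", "api_key", "agent"}


def review_identity(ident: Identity, today: date, stale_days: int = 90) -> List[str]:
    """Return the audit findings for one identity (empty list means clean)."""
    findings: List[str] = []
    # Non-human identities that the review campaign cannot see at all.
    if ident.kind in NON_HUMAN and not ident.in_review_scope:
        findings.append("not-in-access-review")
    # No human accountable for the credential: nobody gets "the call".
    if ident.owner is None:
        findings.append("no-owner")
    # Credentials that were issued but never used, or unused for too long.
    if ident.last_used is None:
        findings.append("never-used")
    elif (today - ident.last_used).days > stale_days:
        findings.append("stale-credential")
    # Agents need a retirement plan from day one, otherwise permissions accumulate.
    if ident.kind == "agent" and ident.decommission_date is None:
        findings.append("no-decommission-plan")
    if ident.decommission_date is not None and ident.decommission_date < today:
        findings.append("past-decommission-date")
    # The combination that hurts most in an audit: privileged and orphaned.
    if "admin" in ident.privileges and ident.owner is None:
        findings.append("privileged-and-orphaned")
    return findings


def run_review(inventory: List[Identity], today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Map each identity name to its findings, omitting identities with none."""
    report: Dict[str, List[str]] = {}
    for ident in inventory:
        findings = review_identity(ident, today, stale_days)
        if findings:
            report[ident.name] = findings
    return report


def coverage_ratio(inventory: List[Identity]) -> float:
    """Share of non-human identities the access review campaign actually certifies."""
    non_human = [i for i in inventory if i.kind in NON_HUMAN]
    if not non_human:
        return 1.0
    return sum(1 for i in non_human if i.in_review_scope) / len(non_human)


# Constructed sample inventory (assumed data, chosen to exercise each finding).
TODAY = date(2026, 5, 27)
SAMPLE: List[Identity] = [
    Identity("alice", "human", "alice", TODAY - timedelta(days=3), ["read"], True),
    Identity("svc-backup", "service_account", "ops-team", TODAY - timedelta(days=200), ["read"], False),
    Identity("api-key-legacy", "api_key", None, None, ["admin"], False),
    Identity("agent-ticket-triage", "agent", "helpdesk-lead", TODAY - timedelta(days=1), ["read"], True),
    Identity("agent-pilot-2025", "agent", None, TODAY - timedelta(days=120), ["read"], False,
             date(2026, 1, 31)),
]

if __name__ == "__main__":
    print(f"non-human review coverage: {coverage_ratio(SAMPLE):.0%}")
    for name, findings in run_review(SAMPLE, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

The point the output makes is the one the "Warm" answer to Q3 misses: a credential can be safely vaulted and still be orphaned, stale, outside every review campaign, and past its planned retirement. Vaulting and governance are different questions, and only the second one produces the report an auditor asks for.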