AI Agent Governance: Redefining Cybersecurity as a Business Enabler

Written by Bob Giguere | October 14, 2025

This article is Part 3 of GCA’s three-part Navigate 2025 Perspectives Series, exploring how identity, AI, and governance are reshaping enterprise security.

Over the past year, AI agents have become a regular topic of conversation among business and security leaders I speak with. Some are still exploring what agents might mean for their organization, while others have been running production agents for years. With the market consistently favoring trends that improve profitability and efficiency, the question for most leaders isn't whether to adopt AI agents, but when.

A keynote speaker at SailPoint Navigate called AI agents "fundamentally more unique than any other identity we've ever seen." As an early AI adopter, I agree, and we're already witnessing the transformation. This statement brought to mind a conversation with a CISO at an HR SaaS company who shared her vision of evolving the CISO role into a profit center. Rather than being perceived as the "rule master" limiting organizational flexibility, she positioned cybersecurity leadership as the true enabler of workforce productivity and organizational protection.

The Readiness Gap and the Window of Opportunity

A central theme that emerged at Navigate was that most organizations aren’t yet ready for AI agents. SailPoint introduced new capabilities to connect with platforms like Microsoft and Amazon, which are already hosting these agents. Sessions explored emerging requirements for data governance. The underlying message, which felt almost like a plea, was to get ahead of the AI agent wave before it crests.

The reality is that cybersecurity leaders who proactively establish AI agent frameworks now can directly influence their organization's competitive velocity. This isn’t an initiative to postpone until after traditional Identity & Access Management (IAM) priorities or the next compliance cycle. It's a priority that deserves focused attention now.

Organizations that move quickly to develop strong frameworks for AI agent policies and management will enable broader adoption across the enterprise and directly impact profitability and market position. Those that wait for best practices to take shape risk falling behind more agile competitors. For a closer look at how AI is reshaping enterprise access models, explore Zero Trust for AI.

The Shifting Center of Organizational Enablement

Historically, HR has led talent acquisition and management, but that dynamic is now shifting toward AI. While HR will remain central to workforce strategy, it won’t oversee agent policies, procurement, or governance. Those responsibilities fall to IT and cybersecurity. Given the significant risks these agents introduce, the framework for managing them rightly belongs within the cybersecurity function.

From Gatekeeper to Growth Enabler: Redefining Cybersecurity Leadership

What an AI Agent Playbook Could Look Like

Imagine your organization operating with a clear playbook for AI agents, one that outlines how requests are made, which platforms are approved, what data can be accessed, and what capabilities are permitted. Within that framework, teams across the business could design and deploy agents confidently while maintaining security and compliance.

Take, for example, a marketing team member who envisions an agent to automate prospect outreach. It might pull data from Salesforce, reference internal knowledge bases, craft personalized emails, and send them through Exchange. Before that agent goes live, cybersecurity will need to evaluate it. Can it connect to Salesforce? Can it send emails? Can it access sensitive repositories?

Why Cybersecurity Should Lead the Conversation

This is precisely where cybersecurity leadership can shift from gatekeeper to growth enabler. By dedicating time now to define the tools, rules, and guardrails for AI agents, organizations can provide a clear set of approved “ingredients” for innovation. The result is faster enablement, fewer security bottlenecks, and a governance model that accelerates rather than restricts enterprise progress.

Each week this work is delayed, experimentation continues elsewhere. Business units are already testing AI agents, and shadow AI is quickly becoming the new shadow IT. The real question is whether that activity is happening within a secure framework or in an ungoverned space that increases risk and slows legitimate innovation.

Rethinking the Role of the Cybersecurity Function

The organizations that move early to define their AI agent governance models will gain more than control. They’ll gain insight into how intelligence flows through their business. The next generation of cybersecurity leaders won’t just protect the organization; they’ll shape how digital work itself is done.

With vendors like SailPoint now extending their platforms to include AI agent identities, the need for governance models that manage requests, permissions, and oversight is quickly moving from concept to reality.

AI agents represent both a new type of identity and a new layer of operational responsibility. As organizations advance their interoperability strategies through frameworks like the Shared Signals Framework, treating AI agents as managed identities with lifecycle management, access oversight, and behavioral accountability will separate those that adapt from those that react.

As AI agents assume higher-value or privileged roles, integrating Privileged Access Management (PAM) principles into governance frameworks will be key to maintaining accountability.

The future of cybersecurity leadership is not about restriction but orchestration. Those who build the foundation for responsible AI enablement today will be the ones defining how securely, and how successfully, their organizations grow tomorrow.