AI Governance Risks: Understanding the Rise of Agentic Identity

There’s a shift underway. AI is no longer just generating content or assisting with analysis. It is making decisions, triggering workflows, calling APIs, and accessing sensitive systems. As the founders of Cyata, recently acquired by Check Point (13 Feb 2026), put it, this isn’t just automation, it’s autonomy.

For CISOs in the UK and New Zealand, that changes the governance conversation completely.

According to PwC’s 2025 survey, 79% of organisations are already using AI agents. Yet fewer than half have fundamentally rethought how work is governed. That gap is where risk now sits.

The key issue isn’t hallucinations or model accuracy. As Cyata states clearly:

“Actions, not outputs, create risk.”

This is why AI governance framework discussions must now include identity, privilege, and accountability.

The Rise of Agentic Identity

Historically, security teams have managed:

  • Human identities
  • Service accounts
  • Non-human identities (NHIs)

But AI agents do not fit neatly into any of those categories.

They reason.
They orchestrate tasks.
They access data with elevated privileges.

Cyata calls them “superhumans”, capable of operating at scale, speed, and persistence far beyond traditional users.

The problem? Most organisations have no AI identity lifecycle management in place. There are no clear ownership models, no defined privilege boundaries, and no structured oversight for these “agentic identities”.

In regulated environments across the UK, particularly under NIS2 and operational resilience frameworks, that is becoming a material governance gap. The same themes are emerging in New Zealand, particularly across energy, legal, and retail sectors where operational continuity is critical.

Why Identity Is the Real AI Risk

Much of the early AI security market focused on prompt injection and output filtering. Important, but incomplete.

The bigger risk lies in:

  • AI agents making unaudited API calls
  • Autonomous workflow execution
  • Accessing sensitive systems without just-in-time controls
  • Acting without clear accountability

This is fundamentally an AI identity and access management challenge.

When Cyata asked a CISO, “How are you handling agentic identities?”, the silence on the call was telling. No defined policies, no clear accountability, no identity lifecycle management. It was a vast blind spot, glaringly evident and alarmingly vulnerable.

For organisations in both the UK and NZ, this raises board-level questions around:

  • AI risk management strategy
  • AI privileged access management
  • AI compliance and audit controls
  • Accountability under regulatory scrutiny

What CISOs Should Be Concerned About

If a new customer asks what to focus on in enterprise AI governance, the starting point should be simple:

  1. Do we know where AI agents exist in our environment?
  2. Who owns them?
  3. What privileges do they hold?
  4. Are they subject to just-in-time access controls?
  5. Can we audit their actions in real time?

This is where Check Point’s acquisition of Cyata is strategically significant. It signals a move toward an AI control plane security model, one built around visibility, oversight, and identity-first governance.

From ITogether’s perspective

In both the UK and New Zealand, we are advising clients that AI governance is not a model problem, it is an identity problem.

The organisations that get ahead are not those rushing to deploy AI fastest. They are those establishing:

  • Clear AI governance best practices
  • Defined ownership of agentic identities
  • Proportionate oversight and audit
  • Integration with existing identity and network controls

AI autonomy is already here. The question for CISOs is not whether to adopt it, but whether governance will keep pace.

If you can’t see your AI identities, you can’t govern them.

👉 To learn more about how ITogether can help strengthen your AI governance framework and manage agentic AI risk with confidence, get in touch with our team for a practical discussion.

🇬🇧 📞 +44 (0) 113 341 0123

🇳🇿 📞 +64 (0)9 802 2444

📧 hello@itogether.com
