The control-gap matrix
9 lifecycle stages × 3 populations. Each stage shows which use-case backbone owns it (UC-01–UC-04), or where it falls to future expansion.
| Lifecycle Stage | NHI Estate (Standard) | Privileged NHIs (T0/T1) | AI Agents |
|---|---|---|---|
| Discovery (UC-02) | Partial: Limited to AD / production directory; shadow OAuth apps under-discovered | Partial: Partial manual mapping; many service principals catalog gaps | High gap: Undiscovered usage in IDEs, business SaaS, browser agents |
| Classification (UC-02 risk-tier) | Partial: Inconsistent taxonomy across teams & environments | Partial: T0–T2 mapped for known assets; gaps at scale | High gap: Unclassified agent risk profiles, autonomy tiers undefined |
| Ownership (UC-03) | High gap: Many orphaned accounts; weak human-owner attribution | High gap: Missing clear sponsors, succession plans incomplete | High gap: Unassigned autonomy; builder departures break governance |
| Vaulting (UC-03) | High gap: Hardcoded secrets prevalent across code repos and configs | Partial: Partial CyberArk coverage; vault sprawl across regions | High gap: Local config secrets, LLM keys in .env files |
| Rotation (UC-03) | High gap: Static credentials, manual rotation | Partial: Infrequent rotation (> 90 days); dependency tracking weak | High gap: Non-rotating API keys to LLM/RAG providers |
| Access Review (UC-03) | High gap: Not consistently certified; campaigns inconsistent | Partial: Manual SailPoint effort (improves with SailPoint Agentic Fabric, announced May 2026) | High gap: Unreviewed entitlements; agent scopes drift undetected |
| Monitoring / ITDR (Future) | Partial: Basic audit logs; behavioral baselines limited | Partial: Partial SIEM events; NHIDR coverage in progress | High gap: No session traceability (improves with SailPoint Agentic Fabric / Entro Agentic AI Security) |
| Decommission (UC-03) | High gap: Manual / missed; residual access common | High gap: Ticket-system delays; cascading deprovisioning weak | High gap: Memory stores & connectors persist after agent retired (improves with CyberArk Secure AI Agents lifecycle / decommission controls, GA Dec 2025) |
| Agent Governance (Future) | N/A: Not applicable to standard NHIs | N/A: Not applicable to non-agent NHIs | High gap: No cross-vendor unified control model (per-vendor models shipped 2025-Q4 to 2026-Q2) |
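As an added illustration, not part of the original matrix or of any vendor product named above: a small Python script that rates the UC-03 stages (Ownership through Decommission) for each population from an inventory and emits "Partial" or "High gap" per cell. The 90-day rotation bound comes from the matrix; the annual review window, the two-thirds "Partial" threshold and the inventory records are assumptions constructed for this example.

```python
"""Rate a constructed NHI inventory against the UC-03 lifecycle controls."""
from datetime import date
from fractions import Fraction

AS_OF = date(2026, 6, 1)          # constructed assessment date
ROTATION_MAX_DAYS = 90            # from the matrix: rotation older than 90 days is a gap
REVIEW_MAX_DAYS = 365             # assumption: annual certification window
PARTIAL_SHARE = Fraction(2, 3)    # assumption: compliant share at/above this rates "Partial"
STAGES = ["Ownership", "Vaulting", "Rotation", "Access Review", "Decommission"]

def nhi(name, population, owner, vaulted, rotated, reviewed, active, in_use):
    """Build one inventory record (constructed data, not a real estate)."""
    return dict(name=name, population=population, owner=owner, vaulted=vaulted,
                rotated=rotated, reviewed=reviewed, active=active, in_use=in_use)

INVENTORY = [  # constructed: two or three identities per population
    nhi("svc-build", "standard", "alice", False, date(2025, 1, 10), None, True, True),
    nhi("svc-legacy-etl", "standard", "", False, date(2024, 6, 1), None, True, False),
    nhi("da-backup", "privileged", "bob", True, date(2026, 4, 1), date(2026, 1, 15), True, True),
    nhi("sa-sql-t0", "privileged", "", True, date(2026, 3, 15), date(2025, 12, 1), True, False),
    nhi("db-admin-old", "privileged", "", False, date(2025, 3, 1), None, True, False),
    nhi("agent-code-assist", "agent", "dave", False, date(2025, 9, 1), None, True, True),
    nhi("agent-retired-rag", "agent", "", False, date(2025, 5, 1), None, True, False),
]

def compliant(rec, stage):
    """True when the record satisfies the control behind one lifecycle stage."""
    if stage == "Ownership":      # orphaned account = no human owner attributed
        return bool(rec["owner"])
    if stage == "Vaulting":       # secret held in a vault rather than in code/config
        return rec["vaulted"]
    if stage == "Rotation":
        return (AS_OF - rec["rotated"]).days <= ROTATION_MAX_DAYS
    if stage == "Access Review":
        return rec["reviewed"] is not None and (AS_OF - rec["reviewed"]).days <= REVIEW_MAX_DAYS
    if stage == "Decommission":   # residual access = still active although no longer used
        return rec["in_use"] or not rec["active"]
    raise ValueError(f"unknown stage {stage}")

def gap_matrix(inventory, stages=STAGES):
    """Rate each (stage, population) cell as 'Partial' or 'High gap'."""
    matrix = {}
    for pop in sorted({r["population"] for r in inventory}):
        rows = [r for r in inventory if r["population"] == pop]
        for stage in stages:
            share = Fraction(sum(compliant(r, stage) for r in rows), len(rows))
            matrix[(stage, pop)] = "Partial" if share >= PARTIAL_SHARE else "High gap"
    return matrix
```

Calling `gap_matrix(INVENTORY)` on this constructed estate reproduces the five UC-03 rows of the matrix above for all three populations.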
What the matrix is telling us
Three patterns repeat across enterprises in mid-2026 — they shape where investment should start.
The AI Agents column is red across the board
Every stage for AI agents is either high-gap or N/A — from discovery in shadow IDEs to memory-store retirement. This is the “boards now ask about by name” column.
Ownership and Decommission are red across all three populations
Discovery sells the pilot; lifecycle sells the program. Two rows in which every population is red are the most reliable signal that the engagement should anchor on UC-03 governance, not just UC-02 inventory.
Vendor releases since late-2025 are shifting the red cells toward partial
CyberArk Secure AI Agents (Dec 2025), SailPoint Agentic Fabric (May 11, 2026), Oasis Agentic Access Management (Nov 2025), Saviynt ISPM for AI Agents (Oct 2025) each shift one or more agent-row cells from high-gap toward partial — if deployed. The matrix shows where capability exists in the market vs. where the customer has it installed.
The framing the executive remembers
“Most enterprises are red on AI-agent governance, red on ownership across the board, and amber-trending where vendors have shipped real product in the last 6 months.” That one sentence travels well into a board conversation.