---
title: Advanced Identity Cloud Agent Governance
description: Discover, onboard, and govern AI agents with PingOne Advanced Identity Cloud Agent Governance. Apply governance controls to AI agents the same way you manage human identities.
component: pingoneaic
page_id: pingoneaic:release-notes:rapid-channel/IGA-4223/iga-agent-governance
canonical_url: https://docs.pingidentity.com/pingoneaic/release-notes/rapid-channel/IGA-4223/iga-agent-governance.html
section_ids:
  discovery_and_governance_workflow: Discovery and governance workflow
  what_is_an_ai_agent: What is an AI agent?
  challenges_this_solves: Challenges this solves
  what_you_can_do_with_agent_governance: What you can do with Agent Governance
  understanding_connected_and_disconnected_modes: Understanding connected and disconnected modes
  identity_governance_administrators_experience: Identity Governance administrators experience
  summary-of-agent-governance-workflow: Summary of Agent Governance workflow
  before_you_start: Before you start
  create_the_identity_type: Create the identity type
  onboard_ai_agents: Onboard AI agents
  connect_your_ai_agent_platform: Connect your AI agent platform
  configure_synchronization_mappings: Configure synchronization mappings
  define_correlation_rules: Define correlation rules
  configure_situation_rules: Configure situation rules
  run_reconciliation: Run reconciliation
  deploy_the_platform_specific_collector: Deploy the platform-specific collector
  configure_governance: Configure governance
  create_a_certification_template: Create a certification template
  create_an_agent_policy: Create an agent policy
  create_scopes: Create scopes
  workflows: Workflows
  monitor_agent_activity: Monitor agent activity
  finalize_agent_governance_setup: Finalize agent governance setup
  assign_custodians: Assign custodians
  enrich_the_entitlement_glossary: Enrich the entitlement glossary
  test_the_setup: Test the setup
  next_steps: Next steps
---

# Advanced Identity Cloud Agent Governance

Organizations are increasingly deploying artificial intelligence (AI) agents to automate business processes and decision making. These agents require access to sensitive systems, credentials, and data to perform their functions. Without proper governance, AI agents become a security and compliance blind spot. They operate with untracked permissions and unclear accountability.

PingOne Advanced Identity Cloud Agent Governance lets you detect, onboard, and govern AI agents the same way you govern human identities, accounts, and roles. This brings them under the governance umbrella alongside human identities.

|   |                                                                                                                                                                                                                                                                                                                                                                                                      |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | **PingOne Identity Governance add-on capability.** Agent Governance is an additional add-on capability for PingOne Identity Governance. Contact your Ping Identity representative if you want to add the Agent Governance add-on SKU to your PingOne Advanced Identity Cloud Identity Governance subscription. Learn more in [Add-on capabilities](../../../product-information/add-on-capabilities.html). |

## Discovery and governance workflow

Identity Governance fulfills four responsibilities to govern and provide visibility into agent activity:

* **Discovery and visibility**: The platform discovers agents, catalogs their capabilities, tracks their permissions, and monitors their activity after the fact.

* **Governance and remediation**: You can certify agent access, revoke permissions, assign custodians, and apply approval workflows—the same way you would for human identities.

|   |                                                                                                                                                                                                     |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Runtime enforcement for agent actions happens through Agent IAM Core and Agent Gateway during the execution-time control flow for live agent requests and is outside the scope of Agent Governance. |

## What is an AI agent?

An AI agent is a type of identity, like a user or service account, that performs actions autonomously or on behalf of others. For example, querying a database, calling tools, or triggering workflows without human intervention.

Agents typically use AI models, such as large language models (LLMs), and require:

* Assigned permissions to access systems

* Tools to execute tasks

* Credentials to authenticate

* Context to make decisions

Like human users, agents need governance to ensure they operate securely and within defined boundaries.

|   |                                                                                                                                                                                                                                                                                                                                                  |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | Agent Governance currently focuses on *centralized agentic platforms* where agents are deployed and managed by your CIO team, CTO team, or development team. This includes commercial agent platforms and agents running on infrastructure you control. Support for personal desktop agents and shadow AI agents is planned for future releases. |

## Challenges this solves

Organizations face several critical challenges with AI agents:

* **Lack of visibility**: Security and identity and access management (IAM) teams don't know where agents are deployed or what they're actually doing across the infrastructure.

* **Multi-platform complexity**: Organizations rarely standardize on a single agent platform. They might use AWS Bedrock alongside Salesforce CRM agents and custom in-house agents, requiring a universal governance solution that works across all platforms.

* **Overprivileged agents**: Many agents are deployed with excessive permissions, creating security posture gaps that put sensitive systems and data at risk.

* **No accountability or compliance visibility**: Without designated custodians, there's no clear ownership or oversight. Agents access sensitive systems without the same governance rigor applied to human identities, creating audit and compliance risks.

## What you can do with Agent Governance

With Agent Governance enabled, you gain the following capabilities:

* **Discover AI agents across all platforms and onboard them as first-class identities.**: Agent Governance includes out-of-the-box connectors for major agent platforms such as Microsoft Copilot, Azure AI Foundry, AWS Bedrock, and Google Vertex AI. It automatically discovers and onboards AI agents into your Identity Governance framework with minimal setup. Once onboarded, agents receive the same identity attributes, lifecycle management, and governance controls as human users and accounts.

* **Discover the full anatomy of each agent using deep discovery.**: Beyond the agent identity itself, Agent Governance discovers and catalogs the resources each agent uses to perform its work, including:

  * **Tools**: APIs and services the agent can invoke.

  * **Knowledge bases**: Data sources the agent queries.

  * **Guardrails**: Policies that limit agent behavior.

  * **Credentials**: API keys and access tokens the agent uses to authenticate. This is a key risk surface to monitor.

  * **Bindings**: Which users or systems can invoke this agent.

  * **Sub-agents**: Other agents this agent can delegate work to.

    This **deep discovery** approach goes beyond basic profile metadata (name, version, platform, owner) that other vendors provide, giving you full visibility into what each agent can do. It also scans your infrastructure to identify disconnected apps running outside your governance framework and detect "shadow agents" operating without proper oversight.

* **Assign one or more human custodians to each agent to provide oversight.**: Every agent needs accountability. You can designate one or more human custodians responsible for overseeing the agent's behavior, approving access requests, and ensuring the agent operates within your organization's policies. Custodians can review agent activity, modify permissions, and act as the point of contact for governance decisions related to that agent.

* **Monitor agent activity with normalized logs from multiple sources.**: Agent Governance ingests and normalizes activity logs from multiple sources, giving you visibility into what your agents are doing. The normalized activity schema classifies logs by actor type, so you can monitor agent behavior, detect unmanaged agents operating without oversight, and identify anomalies.

  The Activity page shows you when agents execute actions, what resources they access, and whether those actions were approved or autonomous. You can investigate suspicious behavior and maintain a complete audit trail of agent operations.

* **Apply comprehensive governance including access requests and workflows, access certifications, and role-based access control.**: Agents inherit all the governance capabilities you already use for human identities. You can require approval workflows before agents receive access to sensitive resources, run periodic access certifications to review and validate agent permissions, and assign role-based access control to enforce least-privilege principles, ensuring agents operate under the same security and compliance standards as your workforce.

### Understanding connected and disconnected modes

Agent Governance supports two modes for discovering agents:

* **Connected mode**: Identity Governance uses out-of-the-box connectors to directly connect to your agent platforms (AWS Bedrock, Azure AI Foundry, Google Vertex AI, and others) and automatically pull agent data on a regular schedule.

* **Disconnected mode**: For custom agents or platforms without pre-built connectors, you can ingest agent data through flat files.

Because most organizations deploy agents across multiple platforms, a hybrid approach is common: connected mode for platforms with pre-built connectors, and disconnected mode for custom or proprietary platforms.

## Identity Governance administrators experience

Follow this workflow to establish agent governance in your organization. By the end, your agents will be discovered, onboarded, and operating under the same compliance controls as human identities.

## Summary of Agent Governance workflow

The following steps outline the core workflow for setting up agent governance in your Identity Governance tenant. After completing these steps, your agents will be discovered, onboarded, and ready for governance controls.

1. **Create a custom property to mark agents**: Add a custom property (`custom_iga_identity_type`) to the user object schema (the blueprint for all identities in Advanced Identity Cloud) with two allowed values: "Agent" and "Human".

2. **Onboard your AI agent platform**: Select a supported platform and configure provisioning, property mappings, correlation rules, and reconciliation to import agent identities and their tools or entitlements into Advanced Identity Cloud.

3. **Apply governance controls after onboarding**: Once the agents are synchronized, you can assign custodians, review entitlements, create certification templates, define agent policies, create scopes, configure workflows, and monitor agent activity so agents can be governed with the same oversight, review, and auditability as other identities.

### Before you start

To begin onboarding AI agents, ensure your organization meets these prerequisites:

* Your organization has purchased and enabled the Agent Governance SKU in your Identity Governance tenant.

* Your organization is using at least one of the following AI agent platforms. If you use multiple platforms from the same vendor, such as both AWS Bedrock and AWS Bedrock AgentCore, you can onboard agents from each separately:

  * **AWS Bedrock**: Amazon's service for generative AI applications using foundation models.

  * **AWS Bedrock AgentCore**: Amazon's framework for autonomous agents that execute multi-step tasks.

  * **Azure AI Foundry**: Microsoft's platform for AI models and agents with built-in governance.

  * **Microsoft Copilot**: Microsoft's AI assistant for Microsoft 365 applications.

  * **Google Vertex AI**: Google Cloud's platform for machine learning models and AI agents.

|   |                                                                                                                                                                   |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you need Identity Governance to support additional agent platforms, contact your Ping Identity representative to express your interest and help us prioritize. |

### Create the identity type

Agent identities use the same object structure as human users but are distinguished by a custom property that flags them as agents. This property is required before onboarding so Identity Governance can distinguish agents from human identities during reconciliation.

1. Sign on to the Advanced Identity Cloud admin console.

2. Go to Identities > Configure.

3. Select Alpha realm - User from the list of object types. This is the default user object type in Advanced Identity Cloud. Agent identities use the same object structure as human users but are distinguished by the identity type property you'll create in the following steps:

   1. Click Properties, and then click [icon: add, set=material, size=inline] Add a Property.

   2. On the New Alpha realm - user Property modal, select String as the property type, and then click Next.

   3. On the New String Property modal, enter the following properties, and then click Save:

      * Property Key: Enter `custom_iga_identity_type`. The `custom_` prefix is required for all custom properties you create. This property must be unique across all identity types.

      * Display Label (optional): Enter `Identity Type`. This is the human-friendly name that appears in the UI.

        ![Identity type configuration page showing the custom\_iga\_identity\_type property with two enumerated values: Agent and Human](../../_images/IGA-4223/agent-governance-identity-type.png)

4. On the Identity Type (String) (`custom_iga_identity_type`) page, set the following properties, and then click Save:

   1. Click Property Value, and then click Enumerate allowable values for this property. Enumerating values restricts this property to "Agent" or "Human," preventing inconsistent values.

   2. In the Label field, enter `Agent`, and in the Value field, enter `Agent`. Click [icon: add, set=material, size=inline] to add this value to the list of allowed values.

   3. In the Label field, enter `Human`, and in the Value field, enter `Human`. Click [icon: add, set=material, size=inline] to add this value to the list of allowed values.

      ![Screenshot showing enumerated values for custom\_iga\_identity\_type: Agent and Human.](../../_images/IGA-4223/agent-governance-identity-type-property-value.png)

5. Click Display, check that the following properties are set, and update them if necessary:

   * Show in Admin List View: Select this checkbox to include this property as a column in internal admin lists and tables.

   * Show in Admin Form: Select this checkbox to display this property in forms used by admins to view or update records.

   * Show in User-facing Form: Select this checkbox to allow end users to see and edit this property in the self-service UI.

6. Click Save.

### Onboard AI agents

To onboard AI agents, configure your agent platform as an application in Identity Governance, then map agent properties to identity fields.

#### Connect your AI agent platform

1. Use the Advanced Identity Cloud's Applications page to onboard your AI Agent platform:

   1. In the Advanced Identity Cloud admin console, go to Applications > Browse App Catalog.

   2. In the catalog, select your AI agent platform. For example, select AWS Bedrock, and enter a name, description, and owners for the application.

   3. Click Create Application.

2. Open your newly created application from the list of applications.

3. Click the Provisioning tab, and then click Set up Provisioning.

4. In the agent modal, enter the following information:

   * Region: Enter your AWS region. For example, enter `us-east-1`.

   * Account ID: Enter your AWS account ID from the AWS Management Console.

   * Inventory Bucket: Enter the S3 bucket name for agent inventory. You must create this bucket in AWS first. Learn more in [AWS Bedrock documentation](https://docs.aws.amazon.com/bedrock/).

   * Use Default Credentials Provider: Enable to use the default AWS credentials chain, or disable to enter an access key ID and secret access key.

   * Access Key ID (optional): If you disabled the default credentials provider, enter your AWS access key ID.

   * Secret Access Key (optional): If you disabled the default credentials provider, enter your AWS secret access key.

5. Click Connect.

   Verify that the status shows Connected.

6. On the AI application page, select Account to map agent properties to identity fields in Advanced Identity Cloud.

7. Click the Properties tab, and review the agent's properties.

   1. Search for the Connected Tools property. Click the ellipsis icon ([icon: more_horiz, set=material, size=inline]) for this property, and then click Edit.

   2. In the Edit Property modal, click Entitlement to specify that this property contains entitlements.

      ![Edit property modal with the entitlement option highlighted.](../../_images/IGA-4223/agent-governance-edit-property.png)

   3. Click Save.

#### Configure synchronization mappings

Synchronization mappings tell Identity Governance which agent properties from your source platform (such as agent name or ID) should be stored in which user fields in Advanced Identity Cloud.

1. In the Advanced Identity Cloud admin console, go to Applications, browse the app catalog, and select your AI Agent application.

2. Click the Provisioning tab.

3. Make sure you are viewing the Account object type.

4. Click Advanced Sync, and then click [icon: add, set=material, size=inline] Sync Data.

5. In the Sync account object type modal, select Object Type in the Sync To section.

6. Select `alpha_user`, and click Save.

   ![Sync mappings page showing the source properties on the left and target properties on the right, with a button to add new property mappings](../../_images/IGA-4223/agent-governance-configure-sync-mappings.png)

7. Set up the mappings between your agent platform properties and Ping Identity identity properties.

   1. On the AI agent to Mapping page, click [icon: add, set=material, size=inline] Add a property.

      ![Sync mapping chart showing Ping Identity properties mapped to AWS Bedrock agent source properties.](../../_images/IGA-4223/agent-governance-sync-mapping-chart.png)

   2. In the Add a property modal, select a Ping Identity property. For example, select userName, and then click Next.

   3. In the userName (string) property modal, select the agent's property. For example, select `source.__NAME__`, and then click Save.

      |   |                                                                                                                                                                                                                                                   |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | Some properties require hardcoded values (static text that applies to all synced agents). For example, `custom_iga_identity_type` should always be `"Agent"`. For these, click Apply transformation script, enter the value, and then click Save. |

   4. Repeat the previous steps to add more property mappings.

      | Ping Identity property      | Agent property                     | Notes                                             |
      | --------------------------- | ---------------------------------- | ------------------------------------------------- |
      | userName                    | `source.__NAME__`                  | Unique identifier for the agent                   |
      | custom\_iga\_identity\_type | `"Agent"`                          | Hardcoded value to flag this as an agent identity |
      | givenName                   | source.agentName                   | Agent's display name                              |
      | sn                          | `"Bedrock"`                        | Last name—customize to your platform name         |
      | mail                        | source.agentId+"@pingidentity.com" | Synthetic email—adjust domain as needed           |

#### Define correlation rules

Correlation rules tell Identity Governance how to match agent accounts from your source platform (like AWS Bedrock) to identities that may already exist in Advanced Identity Cloud. Without these rules, the system might create duplicate identities when you import agents, resulting in confusion and governance gaps.

1. In the Advanced Identity Cloud admin console, go to Applications, select your AI Agent application, and click the Provisioning tab.

2. Go to Reconciliation > Settings.

3. Next to Custom, click the ellipsis icon ([icon: more_horiz, set=material, size=inline]), and select Edit. This opens the correlation query editor.

4. Enter the correlation query that Identity Governance uses to match agent accounts to existing identities and prevent duplicates. For example:

   ```javascript
   var qry = {'_queryFilter': 'userName eq "' + source.__NAME__ + '"'}; qry
   ```

5. Click Save.
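The property mappings from the table in the previous section and the correlation query from this step, carried through in plain JavaScript as an added example. This is not Ping Identity's code and not a transformation script to paste into the console; it assumes a source record of the shape `{ __NAME__, agentName, agentId }`, and `PLATFORM_NAME` and `MAIL_DOMAIN` are placeholders for your own values. The one thing it adds to the page's one-line query is escaping of the agent name, so a quote or backslash in a name cannot change the meaning of the query filter.

```javascript
// Added example, not Ping Identity code: applies the property mappings from
// the mapping table to a source agent record and builds the correlation query
// from the "Define correlation rules" step. Assumed source record shape:
// { __NAME__, agentName, agentId }. PLATFORM_NAME and MAIL_DOMAIN are
// placeholders for your own values.

const PLATFORM_NAME = "Bedrock";          // stored in sn; customize per platform
const MAIL_DOMAIN = "pingidentity.com";   // synthetic mail domain; adjust

// Quote a value for a query-filter string literal so that quotes or
// backslashes inside an agent name cannot alter the filter.
function quoteFilterValue(value) {
  const escaped = String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return '"' + escaped + '"';
}

// Target alpha_user attributes for one source agent, per the mapping table.
function mapAgentToUser(source) {
  if (!source || !source.__NAME__) {
    throw new Error("source.__NAME__ is required to derive userName");
  }
  return {
    userName: source.__NAME__,
    custom_iga_identity_type: "Agent", // hardcoded: never taken from the source
    givenName: source.agentName,
    sn: PLATFORM_NAME,
    mail: source.agentId + "@" + MAIL_DOMAIN,
  };
}

// Correlation query: match the incoming agent to an existing identity by userName,
// so a second reconciliation updates the identity instead of creating a duplicate.
function correlationQuery(source) {
  return { _queryFilter: "userName eq " + quoteFilterValue(source.__NAME__) };
}

// Constructed sample record (not real inventory data).
const sampleAgent = { __NAME__: "AGT001", agentName: "CrewAI", agentId: "AGT001" };

console.log(mapAgentToUser(sampleAgent));
console.log(correlationQuery(sampleAgent));
```

Keeping `custom_iga_identity_type` as a literal in the mapping, rather than deriving it from a source attribute, is what guarantees that every identity created by this application is flagged as an agent and therefore picked up by the identity-type filters used later in certification templates.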

#### Configure situation rules

Situation rules define what action Identity Governance takes during synchronization scenarios, for example, creating a new identity when an agent account exists in AWS Bedrock but not in Advanced Identity Cloud (a "Missing" situation). This ensures consistent handling across all scenarios without manual intervention.

1. On the same Reconciliation Settings page, go to the Situation Rules section.

2. Under Actions, click the ellipsis icon ([icon: more_horiz, set=material, size=inline]) for each of the following situations, and select the appropriate action:

   | Situation | Recommended action                                                                               |
   | --------- | ------------------------------------------------------------------------------------------------ |
   | Missing   | Select Create. This occurs when the account exists in the source but not in the target.          |
   | Confirmed | Select Update. This occurs when the account exists in both the source and target and is linked.  |
   | Found     | Select Update. This occurs when the account exists in both but isn't linked yet.                 |
   | Absent    | Select Create. This occurs when the account doesn't exist in the source.                         |

3. Click Save.

#### Run reconciliation

Reconciliation is the process that syncs agent data from your source platform into Identity Governance. Run reconciliation twice: first for agent identities, then for their tools and entitlements. Identity Governance reconciles each object type separately, so both runs are required to import the complete agent profile.

1. On your application page, make sure you're viewing the Account object type.

2. Click Reconciliation, and then click Reconcile Now to onboard the agent identities.

   ![Reconciliation page showing the Account object type with a Reconcile Now button](../../_images/IGA-4223/agent-governance-reconciliation-agent-account.png)

3. On the application page, select the Agent Tool object type.

4. Click Reconciliation, and then click Reconcile Now to onboard the agent tools and entitlements.

   ![Reconciliation page showing the Agent Tool object type with a Reconcile Now button](../../_images/IGA-4223/agent-governance-reconciliation-agent-tool.png)

#### Deploy the platform-specific collector

After agents are onboarded, deploy the platform-specific collector to enable deep discovery of agent tools and capabilities:

* AWS Bedrock users: Learn more in [AWS Bedrock Core Tools Inventory Deployment Runbook](../../../identity-governance/_attachments/bedrock-inventory-deployment-runbook-ping.html).

* Google Vertex users: Learn more in [Google Vertex Inventory Deployment Runbook](../../../identity-governance/_attachments/vertex-inventory-deployment-runbook-ping.html).

* Foundry agent users: Learn more in [Foundry Tools Inventory Deployment Runbook](../../../identity-governance/_attachments/foundry-inventory-deployment-runbook-ping.html).

* Microsoft Copilot users: Learn more in [Copilot Studio Inventory Deployment Runbook](../../../identity-governance/_attachments/copilot-studio-inventory-runbook-ping.html).

* AWS Bedrock AgentCore users: Learn more in [Get started with Amazon Bedrock AgentCore](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-get-started-cli.html).

### Configure governance

To configure governance, start by creating a certification template to define which agents and entitlements are reviewed.

#### Create a certification template

For AI agents, create a template that specifies which agents to include, what entitlements to review, who performs the review, and the review schedule.

To create a certification template for AI agents:

1. In the Advanced Identity Cloud admin console, go to Governance > Certification.

2. Click the Templates tab, and then click [icon: add, set=material, size=inline] New Template.

3. In the New Certification Campaign Template modal, select Identity Certification, and then click Next.

4. On the New Identity Certification Template page, enter the following information, and then click Next:

   * Name: Enter a name for the template. For example, enter `AI Agent Certification Template`.

   * Description: Enter a description for the template. For example, enter `Certification template for reviewing AI agent access and permissions`.

   * Campaign Owner: Select the owner of this certification campaign. For example, enter `AGT001 CrewAI (AGT001)`.

   * Enable Campaign Staging: Skip this option. Staging is used for testing campaigns before they go live, but you can leave it disabled for your first campaign.

5. On the What to Certify page, select the following options, and then click Next:

   * Certify User Entitlements: Select this option to include agent entitlements in the certification campaign.

   * Organizations: Select All Organizations to include agents from all organizational units in this campaign.

   * Users: Select Users matching a filter.

     * Any: Select this option to include all of the rules specified.

     * Identity Type: Select `Equals`, then enter `Agent` to include only agent identities in this campaign.

   * Applications: Select Specific Applications, and then select Bedrock. This limits the campaign to AWS Bedrock agents.

   * Entitlements: Select All entitlements to include all entitlements for the selected agents.

   * Exclude access granted only from a role: Excludes entitlements agents hold only through roles, focusing the review on direct entitlements (increased risk).

     ![Screen capture showing certification options: certify user entitlements, select organizations, filter by identity type, select specific applications, choose entitlements.](../../_images/IGA-4223/agent-governance-what-to-certify.png)

6. On the When to Certify page, select the default options (for example, 14 days), and then click Next.

7. On the Who will Certify page, select the following options, and then click Next:

   * Certifier Type: Select User.

   * Select user: Select the user who'll act as the certifier for this campaign.

8. On the Notifications page, select any options, and then click Next.

9. On the Additional Options page, select the following options, and then click Next:

   * Enable line-item reassignment and delegation: Select this option to allow certifiers to reassign specific access items to other reviewers or delegate the entire certification to someone else.

     * Forward: Select this option to allow certifiers to forward specific access items to other reviewers for input without reassigning them.

     * Reassign: Select this option to allow certifiers to reassign specific access items to other reviewers for approval.

       * Add comment: Select this option to require certifiers to provide a comment when they reassign an access item.

       * Make decision: Select this option to require certifiers to make an approval decision when they reassign an access item.

       * Reassign/Forward: Select this option to allow certifiers to either forward or reassign access items.

       * Sign off: Select this option to allow certifiers to sign off on specific access items without reviewing the entire certification.

   * Require justification on revoke: Select this option to require certifiers to provide a justification when they revoke access from an agent.

   * Require justification on exception: Select this option to require certifiers to provide a justification when they mark an access item as an exception.

   * Allow exceptions: Select this option to allow certifiers to mark access items as exceptions, which means they acknowledge the risk but choose to accept it for a specified period.

   * Campaign expiration: Select Do Nothing to allow certifiers to continue reviewing access items even after the campaign end date. This is useful for your first campaign while you're getting familiar with the process, but for future campaigns, you might want to select Expire Access to automatically revoke any access that wasn't certified by the end date.

     ![Additional options page showing various checkboxes for line-item reassignment, justification requirements, exception handling, and campaign expiration](../../_images/IGA-4223/agent-governance-additional-options.png)

10. On the Customization page, select the default column configuration of the table for access reviewers, and then click Next.

11. On the Summary page, review the campaign settings, and then click Save.

    The new certification template appears in the list of templates. You can use this template to create certification campaigns that include your AI agents and their entitlements.

12. On the Certification page, select the ellipsis icon ([icon: more_horiz, set=material, size=inline]) for your new template, and then click Run Now.

    Monitor the campaign progress on the Campaigns tab. After the campaign completes, review which agents were certified, which were revoked, and which items require attention.

    ![Campaigns page showing a list of certification campaigns with their name, template, type, status, start date, end date, and actions columns](../../_images/IGA-4223/agent-governance-campaigns.png)

#### Create an agent policy

Agent policies detect conflicting or inappropriate entitlements and help you define prohibited combinations before they pose a security risk. For example, an agent with both `Asset Lookup Tool` and `Benefits Search Tool` entitlements could expose sensitive data if compromised; a policy rule prohibiting this combination lets you detect and remediate it proactively.

To create a policy rule for your agents:

1. In the Advanced Identity Cloud admin console, go to Governance > Compliance.

2. On the Compliance page, click the Policy Rules tab to add a policy rule.

   1. Click [icon: add, set=material, size=inline] New Rule.

   2. On the New Policy Rule page, enter the following, and then click Next:

      * Name: Enter a name for the policy rule. For example, enter `Restrict HR access`.

      * Description: Enter a description for the policy rule. For example, enter `Policy rule to restrict access to HR resources for AI agents`.

      * Owner: Select a user for this policy rule. For example, select `Danielle Johnson`.

      * Risk Score: Enter a risk score for this policy rule. For example, enter `0`.

      * Mitigating Control: (Optional) Skip this option.

      * Control URL: (Optional) Skip this option.

      * Correction Advice: (Optional) Skip this option.

   3. Click Violation Condition, enter the following, and then click Save:

      * Any of the following conditions are met: Select this option to specify that a violation occurs if any of the conditions you define are met.

        * Display Name: Select this option, select `is`, and then enter the name of the entitlement you want to restrict. For example, enter `Access Lookup Tool`. Click [icon: add, set=material, size=inline].

      * Under Conflicts with, enter the following rule:

        * Display Name: Select this option, select `is`, and then enter the name of an entitlement that conflicts with the restricted entitlement. For example, enter `Benefits Search Tool`.

          ![Policy rule configuration page showing the details, violation condition, applies to, and settings sections with various options for each](../../_images/IGA-4223/agent-governance-policy-rule.png)

   4. Click Applies To, select User matching a filter, enter the following, and then click Save:

      * Any of the following conditions are met: Select this option to specify that this policy rule applies if any of the conditions you define are met.

      * Identity Type: Select this option, select `is`, and then enter `Agent` as the value. This policy rule only applies to identities flagged as agents.

        ![Policy rule applies to configuration showing a filter for user identities with the identity type equal to Agent](../../_images/IGA-4223/agent-governance-policy-rule-applies-to.png)

   5. Click Settings, select the following options, and then click Save:

      * Violation Owner: Select the user responsible for managing violations of this policy rule. For example, select `Frank York`.

      * Enable Allow: Select this decision option to allow users to retain their violating access permanently.

      * Enable Exception: Select this decision option to allow users to be granted a temporary exception to retain access.

        * Require a justification when allowing exceptions: Select this option to require a justification when granting an exception.

      * Preventative: Select this scan type to enforce rules during access requests and provisioning.

      * Detective: Select this scan type to enforce rules during compliance scans.

      * Launch Violation Workflow: Select this violation lifecycle option to automatically launch a workflow when a violation of this policy rule is detected. For example, select `Basic Violation Process`.

      * Never: Select this Violation Expires option to specify that violations of this policy rule never expire.

      * Close violation: Select this "When violation expires" option to specify that violations of this policy rule are closed when they expire.

To create a policy that applies to agents:

1. In the New Policy modal, enter the following, and then click Next:

   * Name: Enter a name for the policy. For example, enter `CrewAI Compliance Policy`.

   * Description: Enter a description for the policy. For example, enter `Policy to enforce compliance for CrewAI agents`.

   * Policy Owner: Select a user for this policy. For example, select `Danielle Johnson`.

2. Click the Rules tab, and then click [icon: add, set=material, size=inline] Add Rules.

   1. In the Add Rules modal, select the policy rule you just created (for example, `Restrict HR access`), and then click Save.

3. On the policy page, click the Scans tab, and then click Simulate Scan to test this policy against your agents and identify any violations.

   ![Policy rule scans page showing a list of violations with columns for identity, violation, status, and actions](../../_images/IGA-4223/agent-governance-policy-rule-scans.png)

#### Create scopes

Use scopes to restrict which identities can see or request specific resources in Identity Governance. For example, create a scope limiting "End User Access Request" to human identities to prevent agents from autonomously requesting access without human approval. Learn more in [Scopes](../../../identity-governance/administration/scopes.html).

To create a scope:

1. In the Advanced Identity Cloud admin console, go to Governance > Scopes.

2. Click [icon: add, set=material, size=inline] New Scopes.

3. On the New Scope page, enter the following information on the Details page, and then click Next:

   * Name: Enter a name for the scope. For example, enter `End User Access Request`.

   * Description: Enter a description for the scope. For example, enter `Scope to restrict access requests to human users only`.

4. On the Applies to page, enter or select the following information, and then click Next:

   * `custom_iga_identity_type`: Select the agent identity type attribute, select `is`, and then enter `Human`. This scope only applies to identities flagged as human users.

     ![Scope applies to configuration showing a filter for identities with the custom_iga_identity_type property equal to Human](../../_images/IGA-4223/agent-governance-scope-applies-to.png)

5. On the Access page, select access to the following resources, and then click Save:

   * Applications: Select All Applications and View Applications.

   * Entitlements: Select All Entitlements and View Entitlements.

   * Roles: Select All Roles and View Roles.

Now only human users can request access to applications through the self-service UI. Agents cannot submit access requests autonomously—any access changes for agents must be initiated by their assigned custodians or through automated provisioning rules you define.
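The policy rule and scope configured in the two procedures above both come down to the same mechanics: a filter over identity attributes decides whom a control applies to, and the control then either reports a prohibited entitlement combination (detective scan), blocks a request that would create one (preventative scan), or hides scoped resources from identities outside the scope. The following added example, which is not Ping Identity code, models the `Restrict HR access` rule and the `End User Access Request` scope with a small in-memory evaluator. It assumes that the policy rule's Identity Type filter and the scope's `custom_iga_identity_type` filter read the same identity attribute, models only the `is` operator, and uses constructed identities and entitlements.

```python
"""Model the "Restrict HR access" policy rule and the "End User Access
Request" scope as an in-memory evaluator.

Added example, not Ping Identity code. Assumptions: the Identity Type
filter and custom_iga_identity_type are the same attribute, only the
`is` operator exists, and all identities/entitlements are constructed.
"""
from dataclasses import dataclass, field

# Assumption: the attribute behind the Identity Type / identity type filters.
IDENTITY_TYPE_ATTR = "custom_iga_identity_type"


@dataclass
class Identity:
    user_id: str
    attributes: dict
    entitlements: set = field(default_factory=set)


def matches_filter(identity, conditions, any_of=True):
    """Evaluate an "applies to" filter given as (attribute, operator, value) tuples.
    any_of=True mirrors "Any of the following conditions are met"."""
    outcomes = []
    for attribute, operator, value in conditions:
        if operator != "is":
            raise ValueError(f"unsupported operator: {operator!r}")
        outcomes.append(identity.attributes.get(attribute) == value)
    return any(outcomes) if any_of else all(outcomes)


@dataclass
class PolicyRule:
    name: str
    restricted: set        # entitlements named in the violation condition
    conflicts_with: set    # entitlements named under "Conflicts with"
    applies_to: list       # filter conditions over identity attributes
    risk_score: int = 0

    def violations_for(self, identity):
        """Conflicting entitlements an in-scope identity holds, or [] if none."""
        if not matches_filter(identity, self.applies_to):
            return []
        held_restricted = identity.entitlements & self.restricted
        held_conflicts = identity.entitlements & self.conflicts_with
        if held_restricted and held_conflicts:
            return sorted(held_restricted | held_conflicts)
        return []


def detective_scan(rule, identities):
    """Detective scan: every identity already in violation of `rule`."""
    return {i.user_id: v for i in identities if (v := rule.violations_for(i))}


def preventative_check(rule, identity, requested):
    """Preventative scan: would granting `requested` put `identity` in violation?"""
    projected = Identity(identity.user_id, identity.attributes,
                         identity.entitlements | {requested})
    return bool(rule.violations_for(projected))


@dataclass
class Scope:
    name: str
    applies_to: list
    access: set            # resources selected on the scope's Access page


def can_view_applications(scope, identity):
    """Only identities inside the scope see scoped resources in self-service."""
    return matches_filter(identity, scope.applies_to) and "View Applications" in scope.access


RESTRICT_HR = PolicyRule(
    name="Restrict HR access",
    restricted={"Access Lookup Tool"},
    conflicts_with={"Benefits Search Tool"},
    applies_to=[(IDENTITY_TYPE_ATTR, "is", "Agent")],
)

END_USER_ACCESS_REQUEST = Scope(
    name="End User Access Request",
    applies_to=[(IDENTITY_TYPE_ATTR, "is", "Human")],
    access={"View Applications", "View Entitlements", "View Roles"},
)

# Constructed sample identities: two agents and one human custodian.
SAMPLE_IDENTITIES = [
    Identity("payroll-agent", {IDENTITY_TYPE_ATTR: "Agent"},
             {"Access Lookup Tool", "Benefits Search Tool"}),
    Identity("support-agent", {IDENTITY_TYPE_ATTR: "Agent"}, {"Access Lookup Tool"}),
    Identity("danielle", {IDENTITY_TYPE_ATTR: "Human"},
             {"Access Lookup Tool", "Benefits Search Tool"}),
]


def run_example():
    by_id = {i.user_id: i for i in SAMPLE_IDENTITIES}
    return {
        "violations": detective_scan(RESTRICT_HR, SAMPLE_IDENTITIES),
        "support_agent_blocked": preventative_check(
            RESTRICT_HR, by_id["support-agent"], "Benefits Search Tool"),
        "agent_can_request": can_view_applications(END_USER_ACCESS_REQUEST, by_id["support-agent"]),
        "human_can_request": can_view_applications(END_USER_ACCESS_REQUEST, by_id["danielle"]),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Note that `danielle` holds the same conflicting pair as `payroll-agent` but is not reported: the Applies To filter limits the rule to agents, which is exactly why the page has you set Identity Type to `Agent` there. The preventative check shows the other half of the rule's value: `support-agent` holds only one of the two entitlements, so the detective scan is clean, but a request for the second one would be blocked at request time.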

#### Workflows

Configure workflows to require human approvals and ensure oversight of agent activity. For example, you could create an access request workflow that requires custodian approval for any access requests submitted on behalf of an agent. Or, you could create a violation remediation workflow that automatically revokes access from any agent that violates a compliance policy. Learn more about workflows at [Workflow configuration](../../../identity-governance/administration/workflow-configure.html).

### Monitor agent activity

To monitor agent activity:

1. In the Advanced Identity Cloud admin console, go to Governance > Agents.

2. Select an agent from the list, and click the Activity tab.

3. Filter the activity logs by date and time range and time zone offset, or search for a specific activity.

   ![Screen capture of activity logs showing timestamp, actor, action, resource, result columns and date range and time zone filters.](../../_images/IGA-4223/agent-governance-activity.png)

   | Field                | Description                                                                     |
   | -------------------- | ------------------------------------------------------------------------------- |
   | **Actor Details**    |                                                                                 |
   | Actor ID             | The unique identifier of the agent performing the action.                       |
   | Username             | The display name of the agent.                                                  |
   | Email                | This field is empty for agents.                                                 |
   | Global ID            | The global identifier for the agent in Advanced Identity Cloud.                 |
   | **Environment**      |                                                                                 |
   | Location             | The geographic location where the action was performed, if available.           |
   | User Agent           | The user agent string associated with the action, if available.                 |
   | Device               | The device used to perform the action, if available.                            |
   | Cloud Region         | The cloud region where the action was performed, if available.                  |
   | **Result**           |                                                                                 |
   | Response Code        | The response code returned by the action, if applicable.                        |
   | Risk Score           | The risk score associated with the action, if available.                        |
   | Bytes in/Out         | The amount of data transferred during the action, if applicable.                |
   | Raw Event JSON       | The full raw event data in JSON format, which might include additional details. |
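The fields in this table are what a custodian reviews by hand in the console. When you export the raw event JSON for many agents, the same fields lend themselves to a quick triage pass: group events by actor, count non-successful response codes, and surface the highest risk score per agent. The following added example is not Ping Identity code and the product does not document the raw event schema on this page; the key names (`actorId`, `username`, `action`, `resource`, `responseCode`, `riskScore`, `bytesIn`, `bytesOut`) are assumptions chosen to mirror the table's columns, and the event lines are constructed.

```python
"""Triage exported agent activity events by actor.

Added example, not Ping Identity code. The event keys below are an
assumption mirroring the activity table's columns; the real raw event
JSON may use different names. The sample lines are constructed.
"""
import json

# Constructed sample export: one JSON object per line, plus a malformed line
# to show that triage skips bad input rather than aborting.
SAMPLE_EVENTS = """\
{"timestamp": "2025-01-15T10:00:01Z", "actorId": "agent-001", "username": "payroll-agent", "action": "TOOL_CALL", "resource": "Benefits Search Tool", "responseCode": 200, "riskScore": 10, "bytesIn": 512, "bytesOut": 2048}
{"timestamp": "2025-01-15T10:00:05Z", "actorId": "agent-001", "username": "payroll-agent", "action": "TOOL_CALL", "resource": "Access Lookup Tool", "responseCode": 403, "riskScore": 60, "bytesIn": 256, "bytesOut": 0}
{"timestamp": "2025-01-15T10:00:09Z", "actorId": "agent-001", "username": "payroll-agent", "action": "TOOL_CALL", "resource": "Access Lookup Tool", "responseCode": 403, "riskScore": 75, "bytesIn": 256, "bytesOut": 0}
{"timestamp": "2025-01-15T10:01:00Z", "actorId": "agent-002", "username": "support-agent", "action": "TOOL_CALL", "resource": "Asset Lookup Tool", "responseCode": 200, "riskScore": 5, "bytesIn": 128, "bytesOut": 4096}
this line is not JSON
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep going; one bad line must not hide the rest
    return events


def summarize_by_actor(events):
    """Aggregate per actor: event count, non-2xx count, max risk, bytes out, resources."""
    summary = {}
    for event in events:
        actor = event.get("actorId", "unknown")
        entry = summary.setdefault(actor, {
            "username": event.get("username"),
            "events": 0, "denied": 0, "max_risk": 0, "bytes_out": 0, "resources": set(),
        })
        entry["events"] += 1
        code = event.get("responseCode")
        if isinstance(code, int) and not 200 <= code < 300:
            entry["denied"] += 1
        entry["max_risk"] = max(entry["max_risk"], event.get("riskScore") or 0)
        entry["bytes_out"] += event.get("bytesOut") or 0
        entry["resources"].add(event.get("resource"))
    return summary


def flag_actors(summary, risk_threshold=70, denied_ratio=0.5):
    """Return {actor: [reasons]} for actors a custodian should look at first.
    Thresholds are illustrative, not product defaults."""
    flagged = {}
    for actor, entry in summary.items():
        reasons = []
        if entry["max_risk"] >= risk_threshold:
            reasons.append(f"risk score {entry['max_risk']} >= {risk_threshold}")
        if entry["events"] and entry["denied"] / entry["events"] >= denied_ratio:
            reasons.append(f"{entry['denied']}/{entry['events']} non-2xx responses")
        if reasons:
            flagged[actor] = reasons
    return flagged


def triage(text):
    """Full pass over an export: parse, summarize, flag."""
    summary = summarize_by_actor(parse_events(text))
    return summary, flag_actors(summary)


if __name__ == "__main__":
    summary, flagged = triage(SAMPLE_EVENTS)
    for actor, reasons in flagged.items():
        print(f"{actor} ({summary[actor]['username']}): {'; '.join(reasons)}")
```

Repeated `403` responses against a tool the agent was never meant to use are the kind of pattern worth correlating with the policy rule violations and certification results described earlier: a denied call is harmless on its own, but an agent that keeps retrying it is either misconfigured or doing something its custodian should know about.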

### Finalize agent governance setup

After configuring governance controls, complete your setup by assigning custodians to provide human oversight and enriching the entitlement glossary to help reviewers understand what each permission allows.

#### Assign custodians

1. In the Advanced Identity Cloud admin console, go to Governance > Agents.

   You see all agents from your connected platform listed here.

   ![Dashboard with metric cards (Recently Discovered, Review Pending, Action Required, Provisioned), platform filters sidebar, and agent table with application and description columns.](../../_images/IGA-4223/agent-governance-ui.png)

2. Assign custodians to each agent. You can:

   * Assign custodians manually by selecting an agent and adding owners.

   * Configure automated custodian assignment rules based on agent properties.

3. Go to Governance > Entitlements to review the agent tools and permissions discovered during reconciliation.

#### Enrich the entitlement glossary

1. Enrich the entitlement glossary by adding business-friendly descriptions to each tool or permission.

   To edit glossary entries:

   1. Select an entitlement from the list.

   2. Click Edit.

   3. In the Description field, enter a clear explanation of what this entitlement allows.

   4. Click Save.

#### Test the setup

1. Sign on to the hosted console as a test user who has been assigned as a custodian.

2. Go to My Access > My Agents.

   You should see a list of agents you're assigned as a custodian for. If the list is empty, reconciliation might not have completed or mappings might not be correct.

3. Select an agent to review:

   * Agent profile information

   * Assigned custodians

   * Connected tools and entitlements

If you don't see the expected agents or their access details, return to the reconciliation step and check the mapping and correlation configurations.

## Next steps

After you've successfully onboarded your AI agent and configured governance controls, consider these recommended actions:

**Expand governance coverage:**

* **Onboard agents from additional platforms**: If your organization uses multiple agent platforms, repeat the onboarding process for each one. Agent Governance supports agents from AWS Bedrock, Azure AI Foundry, Microsoft Copilot, Google Vertex AI, and custom platforms. Manage all agents in a centralized location.

* **Establish agent lifecycle processes**: Define how new agents are requested, approved, provisioned, and decommissioned in your organization. Consider creating templates for common agent types to streamline onboarding while maintaining security standards.

**Maintain continuous oversight:**

* **Schedule regular certification campaigns**: Use the certification template you created to run periodic access reviews. Configure campaigns to run quarterly or whenever your compliance policies require. Regular certification ensures agent permissions remain appropriate as your organization evolves.

* **Configure activity monitoring and alerts**: Set up notifications to alert custodians when agents exhibit unusual behavior or access patterns. Review logs regularly to identify risks, policy violations, or operational issues early.

* **Train custodians on their responsibilities**: Ensure the human custodians you assigned understand their role in overseeing agent access and behavior. Provide guidance on approval decisions, certification review, and investigation of suspicious activity.

* **Document Agent Governance policies**: Create organizational policies that define acceptable use for AI agents, required approval workflows, and escalation procedures for violations. Document which types of agents require custodian oversight and which access combinations are prohibited.

**Integrate with runtime security:**

* **Integrate with runtime enforcement**: For real-time control of agent behavior during execution, combine Agent Governance with Ping Gateway and Ping Privilege. This provides both administrative governance (what agents can access) and runtime authorization (what agents should do right now). Learn more about the complete Identity for AI solution in Ping Identity documentation.
