Raise your AI-governance maturity at the identity layer
As your organization stands up an AI-governance program, the identities your AI agents run as become a control surface auditors and regulators will ask about. Permafrost gives that surface an inventory, a risk score, and a remediation path — lowering the chance an over-permissioned agent becomes an incident, and producing the evidence your governance program needs. Below, the concrete capabilities mapped to the frameworks UK and EU buyers reference.
This page is about how Permafrost helps you govern your AI agents. For Permafrost’s own AI-management-system posture (ISO 42001) and its certification status, see certification status. We map only what the product genuinely supports; contributing to a framework’s control area is not the same as certifying against it.
Framework crosswalks
EU AI Act
The EU AI Act expects providers and deployers of higher-risk AI systems to maintain oversight, logging, and access control over the system and the identities that operate it.
- Human oversight & access control (Art. 14, Art. 26)Agent identity inventory gives you a named, owned register of every AI agent identity acting in your tenant — the prerequisite for oversight you can evidence.
- Risk management & technical robustness (Art. 9, Art. 15)Blueprint inheritable-permission risk flags where an agent blueprint would propagate excess privilege, so an over-scoped agent is caught before it ships.
- Record-keeping & traceability (Art. 12)Per-agent blast radius makes the reach of each agent identity explicit and reviewable, turning 'what could this agent touch' into a concrete, recorded answer.
NIST AI RMF
The NIST AI Risk Management Framework organizes AI risk work into Govern, Map, Measure, and Manage. The identity layer for AI agents maps cleanly onto each.
- Map — context & inventoryAgent identity inventory establishes the population of AI actors and their owners, the 'Map' baseline you measure and manage against.
- Measure — risk analysisLeast-privilege scoring for non-human identities quantifies how far each agent identity sits from least privilege, a measurable, trendable risk signal.
- Manage — risk treatmentDormant-agent reaping and guided remediation let you act on the highest-risk agent identities first and retire the ones no longer in use.
CSA AICM
The Cloud Security Alliance AI Controls Matrix extends cloud-control thinking to AI systems, with identity and access management among its control domains.
- Identity & access management for AIAgent identity inventory plus least-privilege scoring give you the IAM posture of your AI agents in one place, scored and rankable.
- Least privilege & entitlement hygieneBlueprint inheritable-permission risk and per-agent blast radius surface the entitlement excess and propagation paths the matrix expects you to control.
- Lifecycle managementDormant-agent reaping closes the lifecycle gap where unused agent identities accumulate standing access.
OWASP AI Exchange
The OWASP AI Exchange catalogs AI security threats and controls, including excessive agency and over-permissioned autonomous agents — the failure modes Permafrost is built to surface.
- Excessive agency / over-permissioned agentsPer-agent blast radius and blueprint inheritable-permission risk make excessive agency visible and measurable rather than latent.
- Least-privilege enforcementLeast-privilege scoring for non-human identities turns 'is this agent over-permissioned' into a ranked, remediable finding.
- Monitoring & decommissioningDormant-agent reaping detects agent identities that have gone quiet and walks you through retiring their access.
Outcome first: fewer over-permissioned agents, less standing access, and audit evidence you can hand to a reviewer.