Description

Rohit Dhawan, group executive director of Artificial Intelligence at Lloyds Banking Group in the UK, wrote: Agentic AI goes beyond GenAI, enabling autonomous action, workflow orchestration, and real‑time decision-making at scale. 

He goes on to predict that 2026 marks a turning point as agentic AI moves from experimentation to enterprise-wide deployment across financial services.

In this context, CISOs and CIOs in Asia may want to consider prioritising AI-driven identity governance for autonomous environments, in the process treating agentic AI as first-class identities requiring least-privilege enforcement, continuous behavioural monitoring, lifecycle visibility, and human-in-the-loop controls. 

Maturing understanding of regulations will drive compliance efforts to mitigate shadow agents, rogue actions, excessive privileges, and accountability gaps in securing enterprise IT infrastructure.

In this PodChats for FutureCISO, Matthew Graham, Chief Security Officer for Asia Pacific at Okta, shares his thoughts, emphasising practical, regulation-grounded decision-making on agentic AI adoption.

1. How can we quickly evaluate if our current identity and access management systems are ready to handle agentic AI as independent actors?

2. What key principles from Singapore’s Model AI Governance Framework for Agentic AI should we adopt first to set safe boundaries for autonomous agents?

3. Drawing from our experience with the proliferation of Shadow GenAI, how do we prevent shadow or over-privileged AI agents from gaining too much access and causing unauthorised actions?

4. What basic steps ensure every agentic AI has its own clear, trackable identity with proper permissions and audit trails?

5. What practical approaches manage the full lifecycle of short-lived agent identities—from creation and delegation to safe removal?

6. There is a possibility that many organisations don’t have the experience or capability to follow through on your recommendations. How do CISOs and CIOs establish appropriate governance for their business and workflow?

7. How can we add simple behavioural monitoring and emergency stop controls to catch rogue or unexpected agent actions without slowing operations?

8. Looking forward, how might new standards and Asia’s push for sovereign AI influence our long-term plans to balance safe innovation with compliance?

9. Agentic AI is predicted to be the IT project of 2026. For organisations that have decided to deploy agentic AI, any security recommendations to ensure resilience?