Start by separating the identity types in policy, ownership, and review cadence, then define where controls can be shared and where they must remain distinct. Human users, service identities, and AI systems do not fail in the same way, so the governance model has to preserve that difference while still producing one audit trail.
Why This Matters for Security Teams
Governance fails when human IAM is treated as the default template for everything else. Humans, service identities, and AI agents have different trust models, lifecycles, and failure modes, so one policy set cannot safely govern them all without creating blind spots. NHI governance is already behind in many organisations: the 2024 Non-Human Identity Security Report found that 88.5% of organisations say their non-human IAM practices lag behind or only match human IAM. That gap matters more as agentic systems gain tool access and execution authority.
For practitioners, the key mistake is equating centralisation with control. A single audit trail is useful, but shared governance does not mean shared entitlements, shared review cadence, or shared credential style. Human access reviews can be periodic; service identities often need lifecycle-aware automation; AI agents need runtime checks tied to task intent. The right model is separated ownership with coordinated oversight, not a flattened access regime. Current guidance from NIST Cybersecurity Framework 2.0 supports this by pushing organisations to govern identity, access, and monitoring as connected functions rather than one-size-fits-all controls. In practice, many security teams discover the mismatch only after an orphaned token, overbroad role, or autonomous agent action has already expanded blast radius.
How It Works in Practice
Start by defining three identity classes in policy: human users, non-human workloads, and AI agents. Humans are usually governed through RBAC, JIT elevation, and approval workflows. Non-human identities should be governed as workload identities with short-lived secrets, strong provenance, and lifecycle automation. AI agents need a separate layer of intent-based authorisation because the question is not just who the agent is, but what the agent is trying to do right now.
For agents, static role mapping is fragile. A goal-driven system can chain tools, call APIs in new sequences, and change its path based on environment feedback. That is why current best practice is shifting toward runtime policy evaluation, ephemeral credentials, and task-scoped entitlements. The most defensible pattern is to bind workload identity to each agent execution, then issue JIT credentials only for the action window. That identity can be represented with cryptographic workload attestation, while policy engines decide whether the requested operation matches the declared intent.
This is consistent with the governance direction in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the control emphasis in Ultimate Guide to NHIs — Regulatory and Audit Perspectives. It also aligns with NIST’s identity and AI guidance, especially when paired with a zero trust model that verifies every request rather than trusting a session once it begins.
- Use one governance model for accountability, but separate policies for humans, workloads, and agents.
- Issue secrets and tokens with short TTLs and revoke them automatically at task completion.
- Require approval or policy checks for privileged agent actions, not just initial registration.
- Log entitlement changes, secret issuance, and agent tool calls into one audit trail.
These controls tend to break down in multi-cloud environments with legacy service accounts, shared credentials, and agent tooling that cannot cleanly express intent at request time.
Common Variations and Edge Cases
Tighter governance often increases operational overhead, requiring organisations to balance speed against assurance. That tradeoff is real, especially where engineering teams rely on shared service principals or where agents must act across fragmented platforms. Best practice is evolving, and there is no universal standard yet for every agentic workflow, so policy design has to account for maturity gaps rather than assume a perfect control stack.
One common edge case is the blended workflow, where a human starts a process, a service account executes part of it, and an AI agent finishes it. In those cases, ownership should follow the initiating business process, but each identity hop still needs its own control boundary. Another edge case is emergency access. Humans may need break-glass privilege, but agents should rarely, if ever, receive the same exception model; if they do, it should be tightly bounded and heavily monitored.
Security teams should also watch for secret sprawl. The Top 10 NHI Issues research highlights the operational cost of poor non-human governance, and the JetBrains GitHub plugin token exposure shows how quickly developer tooling can become an identity risk. For AI-specific systems, the DeepSeek breach is a reminder that secrets and embedded credentials can surface in places governance teams do not inspect often enough. The practical rule is simple: shared reporting is fine, shared privilege is not.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Agentic systems need runtime controls for unpredictable tool use and privilege escalation. |
| CSA MAESTRO | GOV-1 | MAESTRO addresses governance for autonomous AI systems with execution authority. |
| NIST AI RMF | GOVERN | AI RMF GOVERN maps directly to accountability for mixed human and AI identity estates. |
Assign accountable owners, document policy, and review agent behaviour as a governed risk.
