Subscribe to the Non-Human & AI Identity Journal

Why do multi agent systems create more identity risk than single AI assistants?

Multi agent systems create more identity risk because they combine delegation, shared context, and external communication across multiple execution steps. A compromise or injection in one step can propagate through downstream agents that treat prior outputs as trusted input. That turns identity trust into a chain problem rather than a single access decision.

Why This Matters for Security Teams

Multi agent systems are riskier than single assistants because each agent adds another identity boundary, another set of credentials, and another opportunity for prompt injection, tool abuse, or delegation drift. Static RBAC works poorly when an agent’s actions are goal-driven and context-sensitive, because access needs can change mid-task. That is why current guidance increasingly points toward runtime authorisation, short-lived secrets, and workload identity rather than standing permissions, as reflected in the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework. The chain effect is what makes the problem operationally different: one weak step can poison downstream reasoning, tool calls, or delegated actions.

NHI exposure amplifies the risk. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, which means agent swarms often start from an already over-permissive baseline in the Ultimate Guide to NHIs. In practice, many security teams encounter identity failure only after an agent has already reused trusted context to reach a system no one intended to expose.

How It Works in Practice

In a single assistant design, the main identity question is usually, “What can this one workload do?” In a multi agent system, the better question is, “What can each agent do, what can it delegate, and what does every downstream component trust?” That difference is why identity risk grows non-linearly. One planner agent may call a retrieval agent, which then hands output to a code executor, which then uses a secrets manager, which then opens a third-party API. Each hop is a trust decision.

A safer pattern is to treat the agent as a workload identity first, then layer in JIT credentials and policy-as-code at each action point. That means:

  • Issuing short-lived credentials per task rather than long-lived secrets.
  • Binding tool access to the specific intent or workflow step being executed.
  • Verifying the agent’s workload identity before granting any token or API call.
  • Revoking credentials automatically when the task completes or changes scope.

This model aligns with the direction in CSA MAESTRO agentic AI threat modeling framework and the OWASP NHI Top 10, both of which reinforce that agentic systems need runtime controls, not just perimeter rules. It also fits NHI Mgmt Group findings that secrets are often mishandled at rest and in code, with 96% of organisations storing secrets outside secrets managers in vulnerable locations, according to the Ultimate Guide to NHIs. Where this guidance breaks down is in long-running autonomous workflows that must span multiple tools and approvals, because token lifetimes, audit correlation, and re-authentication points become hard to coordinate.

Common Variations and Edge Cases

Tighter JIT controls often increase operational overhead, so organisations have to balance containment against orchestration friction. That tradeoff is real in multi agent environments, especially when agents are meant to run continuously or hand off work across teams and vendors. Best practice is evolving, but there is no universal standard yet for how much delegated trust a downstream agent should inherit from an upstream one.

One common edge case is shared memory or shared context stores. If multiple agents can read the same state, then a single poisoned instruction can become a privileged assumption everywhere else. Another is human-in-the-loop escalation: if operators approve actions based on summaries rather than raw tool intent, the approval process can accidentally legitimise a compromised chain. A third is vendor integration, where external tools may accept bearer tokens without understanding whether the caller is an autonomous agent or a normal service account. This is where the guidance in 52 NHI Breaches Analysis and MITRE ATLAS adversarial AI threat matrix becomes especially relevant. The practical answer is to segment agents by task, constrain tool chains, and require runtime policy evaluation for every hop, as recommended by OWASP Top 10 for Agentic Applications 2026 and NIST AI Risk Management Framework. Multi agent systems become hardest to secure when they can self-route, self-delegate, and self-call external tools without a fresh authorisation decision at each boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A01 Covers prompt injection and unsafe tool chaining across agent workflows.
CSA MAESTRO MAESTRO addresses threat modeling for autonomous agent architectures and delegated actions.
NIST AI RMF AI RMF applies governance and accountability to autonomous, goal-driven AI behaviour.

Review each agent hop for injection resistance and require a fresh policy check before tool use.

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.