
How do organisations stop agents from bypassing identity governance controls?

They need to eliminate direct access paths that sit outside the policy layer, including shadow connectors and ad hoc integrations. Every agent request should be forced through the governed identity layer so the organisation keeps intent, policy enforcement, and auditability intact. If those signals are missing, governance is already incomplete.

Why This Matters for Security Teams

Agents do not behave like static service accounts. They chain tools, pursue goals, and can take actions that were never explicitly pre-approved in a role model. That is why bypasses often appear when teams rely on ad hoc connectors, hard-coded tokens, or “temporary” exceptions that never get folded back into policy. Current guidance from both the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework points to the same operational reality: identity controls must be evaluated at runtime, not assumed from deployment-time intent. NHI Management Group research shows this is not a niche problem: according to its Ultimate Guide to NHIs, only 5.7% of organisations have full visibility into service accounts. In practice, many security teams discover bypass paths only after an agent has already used them to reach data or infrastructure that was never meant to be in scope.

How It Works in Practice

Stopping bypasses starts with removing any direct path that can skip the governed identity layer. Every agent action should be brokered through policy, where the request is checked for identity, intent, context, and destination before a short-lived credential is issued. That means replacing long-lived static secrets with JIT credentials, using workload identity as the primary trust anchor, and enforcing policy-as-code so decisions happen per request rather than per application release. For agentic systems, this is not a nice-to-have. It is the difference between a controlled execution path and an autonomous workload that can fan out into unintended access.

A practical design usually includes:

  • a workload identity for the agent, such as an OIDC-backed token or SPIFFE/SPIRE-style proof of workload identity;
  • a policy engine that evaluates the agent’s stated intent against approved actions, data classes, and tool scope;
  • ephemeral secrets with tight TTLs, automatically revoked after task completion;
  • central logging that records what the agent asked for, what was granted, and why.

This is consistent with the CSA MAESTRO agentic AI threat modeling framework and the OWASP NHI Top 10, which both emphasise tool misuse, privilege escalation, and uncontrolled agent autonomy. NHI Mgmt Group also notes, in its Lifecycle Processes for Managing NHIs, that 70% of organisations grant AI systems more access than they would give a human employee, which is exactly the kind of mismatch that bypasses governance. These controls tend to break down when legacy integrations still authenticate outside the broker, because the agent can keep using the old path even after the new policy layer exists.

Common Variations and Edge Cases

Tighter control often increases latency and integration overhead, requiring organisations to balance governance against operational speed. There is no universal standard for agent intent scoring yet, so best practice is evolving rather than settled. Some environments will need a stricter model, especially where agents can approve changes, deploy code, or access regulated data. In those cases, current guidance suggests pairing zero standing privilege with per-task approval, and using step-up checks for higher-risk actions rather than giving the agent broad standing authority.

The main edge cases are hybrid estates and vendor-managed connectors. If a SaaS integration, CI/CD runner, or shadow MCP endpoint can still authenticate with a token outside PAM, the policy layer is only partially effective. The same risk appears when teams treat a “helper agent” as low risk and skip intent-based authorisation because the workload seems narrow at first. That assumption fails once the agent can call a second tool, request a new secret, or pivot into adjacent systems. The 52 NHI Breaches Analysis and NIST Cybersecurity Framework 2.0 both support the same practical takeaway: govern the identity path, the secret lifecycle, and the audit trail together, or bypasses will simply move to the weakest integration point.
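The following is an added illustration, not code from the journal or from any of the frameworks it cites, of the brokered design described above: every agent request carries a workload identity and a stated intent, a policy-as-code table decides whether the tool and data class fit that intent, high-risk intents require a step-up approval, an allow yields a short-TTL credential, and every decision is written to a central audit log. The SPIFFE ID, intent names, tool names and data classes are hypothetical.

```python
import secrets
import time

# Constructed policy-as-code: per workload, the approved intents and the tool and
# data-class scope of each. The identifiers here are hypothetical examples.
POLICY = {
    "spiffe://example.org/agent/ticket-triage": {
        "summarise_ticket": {"tools": {"ticket_api"}, "data": {"internal"}, "step_up": False},
        "close_ticket":     {"tools": {"ticket_api"}, "data": {"internal"}, "step_up": True},
    }
}

AUDIT = []  # central log: what the agent asked for, what was granted, and why


def broker(workload_id, intent, tool, data_class, approved=False, ttl=60):
    """Evaluate one agent request; return a decision and, on allow, a JIT credential."""
    request = {"workload": workload_id, "intent": intent, "tool": tool, "data": data_class}
    rule = POLICY.get(workload_id, {}).get(intent)
    if rule is None:
        reason = "unknown workload or intent not approved"
    elif tool not in rule["tools"]:
        # A "helper agent" pivoting to a second tool is denied at request time.
        reason = f"tool {tool!r} outside scope of intent {intent!r}"
    elif data_class not in rule["data"]:
        reason = f"data class {data_class!r} outside scope of intent {intent!r}"
    elif rule["step_up"] and not approved:
        # Zero standing privilege: higher-risk intents need per-task approval.
        reason = "step-up approval required"
    else:
        cred = {"token": secrets.token_urlsafe(16),
                "scope": f"{tool}:{intent}",
                "expires": time.time() + ttl}
        AUDIT.append({**request, "decision": "allow", "reason": "matched policy",
                      "expires": cred["expires"]})
        return {"allow": True, "credential": cred, "reason": "matched policy"}
    AUDIT.append({**request, "decision": "deny", "reason": reason})
    return {"allow": False, "credential": None, "reason": reason}


def credential_valid(cred, now=None):
    """Ephemeral secret: unusable once its TTL has elapsed or it has been revoked."""
    now = time.time() if now is None else now
    return cred is not None and not cred.get("revoked") and now < cred["expires"]


def revoke(cred):
    """Revoke a credential immediately after task completion."""
    cred["revoked"] = True
```

Any integration that can still obtain a token without passing through `broker()` is exactly the bypass path this section warns about, so the broker is only as effective as the completeness of the paths routed through it.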

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Agentic AI Top 10 | A2 | Agent tool abuse and privilege escalation map directly to bypass risks. |
| CSA MAESTRO | MAESTRO | MAESTRO covers threat modeling for autonomous agents and control bypass paths. |
| NIST AI RMF | GOVERN | GOVERN assigns accountability for runtime oversight of autonomous AI behaviour. |

Restrict tools at request time and block any agent action not justified by approved intent.