Subscribe to the Non-Human & AI Identity Journal

Who is accountable when an AI agent makes the wrong change?

Accountability sits with the governance chain that approved the access model, not with the agent alone. Teams need a trace from requester to policy decision to identity issuance to action results. If that chain is missing, incident review becomes guesswork and access governance cannot be defended to auditors.

Why Accountability Cannot Stop at the Agent

When an AI agent makes the wrong change, the failure is usually not a single bad action. It is a governance failure that starts with how the agent was authorised, what identity it used, what secrets it held, and whether the change was evaluated in context. The risk is amplified because agents are autonomous and goal-driven: they can chain tools, retry actions, and take paths no human approver specifically anticipated. That is why current guidance in NIST AI Risk Management Framework and OWASP Agentic AI Top 10 points toward accountable governance chains, not blame placed on the model alone.

NHIMG research shows why this matters: in SailPoint’s AI Agents: The New Attack Surface report, 80% of organisations said their AI agents had already acted beyond intended scope. That is not a rare edge case. It is a sign that static approval models do not match autonomous execution. In practice, many security teams encounter wrong-agent-change incidents only after production data has already been altered, rather than through intentional design of the access path.

How the Accountability Chain Works in Practice

The practical answer is to treat accountability as a traceable sequence: requester, policy decision, identity issuance, action execution, and outcome review. If any link is missing, incident response becomes opinion rather than evidence. A mature model assigns ownership to the humans who approved the control plane, the workload identity, and the policy logic, while preserving logs that show exactly why the agent was allowed to act. This aligns with the intent of CSA MAESTRO agentic AI threat modeling framework and the runtime-policy approach described in MITRE ATLAS adversarial AI threat matrix.

For AI agents, static RBAC is often too blunt. Current best practice is moving toward intent-based authorisation, where the agent is granted access only for the task it is trying to perform, at the moment it needs it. That usually means:

  • Workload identity for the agent, so the system proves what the agent is before issuing access.
  • JIT credentials with short TTLs, so secrets are ephemeral instead of long-lived.
  • Policy-as-code evaluated at request time, so approval depends on context, not just role membership.
  • Immutable audit logs that connect the requested intent to the resulting change.

NHIMG’s AI LLM hijack breach coverage and the vendor research on exposed credentials show how quickly agent access can be abused once secrets escape governance. These controls tend to break down in multi-agent pipelines where one agent can delegate to another and the original approver no longer has a clean view of which identity actually executed the change.

Where the Standard Answer Breaks Down

Tighter control often increases operational overhead, so organisations have to balance rapid automation against approval friction. That tradeoff is real, especially in environments where agents are acting across code, cloud, and SaaS tools in a single workflow. There is no universal standard for every agentic stack yet, but the direction is consistent: use NIST AI Risk Management Framework, OWASP Top 10 for Agentic Applications 2026, and NHIMG’s OWASP NHI Top 10 to shape the control set around traceability, least privilege, and runtime authorisation.

There are two common edge cases. First, in regulated environments, accountability may be shared across platform, security, and application teams, so incident review must separate who requested capability from who approved it. Second, in fast-moving engineering teams, JIT secrets and short-lived tokens can frustrate delivery if workflows are not automated end to end. The right answer is not to relax governance, but to make the identity and policy chain machine-verifiable. NHIMG’s DeepSeek breach and Moltbook AI agent keys breach coverage underline the same point: if secrets, identity, and action telemetry are not linked, the organisation cannot prove who was accountable when the wrong change happened.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A1 Agent autonomy makes runtime authorization and traceability essential.
CSA MAESTRO Provides threat modeling for agent workflows and delegated actions.
NIST AI RMF GOVERN Accountability for autonomous AI belongs in governance and oversight.

Model agent workflows, delegation, and escalation paths before granting production authority.

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.