Remove it when the agent cannot be tied to a legitimate business need, when it inherits credentials that exceed the task it performs, or when the installation path bypassed governance controls. In practice, the decision should be based on documented access reach, deployment evidence, and whether the owner can justify continued use.
#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.