Agent discovery is the process of finding every AI agent across cloud platforms, low-code tools, repositories, and deployment pipelines. It matters because governance cannot start until the organisation can see where the agent exists, who owns it, and what it can reach.
Expanded Definition
Agent discovery is the discipline of identifying every AI agent instance, including agents embedded in low-code workflows, CI/CD automation, code repositories, cloud services, and managed platforms. In NHI governance, discovery is not just inventory. It is the starting point for understanding ownership, execution scope, credential usage, and downstream access paths.
Definitions vary across vendors because some teams treat discovery as a scanning exercise, while others include continuous classification and trust evaluation. NHI Management Group treats agent discovery as a lifecycle control that supports visibility, attestation, and oversight, consistent with the governance intent found in the NIST AI Risk Management Framework and the risk focus in the OWASP Agentic AI Top 10.
Strong discovery practice also ties into the broader NHI lifecycle described in the NHI Lifecycle Management Guide, because an agent that cannot be found cannot be reviewed, rotated, revoked, or monitored. The most common misapplication is assuming an application inventory is equivalent to agent discovery, which occurs when teams overlook agents created inside pipelines, notebooks, and automation tools.
Examples and Use Cases
Implementing agent discovery rigorously often introduces operational overhead, requiring organisations to balance better visibility against the cost of continuous scanning and ownership validation.
- Security teams scan cloud tenants to detect autonomous agents with API access, then map each one to a business owner and an approved purpose.
- Platform engineers identify agents generated by low-code tools and compare them against approved service accounts to prevent shadow automation.
- DevSecOps teams trace agents defined in repositories and CI/CD pipelines, using OWASP NHI Top 10 risk patterns and MITRE ATLAS adversarial AI threat matrix concepts to prioritise exposed workflows.
- Governance teams reconcile discovered agents against IAM records to find stale, duplicated, or unowned identities before access sprawl turns into breach exposure.
- NHI programs use discovery reports to trigger onboarding controls, secret reviews, and offboarding when an agent is no longer tied to an active service.
NHI Management Group research shows only 5.7% of organisations have full visibility into their service accounts, which is why discovery is often the first meaningful control gap to close. That visibility gap becomes even more consequential when agents inherit privileged credentials from pipelines or orchestration tools, as described in the Top 10 NHI Issues.
Why It Matters in NHI Security
Agent discovery matters because governance cannot protect what it cannot enumerate. Undiscovered agents often retain secrets, call sensitive APIs, and operate with privileges that no one has formally reviewed. That creates blind spots for Zero Trust enforcement, access review, and incident response. In practice, discovery is what turns scattered automation into a manageable identity population.
Without discovery, organisations cannot reliably answer who created an agent, where it runs, what data it can reach, or whether its credentials are still valid. That uncertainty is dangerous because agentic systems may act faster than human operators can detect, especially when paired with the kinds of exposure patterns documented in the Ultimate Guide to NHIs. This is also why discovery aligns with the control intent behind the CSA MAESTRO agentic AI threat modeling framework and the NIST AI Risk Management Framework.
Organisations typically encounter the need for agent discovery only after an incident reveals an unowned agent with live credentials, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery is foundational to identifying non-human identities before control hardening begins. |
| OWASP Agentic AI Top 10 | Agentic AI guidance requires visibility into autonomous agents and their tool access paths. | |
| NIST AI RMF | NIST AI RMF emphasises mapping, measuring, and governing AI systems throughout their lifecycle. |
Continuously discover agents and map their execution scope, credentials, and external integrations.
