Intent-dimension drift is the gradual loss of separation between user, system, model, and external content during agent execution. When those layers bleed into one another, the organisation can no longer explain whether the agent acted on instruction, contamination, or misalignment, which weakens governance and incident response.
Expanded Definition
Intent-dimension drift describes a failure in agentic execution where the boundaries between user intent, system instructions, model output, and retrieved external content become blurred. In NHI and agent governance, that blur matters because the organisation can no longer reliably explain why the agent acted, which input layer influenced the action, or whether the action was legitimate. Unlike a simple prompt injection event, drift is often cumulative: a sequence of retrieved documents, tool outputs, memory artifacts, and policy exceptions gradually erodes separation until the agent’s behaviour no longer maps cleanly to a single source of authority.
Definitions vary across vendors, but the operational concern is consistent: once an agent starts treating external content as if it were instruction, or user intent as if it were system policy, governance breaks down. The closest standards language comes from control-focused guidance such as the NIST Cybersecurity Framework 2.0, which emphasises controlled, traceable, and resilient system behaviour rather than agent-specific terminology. Intent-dimension drift is commonly misunderstood as a model quality problem when it is actually a control-plane and provenance problem. The most common misapplication is treating mixed-source agent output as ordinary hallucination, which occurs when responders fail to separate instruction contamination from retrieval contamination.
Examples and Use Cases
Implementing controls against intent-dimension drift rigorously often introduces extra routing, provenance checks, and logging overhead, requiring organisations to weigh execution speed against the need for explainable agent behaviour.
- An AI agent reads a customer ticket, a policy document, and a stale internal note, then uses the stale note as if it were current operator instruction.
- A support automation agent combines user text with retrieved knowledge-base content and overwrites approval logic because the retrieval layer was not isolated from the system layer.
- A sales workflow agent follows instructions embedded in a third-party page and sends an external API request that was never authorised by the original user request.
- The Salesloft OAuth token breach illustrates how trust placed in an adjacent execution context can turn into broad downstream exposure when boundaries are not preserved.
- Guidance aligned to the NIST Cybersecurity Framework 2.0 can be used to require provenance logging, decision traceability, and response isolation across each agent step.
In practice, teams use the term when reviewing agent traces, red-teaming prompt chains, or assessing whether a retrieval-augmented workflow has clean separations between instructions, evidence, and tool execution.
Why It Matters in NHI Security
Intent-dimension drift matters because agents often operate with NHI credentials, service tokens, or delegated authority, which means a confused execution path can become an actual security event. Once separation collapses, incident responders cannot easily tell whether a token was used according to policy, whether a tool call was contaminated by external content, or whether the agent has simply drifted beyond its intended operating scope. That uncertainty complicates containment, forensics, and access revocation.
NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and that visibility gap becomes more damaging when agent behaviour is ambiguous. The same visibility weakness that hides ordinary NHI misuse also makes it harder to detect when a chain of agent actions has crossed from valid task completion into contaminated execution. Controls discussed in the Ultimate Guide to NHIs are especially relevant here because lifecycle governance, secret handling, and least privilege all reduce the blast radius when an agent’s intent boundary fails. This is not just a design concern. Organisations typically encounter intent-dimension drift only after a suspicious action, at which point the lack of clean provenance makes it operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic AI guidance addresses prompt contamination, tool misuse, and execution boundary failures. | |
| OWASP Non-Human Identity Top 10 | NHI-06 | NHI governance covers traceability and misuse patterns when non-human identities drive agent actions. |
| NIST CSF 2.0 | DE.CM | Continuous monitoring supports detection of anomalous or contaminated agent behaviour. |
Separate instruction, retrieval, and tool layers; log each transition so drift can be detected and contained.
Related resources from NHI Mgmt Group
- What is the difference between logging actions and logging intent for AI agents?
- How should security teams think about a compromised integration like Drift?
- How can security teams reduce privilege drift in Kubernetes RBAC?
- What is the difference between role-based access and intent-based access for agents?
