The gap between what an AI agent was meant to do and what it actually decides to do during a live session. This matters because the identity may remain valid while the action path changes, making static permission reviews insufficient for real control.
Expanded Definition
Runtime intent drift describes a live-session mismatch between an agent’s approved purpose and the decisions it makes once execution begins. In NHI and agentic AI governance, the issue is not whether the identity is valid, but whether the NIST Cybersecurity Framework 2.0-aligned controls still constrain the agent’s actual tool use, data access, and action sequencing. The term is closely related to policy drift and prompt-induced deviation, but runtime intent drift is broader because it covers the full execution path, including tool chaining, context inheritance, and autonomous re-planning. Definitions vary across vendors because some treat it as a model behavior problem while others treat it as an access governance problem. NHI Management Group treats it as an operational control gap: the approved identity remains intact while the intent attached to that identity changes during execution. This is especially important when an agent inherits broad permissions, because static approvals cannot reliably predict what it will do after new context appears. The most common misapplication is assuming that a correctly authenticated agent is automatically acting within scope, which occurs when runtime decisions are not continuously evaluated against task intent.
Examples and Use Cases
Implementing runtime intent controls rigorously often introduces latency and monitoring overhead, requiring organisations to weigh execution speed against stronger containment of unexpected agent actions.
- An internal support agent starts with a ticket-summary task, then expands into account-level data pulls after a user mentions a related issue.
- A code assistant approved for read-only analysis begins proposing and invoking deployment actions because the session context includes privileged tool access.
- A procurement bot meant to compare vendors starts exporting customer records after being redirected by a malformed prompt or stale conversation state.
- A delegated automation workflow remains authenticated through a valid NHI, but its branching logic selects a higher-risk API path than the one originally reviewed.
- The Salesloft OAuth token breach illustrates how valid access can still be abused when session-level trust is not matched to actual use, a pattern that mirrors runtime drift concerns in agentic environments.
Where the term is discussed in standards and guidance, it is usually adjacent to dynamic authorization, continuous verification, and policy enforcement for AI systems. For implementation context, teams also reference the NIST Cybersecurity Framework 2.0 to anchor monitoring and response expectations around identity, access, and anomalous behavior.
Why It Matters in NHI Security
Runtime intent drift is dangerous because NHI controls often focus on who or what is authenticated, while the failure happens in what that identity does after authentication. That gap becomes more severe when agents hold broad privileges, reuse tokens across tasks, or operate inside long-lived sessions. NHI Management Group reports that 97% of NHIs carry excessive privileges, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. In that environment, a valid credential is not enough to prove safe behavior. Runtime intent drift can turn a routine automation into an unauthorized data movement event, a destructive configuration change, or a compliance breach without any credential compromise at all. This is why continuous evaluation, tool-level guardrails, and session-bound scoping matter alongside traditional IAM reviews. The issue also reinforces broader zero-trust expectations discussed in the NIST Cybersecurity Framework 2.0 and the NHI governance lessons in Ultimate Guide to NHIs. Organisations typically encounter runtime intent drift only after an agent overreaches or exfiltrates data mid-session, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic AI guidance focuses on unsafe autonomous actions and tool misuse. | |
| OWASP Non-Human Identity Top 10 | NHI-05 | Runtime drift exposes the gap between valid identity and unsafe authorization use. |
| NIST CSF 2.0 | PR.AC-3 | Least privilege and access enforcement are directly stressed by drifting agent actions. |
Continuously validate NHI session behavior, not just credential status and initial access.
