
What breaks when agentic identities are reviewed like human users?

Human-style access reviews break because they assume the subject is observable on a schedule and can be certified in a stable state. Agentic identities may change scope, act repeatedly, or finish a task before the next review cycle begins. As a result, the review process sees the wrong state or no useful state at all.

Why This Matters for Security Teams

Access reviews are designed for human subjects: people with relatively stable job functions, visible managers, and periodic certification cycles. Agentic identities do not behave that way. They can complete a task in minutes, invoke multiple tools, chain actions across systems, and alter their effective scope faster than a quarterly or even weekly review can capture. That makes the review itself a lagging control, not a reliable guardrail.

This is why NHIMG research on the AI Agents: The New Attack Surface report matters: it shows that a large share of organisations already see agent behaviour moving beyond intended scope, while many still lack audit visibility. The problem is not just excessive privilege, but mismatched assumptions about what is being certified. Human-style review asks, “Should this person keep this access?” Agentic governance must ask, “What is this workload allowed to do right now, in this context?” Current guidance from the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 points in that direction, but there is no universal standard for review cadence or certification format yet.

In practice, many security teams discover the mismatch only after an agent has already copied data, called a privileged API, or completed an unauthorised workflow before the next review cycle begins.

How It Works in Practice

When agentic identities are reviewed like human users, several controls fail at once. First, role-based access reviews assume a stable entitlement set. Agents are rarely stable: their permissions often vary by task, prompt, tool chain, or retrieval context. Second, certification workflows usually rely on manager attestation and business justification, but an autonomous workload may not have a durable human owner who can explain every runtime action after the fact. Third, reviewers can only validate what exists at review time, which is often stale by design.

Better practice is to treat the agent as a workload identity, not a person. That means tying the identity to cryptographic proof, such as OIDC-based workload tokens or SPIFFE/SPIRE-style identity, and issuing permissions just in time for a specific task. NHIMG’s OWASP NHI Top 10 and the Ultimate Guide to NHIs — 2025 Outlook and Predictions both reinforce the same operational point: static entitlements age badly for machine subjects. In practice, teams should combine:

  • task-scoped, short-lived credentials with automatic expiry
  • real-time policy decisions at request time, not only at review time
  • explicit ownership for the workload, not just the platform team
  • logs that capture intent, tool invocation, and downstream system impact

This aligns with evolving guidance from the CSA MAESTRO agentic AI threat modeling framework and the NIST AI Risk Management Framework, which both emphasize runtime risk controls and accountability. These controls tend to break down when agents are embedded in long-running, multi-step workflows with shared service accounts, because attribution and revocation become ambiguous across tool boundaries.
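The combination listed above, as an added example that is not NHIMG's or any framework's own code: a task-scoped grant with automatic expiry, a decision made at request time, and an audit record that ties each tool call to its agent, task and intent. An HMAC-signed token stands in for an OIDC or SPIFFE/SPIRE workload credential, and all names (`issue_grant`, `authorize`, the agent, task and tool identifiers) are hypothetical.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"   # assumption: held only by the policy service
AUDIT_LOG = []                          # one record per request: intent, tool, decision

def _sign(body: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_grant(agent_id, task_id, intent, tools, now, ttl=300):
    """Issue a credential bound to one task, expiring ttl seconds after issue."""
    claims = {"agent": agent_id, "task": task_id, "intent": intent,
              "tools": sorted(tools), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()

def authorize(grant, tool, now):
    """Decide at request time and log the decision with its task context."""
    body, _, sig = grant.partition(".")
    claims = {}
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        decision = "deny:bad_signature"
    else:
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now >= claims["exp"]:
            decision = "deny:expired"
        elif tool not in claims["tools"]:
            decision = "deny:tool_out_of_scope"
        else:
            decision = "allow"
    AUDIT_LOG.append({"ts": now, "agent": claims.get("agent"),
                      "task": claims.get("task"), "intent": claims.get("intent"),
                      "tool": tool, "decision": decision})
    return decision

def demo():
    t0 = 1_700_000_000  # constructed timestamp
    grant = issue_grant("agent-7", "task-42", "summarise ticket", ["ticket.read"], t0)
    forged = grant[:-1] + ("0" if grant[-1] != "0" else "1")  # altered signature
    return [
        authorize(grant, "ticket.read", t0 + 10),    # in scope, within lifetime
        authorize(grant, "crm.export", t0 + 20),     # tool not granted for this task
        authorize(grant, "ticket.read", t0 + 301),   # grant has expired
        authorize(forged, "ticket.read", t0 + 30),   # signature does not verify
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A periodic review of this agent would find no standing entitlement to certify; the evidence is the per-request audit log.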

Common Variations and Edge Cases

Tighter review and certification for agentic identities often increases operational overhead, so organisations have to balance visibility against automation speed. That tradeoff is real, especially when agents support customer operations, software delivery, or security response.

One common edge case is the shared agent platform. If dozens of agents use one parent identity, a review may appear clean even while the underlying workloads have very different privileges. Another is delegation through plugins or tool wrappers, where the agent’s effective authority expands beyond the entitlement list seen by reviewers. Best practice is evolving here: some teams use per-agent identities, others use per-task identities, and some split the model by high-risk versus low-risk tool access. There is no universal standard for this yet, but the direction is clear.

NHIMG’s reporting on LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows why this matters: once credentials are exposed or reused, attackers move quickly. Human-style reviews do not meaningfully reduce that window for autonomous systems. The safer pattern is to minimise standing privilege, rotate secrets aggressively, and evaluate policy at runtime using the actual task context. That is also consistent with the OWASP Top 10 for Agentic Applications 2026, which treats uncontrolled agent actions as a core risk rather than a downstream exception.

In practice, review models break most severely in systems that let agents retain long-lived credentials across sessions, because the access that gets certified is no longer the access the agent is actually using.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agentic systems need runtime controls, not human-style periodic reviews. |
| CSA MAESTRO | GOV-2 | MAESTRO stresses governance and accountability for autonomous agent actions. |
| NIST AI RMF | | AI RMF addresses risk management for dynamic AI behaviour and context. |

Replace static certification with task-scoped policy checks and short-lived agent credentials.