How do I decide whether an agent needs stricter controls on tools or memory?

Start with the failure mode that would cause the biggest governance breach. If the main risk is side effects or privilege expansion, tighten tool controls. If the main risk is data retention or cross-session contamination, tighten memory controls. In many deployments, both need separate boundaries and separate review points.

Why This Matters for Security Teams

Agents change the control question from “who can log in?” to “what can this autonomous workload do right now, and what data can it carry forward?” That distinction matters because tools and memory fail in different ways. Tool abuse creates side effects, lateral movement, and privilege expansion. Memory abuse creates retention risk, prompt injection persistence, and cross-session contamination. Current guidance increasingly treats these as separate control planes, especially in agentic systems covered by the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework.

The practical mistake is to apply one blanket “agent policy” and assume it covers both execution authority and state handling. It usually does not. An agent with modest tool permissions but broad memory can still leak sensitive context into later tasks. An agent with strict memory but broad tool access can still trigger destructive actions or chain systems in ways no static role model anticipated. NHI governance data from NHI Mgmt Group shows that 97% of NHIs carry excessive privileges, which is a useful warning sign when teams overgrant agent tool access under time pressure. In practice, many security teams discover these control gaps only after an agent has already acted on the wrong data or the wrong tool chain has already been executed.

How It Works in Practice

The cleanest way to decide is to map the likely failure mode to the control boundary that contains it. If the biggest concern is action, focus on tools. If the biggest concern is state, focus on memory. For tools, that means scoping the agent to the minimum set of APIs, commands, and actions required for the task, then adding approval gates for high-impact operations. For memory, that means deciding what can be retained, for how long, and whether stored context can be reused across sessions, users, or tasks.

In agentic systems, the most robust pattern is to separate identity, authorization, and state. Workload identity should prove what the agent is, while runtime policy should decide what it may do in this moment. That is why many implementations lean toward intent-aware authorization, short-lived credentials, and request-time evaluation rather than static RBAC alone. The Ultimate Guide to NHIs — Standards is a useful reference for this broader governance model, while the OWASP NHI Top 10 connects control failure to real-world identity abuse patterns.

  • Tighten tool controls when the agent can call payment, production, admin, or exfiltration-capable systems.
  • Tighten memory controls when prompts, retrieved context, or conversation history may contain regulated or cross-tenant data.
  • Use separate review points for tool grants and memory retention, because they age on different timelines.
  • Prefer ephemeral, task-scoped access for tools, and bounded retention windows for memory.

Where this guidance breaks down is in long-running, multi-step agents that both retrieve sensitive context and then execute downstream actions, because the memory-to-tool chain makes one boundary depend on the other.

Common Variations and Edge Cases

Tighter controls often increase latency, approval overhead, and operational friction, so organisations have to balance safety against task completion speed. That tradeoff is especially sharp in production copilots, customer-facing agents, and multi-agent workflows where one agent’s output becomes another agent’s input.

There is no universal standard for this yet, but current guidance suggests a few patterns. If memory is only needed for a single task, keep it ephemeral and purge it on completion. If memory supports user experience across sessions, classify it as durable state and apply stronger access, redaction, and retention controls. If tools are low risk but memory is sensitive, the memory boundary deserves the stricter policy. If tools can mutate systems or trigger external effects, the tool boundary should be treated as the primary control point.
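As an added illustration of the tool/memory separation described under "How It Works in Practice" and the ephemeral-versus-durable memory patterns just above (example code written for this page, not from the journal or any product), a minimal request-time policy in which tool grants are task-scoped, short-lived and gated for high-impact actions, while the memory store keeps per-task scratch that is purged on completion and a tenant-scoped durable store with redaction for regulated data and a bounded retention window. All names, the redaction rule and the sample values are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolGrant:
    """Task-scoped, short-lived tool credential; high-impact tools carry an approval gate."""
    tool: str
    tasks: frozenset        # tasks this grant is valid for
    expires_at: float       # short-lived: seconds since epoch (assumed clock)
    needs_approval: bool = False

def authorize_tool(grant: ToolGrant, task: str, now: float, approved: bool = False):
    """Request-time evaluation of one tool call; returns (allowed, reason)."""
    if now >= grant.expires_at:
        return False, "credential expired"
    if task not in grant.tasks:
        return False, "tool not in task scope"
    if grant.needs_approval and not approved:
        return False, "approval gate not satisfied"
    return True, "allowed"

@dataclass
class MemoryItem:
    tenant: str
    text: str
    stored_at: float
    classification: str      # "internal" or "regulated" (assumed labels)

class MemoryStore:
    """Separate memory boundary: ephemeral scratch per task, bounded durable store per tenant."""
    def __init__(self, retention_seconds: float):
        self.retention = retention_seconds
        self.scratch = {}    # task id -> list of text, purged on task completion
        self.durable = []    # list of MemoryItem, tenant-scoped and time-bounded

    def remember(self, task, tenant, text, now, durable=False, classification="internal"):
        if not durable:
            self.scratch.setdefault(task, []).append(text)
            return
        if classification == "regulated":
            text = "[REDACTED]"   # durable state is redacted before retention
        self.durable.append(MemoryItem(tenant, text, now, classification))

    def recall(self, task, tenant, now):
        """Only this task's scratch plus same-tenant, unexpired durable items are returned."""
        live = [m.text for m in self.durable
                if m.tenant == tenant and now - m.stored_at < self.retention]
        return self.scratch.get(task, []) + live

    def end_task(self, task):
        self.scratch.pop(task, None)   # ephemeral memory does not survive the task
```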

Edge cases appear when agents use retrieval-augmented generation, shared workspaces, or delegated sub-agents. In those environments, a “safe” memory store can still become dangerous if downstream tools trust it blindly, and a “safe” tool list can still be misused if the agent is fed poisoned context. This is why the agentic view in the OWASP Agentic Applications Top 10 and the control-oriented framing in the CSA MAESTRO agentic AI threat modeling framework both matter: one governs action, the other governs persistence, and mature programs need both.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A01                 | Agent tool misuse and unsafe autonomy are central to choosing controls.
CSA MAESTRO             | MAESTRO             | MAESTRO frames agentic risk across tools, memory, and orchestration.
NIST AI RMF             | AI RMF              | AI RMF supports governance of autonomous behavior and state handling.

Limit tool authority to task scope and require runtime checks for risky actions.