Unknown agents bypass the normal lifecycle steps that make access governable, including approval, recertification, and offboarding. They may still hold production-level access, which means the security team is managing execution without governance evidence. The risk is not just misuse, but the inability to show who owns the identity or why it exists.
Why Unknown Agents Are Riskier Than Approved Ones
Unknown AI agents create a higher identity risk because they sit outside the controls that make access accountable. Approved agents are usually tied to ownership, intended use, and review cycles, even if those controls are imperfect. Unknown agents bypass that structure, so defenders inherit execution without governance evidence. That is especially dangerous in agentic environments where tool use, token exchange, and autonomous chaining can expand impact faster than human workflows.
Current guidance from OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework points toward runtime accountability, not just pre-approval. NHIMG research on the 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced or suspect a breach of non-human identities, which is a reminder that identity sprawl is already a live operational problem. In practice, many security teams encounter unknown agents only after they have already accessed production systems rather than through intentional onboarding.
How Organisations Should Govern Unapproved AI Identities
The practical issue is not whether an agent exists, but whether its identity can be verified, constrained, and revoked at runtime. Static, role-based access models struggle here because autonomous agents do not follow fixed human job patterns. Their actions are goal-driven, context-sensitive, and often unpredictable, which makes pre-defined entitlements too coarse for real control.
Security teams should treat workload identity as the primary identity primitive for agents, using cryptographic proof of what the agent is, not just a long-lived secret. Standards such as SPIFFE and runtime policy engines aligned with NIST Cybersecurity Framework 2.0 support this pattern better than static IAM alone. Current best practice is to issue short-lived, just-in-time credentials per task, evaluate policy at request time, and revoke access automatically when the task ends. That is consistent with the direction of the CSA MAESTRO agentic AI threat modeling framework and the NHIMG OWASP NHI Top 10.
- Require an owner, purpose, and expiry for every agent identity.
- Prefer ephemeral tokens and secrets over standing credentials.
- Validate tool access at runtime with policy-as-code.
- Log task context, not just authentication success.
- Revoke credentials when the task, model, or environment changes.
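The five controls above, together with the per-task credential pattern described earlier and the "untrusted until proven" stance for unknown agents, can be exercised end to end in a small runtime authorizer. The following is an added illustration and is not code from NHIMG or from any of the standards named on this page; the registry, `Registry`, `AgentIdentity`, the HMAC-signed token format, the hard-coded demo signing key and all sample agent and task names are constructed for the example. A real deployment would bind tokens to workload identity documents (for instance SPIFFE SVIDs) rather than a shared secret, but the control logic is the same.

```python
"""Runtime governance for AI agent identities (constructed example).

Owner/purpose/expiry are mandatory, credentials are task-scoped and
short-lived, tool access is decided at request time, log entries carry task
context, and model/environment drift revokes the credential.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key. A production system would derive trust from a
# workload identity issuer, not a static shared secret.
_SIGNING_KEY = b"demo-signing-key-not-for-production"


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str
    purpose: str
    expires_at: float  # identity expiry, epoch seconds


@dataclass
class Registry:
    """Approved agents, revoked task credentials and the audit trail."""
    agents: dict = field(default_factory=dict)
    revoked_tasks: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def register(self, ident: AgentIdentity, now: float) -> None:
        # Control 1: no owner, purpose or future expiry means no identity.
        if not ident.owner or not ident.purpose:
            raise ValueError("agent identity needs an owner and a purpose")
        if ident.expires_at <= now:
            raise ValueError("agent identity expiry must be in the future")
        self.agents[ident.agent_id] = ident

    def issue_task_token(self, agent_id, task_id, tools, model, env, now, ttl=300):
        # Control 2: ephemeral, task-scoped credential instead of a standing secret.
        # Unknown (unregistered) agents are refused credentials outright.
        if agent_id not in self.agents:
            raise PermissionError("unknown agent: refuse to mint credentials")
        claims = {"agent": agent_id, "task": task_id, "tools": sorted(tools),
                  "model": model, "env": env, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(_SIGNING_KEY, body, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(sig).decode())

    def _decode(self, token):
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        expected = hmac.new(_SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        return json.loads(body)

    def authorize_tool_call(self, token, tool, model, env, now):
        # Control 3: policy is evaluated at request time, not at onboarding.
        claims = self._decode(token)
        decision, reason = "deny", ""
        if claims is None:
            reason = "bad signature"
        elif claims["agent"] not in self.agents:
            reason = "unknown agent"
        elif now >= claims["exp"] or now >= self.agents[claims["agent"]].expires_at:
            reason = "credential or identity expired"
        elif claims["task"] in self.revoked_tasks:
            reason = "task credential revoked"
        elif claims["model"] != model or claims["env"] != env:
            # Control 5: model or environment drift invalidates the credential.
            self.revoked_tasks.add(claims["task"])
            reason = "context changed; credential revoked"
        elif tool not in claims["tools"]:
            reason = f"tool {tool!r} outside task scope"
        else:
            decision, reason = "allow", "in scope"
        # Control 4: record the task context, not just the auth outcome.
        agent = claims.get("agent") if claims else None
        self.audit_log.append({
            "ts": now, "decision": decision, "reason": reason, "tool": tool,
            "agent": agent, "task": claims.get("task") if claims else None,
            "owner": self.agents[agent].owner if agent in self.agents else None,
        })
        return decision == "allow", reason

    def revoke_task(self, task_id):
        # Control 5 again: explicit revocation when the task ends.
        self.revoked_tasks.add(task_id)


def demo():
    """Walk one registered agent and one unknown agent through the controls."""
    now = 1_700_000_000.0  # fixed clock so the run is reproducible
    reg = Registry()
    reg.register(AgentIdentity("summarizer-01", "data-platform@example.test",
                               "summarise support tickets", now + 86400), now)
    tok = reg.issue_task_token("summarizer-01", "task-42", {"read_ticket"},
                               model="m-v1", env="prod", now=now)
    r1 = reg.authorize_tool_call(tok, "read_ticket", "m-v1", "prod", now + 10)
    r2 = reg.authorize_tool_call(tok, "delete_ticket", "m-v1", "prod", now + 10)
    r3 = reg.authorize_tool_call(tok, "read_ticket", "m-v2", "prod", now + 20)
    r4 = reg.authorize_tool_call(tok, "read_ticket", "m-v1", "prod", now + 30)
    try:  # an agent nobody registered never receives a credential
        reg.issue_task_token("shadow-agent", "task-99", {"read_ticket"}, "m-v1", "prod", now)
        unknown_blocked = False
    except PermissionError:
        unknown_blocked = True
    return r1, r2, r3, r4, unknown_blocked, reg.audit_log


if __name__ == "__main__":
    for entry in demo()[-1]:
        print(entry)
```

Calling `demo()` shows the sequence a reviewer would expect: the in-scope call is allowed, the out-of-scope tool is denied, a model change on the same token revokes it, the next call on that token is refused as revoked, and the unregistered agent cannot obtain a credential at all. Every audit entry carries the agent, task and owner, which is the governance evidence the text says unknown agents otherwise leave missing.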
These controls tend to break down in highly dynamic multi-agent pipelines because one agent can create, delegate to, or inherit trust from another faster than review workflows can keep up.
Where the Risk Model Breaks Down in Real Environments
Tighter identity governance often increases operational overhead, requiring organisations to balance faster agent deployment against stronger control evidence. That tradeoff is real, especially where teams are experimenting with autonomous assistants before standards have fully settled. There is no universal standard for this yet, so current guidance suggests using layered controls rather than assuming a single IAM policy will solve it.
Two common edge cases deserve attention. First, approved agents can still become high risk if their scopes are too broad or their secrets are reused across environments. Second, unknown agents may be discovered through logs, API traffic, or incident response only after they have already chained tool access in ways the original operator did not anticipate. NHIMG analysis in the 52 NHI Breaches Analysis and the broader Ultimate Guide to NHIs show that governance failures often emerge from identity lifecycle gaps, not from a single bad credential. The practical answer is to assume unknown agents are untrusted until they can prove workload identity, purpose, and revocation path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Covers agent misuse when identity and intent are not governed at runtime. |
| CSA MAESTRO | GOV-2 | Addresses agent ownership, oversight, and lifecycle controls for autonomous systems. |
| NIST AI RMF | GOVERN | Emphasises accountability and traceability for AI system behaviour. |
Require runtime authorization and scoped tool access for every autonomous agent action.