Accountability should sit with the business owner, but enforcement must be shared across HR, IT, and Security. HR defines the workforce event, IT removes access paths, and Security verifies the agent is no longer active. If those functions act in isolation, the organisation usually discovers the problem only after the agent has already outlived the employee.
Why This Matters for Security Teams
A zombie agent is not just a stale account issue. It is an active software identity that can keep calling tools, moving data, and triggering workflows after the employee who created or approved it has left. That makes workforce offboarding an identity, secrets, and automation problem at the same time. Current guidance suggests treating the agent as a distinct NHI with its own lifecycle, not as a side effect of human access removal, a view reinforced in Ultimate Guide to NHIs and the OWASP Agentic AI Top 10.
Accountability matters because a human manager can leave, but a long-lived token, API key, or delegated workflow will continue to execute unless someone owns revocation, validation, and post-exit monitoring. NIST's AI Risk Management Framework aligns with the operational reality that agentic systems need explicit governance across the full lifecycle, not only during build and deployment. In practice, many security teams encounter zombie agents only after an HR exit has already been processed while the automation trail remains live.
How It Works in Practice
In practical terms, accountability should be assigned to the business owner, but enforcement has to be shared. HR is responsible for the workforce event, IT is responsible for removing account paths, and Security is responsible for confirming the agent cannot still authenticate, refresh, or act through delegated access. That shared model is consistent with the CSA MAESTRO agentic AI threat modeling framework and with NHIMG's coverage of agent key abuse in the Moltbook AI agent keys breach.
A workable offboarding control set usually includes:
- Inventorying every agent, service account, token, and workflow the employee could influence.
- Binding each agent to a named business owner and an operational custodian.
- Revoking refresh tokens, certificates, API keys, and delegated scopes at exit time.
- Checking whether the agent has backup credentials, secrets manager entries, or CI/CD triggers that can re-enable it.
- Verifying inactivity through logs, not just ticket closure.
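The control set above can be exercised as code. The following is an added example, not code from the original page: it takes a constructed inventory (agents bound to a named owner and custodian, their credentials, secrets-manager entries and CI triggers), builds the revocation plan for one departing employee, and then verifies inactivity from constructed authentication log lines rather than from ticket closure. The agent names, credential references, log format and exit time are all assumptions made for illustration.

```python
"""Added example: offboarding revocation plan plus log-based inactivity check.
The inventory, log lines and field names below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Credential:
    kind: str   # refresh_token | api_key | certificate | delegated_scope
    ref: str    # identifier in the issuing system (constructed)


@dataclass
class Agent:
    agent_id: str
    owner: str                       # named business owner, accountable for the outcome
    custodian: str                   # operational custodian
    credentials: list[Credential]
    secret_paths: list[str] = field(default_factory=list)   # secrets-manager entries that could re-seed it
    ci_triggers: list[str] = field(default_factory=list)    # scheduled jobs / webhooks that can re-enable it


# Constructed inventory: alice is leaving; she owns one agent and is custodian of another.
INVENTORY = [
    Agent("bot-reports", owner="alice", custodian="ops-team",
          credentials=[Credential("refresh_token", "rt-1001"), Credential("api_key", "ak-2001")],
          secret_paths=["kv/agents/bot-reports/api_key"],
          ci_triggers=["cron:nightly-report"]),
    Agent("bot-deploy", owner="bob", custodian="alice",
          credentials=[Credential("certificate", "crt-3001"), Credential("delegated_scope", "repo:write")],
          ci_triggers=["webhook:deploy-on-merge"]),
    Agent("bot-unrelated", owner="carol", custodian="dave",
          credentials=[Credential("api_key", "ak-9999")]),
]


def influenced_agents(inventory, employee):
    """Every agent the departing employee could influence as owner or custodian."""
    return [a for a in inventory if employee in (a.owner, a.custodian)]


def revocation_plan(inventory, employee):
    """What must be revoked, cleared, disabled or reassigned at exit time for this employee."""
    plan = {"revoke": [], "clear_secrets": [], "disable_triggers": [], "reassign_owner": []}
    for a in influenced_agents(inventory, employee):
        plan["revoke"] += [(a.agent_id, c.kind, c.ref) for c in a.credentials]
        plan["clear_secrets"] += [(a.agent_id, p) for p in a.secret_paths]
        plan["disable_triggers"] += [(a.agent_id, t) for t in a.ci_triggers]
        if a.owner == employee:   # an agent left without a named owner is itself an orphan
            plan["reassign_owner"].append(a.agent_id)
    return plan


def parse_auth_log(line):
    """Parse one constructed log line: '<iso8601> agent=<id> event=<type> outcome=<result>'."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def verify_inactive(agent_ids, log_lines, exit_time):
    """Agents that still authenticated, refreshed or acted successfully after exit_time.
    Denied attempts after exit are expected noise; only successes mean the agent is live."""
    still_live = set()
    for line in log_lines:
        rec = parse_auth_log(line)
        if rec["agent"] in agent_ids and rec["ts"] > exit_time and rec["outcome"] == "success":
            still_live.add(rec["agent"])
    return still_live


# Constructed log lines around alice's exit at 11:00Z.
LOGS = [
    "2025-03-01T10:05:00Z agent=bot-reports event=auth outcome=success",
    "2025-03-01T11:45:00Z agent=bot-deploy event=auth outcome=denied",
    "2025-03-01T12:00:00Z agent=bot-reports event=token_refresh outcome=success",
    "2025-03-01T12:30:00Z agent=bot-unrelated event=auth outcome=success",
]
EXIT = datetime(2025, 3, 1, 11, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = revocation_plan(INVENTORY, "alice")
    ids = {a.agent_id for a in influenced_agents(INVENTORY, "alice")}
    print(plan)
    print("still live after exit:", verify_inactive(ids, LOGS, EXIT))  # {'bot-reports'}
```

The point of `verify_inactive` is that a successful token refresh by `bot-reports` an hour after the exit is the evidence that revocation did not take, even if the offboarding ticket was closed; a denied attempt by `bot-deploy` is the expected shape of a correctly revoked agent.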
Workload identity helps here because the control is not only about removing a password; it is about proving what the agent is at runtime, then shutting down that proof when the human relationship ends. For agents, static RBAC is often too blunt because behaviour can change by task, context, or tool chain. Best practice is evolving toward short-lived credentials, policy-as-code, and runtime authorization checks rather than a one-time access review. NHIMG’s AI LLM hijack breach coverage shows why delayed revocation becomes dangerous when credentials are reused quickly.
These controls tend to break down in environments where agents share secrets across teams, because a single offboarding event cannot reliably invalidate every downstream copy.
Common Variations and Edge Cases
Tighter offboarding often increases operational overhead, requiring organisations to balance clean revocation against automation continuity. That tradeoff is especially visible when the agent supports customer-facing workflows, research pipelines, or code generation systems that cannot simply be paused for manual review. There is no universal standard for this yet, but current guidance suggests treating high-impact agents differently from low-risk internal automations.
Edge cases usually involve one of three conditions: shared service accounts, orphaned secrets in secret stores, or agents that can self-trigger through scheduled jobs and webhooks. A person may leave, but the workflow remains active if another system still holds the token or if the agent can mint a fresh one from an unchanged trust path. That is why the accountability question should not be answered with a single name alone. The business owner is accountable for the outcome, while HR, IT, and Security each own specific control points.
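The short-lived credential and runtime authorization model described under "How It Works in Practice", and the "unchanged trust path" edge case above, can be shown together. The following is an added example, not code from the original page or from any of the cited frameworks: a toy issuer mints HMAC-signed tokens with a five-minute TTL only while the agent's trust path (agent enabled and owner still active) holds, and every call re-checks that trust path and a policy-as-code table instead of trusting a one-time access review. The directory, policy, signing key, agent names and timestamps are constructed assumptions; a real deployment would back the key with a KMS or HSM and read owner status from the HR system or IdP.

```python
"""Added example: short-lived agent tokens whose minting and use both depend on a live trust path.
Directory, policy, key and timings are constructed for illustration."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # constructed; use a KMS/HSM-backed key in practice
TOKEN_TTL = 300   # seconds; short-lived so an orphaned token expires on its own

# Constructed directory and policy-as-code; in practice sourced from HRIS/IdP and a policy repo.
DIRECTORY = {
    "people": {"alice": {"active": True}, "bob": {"active": True}},
    "agents": {"bot-reports": {"owner": "alice", "enabled": True},
               "bot-deploy": {"owner": "bob", "enabled": True}},
}
POLICY = {  # per-agent allowed (tool, action) pairs; everything else is denied
    "bot-reports": {("warehouse", "read"), ("mail", "send")},
    "bot-deploy": {("repo", "read"), ("cluster", "deploy")},
}


def trust_path_valid(agent_id):
    """The chain an agent mints or uses credentials through: agent enabled AND owner still active."""
    a = DIRECTORY["agents"].get(agent_id)
    return bool(a and a["enabled"] and DIRECTORY["people"].get(a["owner"], {}).get("active"))


def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(agent_id, now):
    """Issue a short-lived HMAC token, or None if the trust path is already broken."""
    if not trust_path_valid(agent_id):
        return None
    body = json.dumps({"sub": agent_id, "iat": now, "exp": now + TOKEN_TTL}, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return b64u(body) + "." + b64u(sig)


def authorize(token, tool, action, now):
    """Runtime check on every call: signature, expiry, live trust path, then policy."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = unb64u(body_b64), unb64u(sig_b64)
    except (AttributeError, ValueError, TypeError):
        return "deny:malformed"
    if not hmac.compare_digest(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest(), sig):
        return "deny:bad_signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return "deny:expired"
    if not trust_path_valid(claims["sub"]):          # the check a one-time RBAC review never repeats
        return "deny:trust_path_revoked"
    if (tool, action) not in POLICY.get(claims["sub"], set()):
        return "deny:policy"
    return "allow"


def offboard(person):
    """HR event: mark the person inactive; agents they own lose their trust path at once."""
    DIRECTORY["people"][person]["active"] = False


def scenario():
    """alice leaves at t=1000; bot-reports holds a token minted two minutes earlier."""
    DIRECTORY["people"]["alice"]["active"] = True   # reset so the walk-through is repeatable
    t0 = 1000
    tok = mint_token("bot-reports", now=t0 - 120)
    before = authorize(tok, "warehouse", "read", now=t0 - 60)
    offboard("alice")
    after = authorize(tok, "warehouse", "read", now=t0 + 60)          # still inside TTL, owner gone
    refresh = mint_token("bot-reports", now=t0 + 300)                  # scheduled job tries to refresh
    other = authorize(mint_token("bot-deploy", now=t0 + 300), "cluster", "deploy", now=t0 + 310)
    return {"before": before, "after": after, "refresh_minted": refresh is not None, "other_agent": other}


if __name__ == "__main__":
    print(scenario())
```

Two things the walk-through makes concrete: an unexpired token stops working the moment the owner's HR record flips, because authorization re-evaluates the trust path per call rather than per review; and the agent's scheduled refresh fails for the same reason, so it cannot mint a fresh credential from the old path. Agents owned by someone else are unaffected.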
For mature programs, the question becomes whether exit controls are tested the way access controls are tested. The State of Secrets in AppSec research underscores why this matters: leaked or fragmented secrets are slow to remediate, and that same pattern appears when zombie agents are left with usable credentials after offboarding. If the organisation cannot prove revocation within minutes or hours, not days, then the agent has effectively outlived the employee.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential lifecycle and revocation for non-human identities. |
| OWASP Agentic AI Top 10 | A-05 | Agentic systems need runtime controls when humans leave. |
| CSA MAESTRO | GOV-02 | Governance ownership is central to agent lifecycle accountability. |
| NIST AI RMF | GOVERN | AI governance requires accountability across the system lifecycle. |
Establish lifecycle accountability, offboarding checks, and evidence-based monitoring for agents.