A pattern where employees build and deploy AI agents outside central security review. These agents often connect directly to enterprise systems, creating identity, access, and accountability issues that look like shadow IT but behave more like shadow AI.
Expanded Definition
Bring Your Own Agents (BYOA) describes a workplace pattern where employees create or deploy autonomous AI agents outside central review, then let them operate with real enterprise access. In NHI security, the issue is not just that the agent exists, but that it may inherit tokens, API keys, browser sessions, or delegated permissions without any formal lifecycle controls. That makes BYOA a governance problem as much as a technical one.
Definitions vary across vendors, but the security concern is consistent: the agent can act independently, call tools, move data, and trigger workflows without clear ownership or approved policy boundaries. NHI Management Group treats BYOA as a shadow AI extension of shadow IT, with higher risk because the software may self-direct rather than merely execute static scripts. The most useful lens is to compare it with agent governance guidance in the OWASP Top 10 for Agentic Applications 2026 and the NIST AI Risk Management Framework, both of which emphasize controlled access, accountability, and lifecycle oversight.
The most common misapplication is treating BYOA as a harmless productivity experiment when an employee connects an unreviewed agent to production systems with standing credentials.
Examples and Use Cases
Implementing oversight for BYOA rigorously often introduces friction for employees, requiring organisations to weigh speed of experimentation against the cost of review, approval, and monitoring.
- An analyst builds an internal research agent that queries CRM data and sends summaries to a chat workspace, but no one has validated the agent’s tool permissions or retention behavior.
- A developer uses a personal automation agent to open tickets, update cloud resources, and read logs through long-lived API keys, creating an unmanaged service identity.
- A sales team member deploys a custom agent with access to email and shared drives, then forwards the workflow to colleagues without security review or offboarding rules.
- A business user connects a browser-based agent to a finance portal using a session token, then assumes the token will expire before the agent can reuse it elsewhere.
These situations map closely to the risk patterns discussed in NHI Management Group’s OWASP NHI Top 10 analysis and the NIST AI Risk Management Framework, which both stress that tool access must be intentional, bounded, and traceable.
Why It Matters in NHI Security
BYOA matters because every unreviewed agent can become a durable non-human identity with its own access path, privilege footprint, and audit gap. NHI Management Group reports that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, which makes unmanaged agents a direct obstacle to Zero Trust enforcement. When BYOA is ignored, organisations lose visibility into what data the agent touched, which secrets it used, and whether it should still exist after the employee changes roles or leaves.
The risk also extends to compromise propagation. A single exposed agent key can be reused across systems, especially when the agent has broad tool access or inherited permissions that were never designed for autonomous execution. The result is a blend of identity sprawl, privilege accumulation, and weak accountability that security teams often discover only after a suspicious workflow, data exfiltration, or anomalous API activity has already occurred. Organisations typically encounter BYOA as an incident-response problem only after an unapproved agent has already been used to access sensitive systems, at which point identity governance becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agent autonomy and tool misuse are core agentic AI risks in BYOA. |
| OWASP Non-Human Identity Top 10 | NHI-02 | BYOA often creates unmanaged secrets and service identities. |
| NIST AI RMF | AI RMF covers governance, mapping, and monitoring for AI systems. |
Require approval, tool scoping, and monitoring before any employee agent reaches enterprise systems.
