Why do KYC and KYE controls fall short for AI agents?

KYC and KYE verify identity at entry, but AI agents create risk at execution time. An agent can hold valid credentials and still act beyond intended scope if no control exists at the moment of consequence. That is why organisations need a distinct model for agent identity, authority and traceability.

Why This Matters for Security Teams

KYC and KYE are useful entry controls, but they are not execution controls. For AI agents, the real risk appears after onboarding, when a valid identity can still be used to chain tools, call APIs, or act outside the intent of the task. That is why agent governance must shift from “who was approved” to “what is this agent allowed to do right now.” Current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point toward runtime controls, not just enrollment checks.

NHI Management Group has repeatedly highlighted how exposed or overused credentials become the real failure point in AI-driven environments, including in its AI LLM hijack breach research and the OWASP NHI Top 10 coverage. In practice, many security teams discover this only after an agent has already used legitimate access in an unintended way, rather than through intentional testing of the task boundary.

How It Works in Practice

KYC verifies a human or organisation at onboarding. KYE extends that logic to “know the enterprise” using vetting, ownership and provenance. Neither model is sufficient when the workload itself is autonomous. An AI agent can start with a legitimate identity, then vary its actions based on prompt content, tool output, and environmental context. The control point therefore needs to move to the moment of execution.

Practically, that means treating the agent as a workload identity and issuing authority only when the request is understood. Current best practice is evolving toward intent-based authorisation, short-lived credentials, and policy evaluated at request time. That is consistent with the direction set by the CSA MAESTRO agentic AI threat modeling framework, the NIST AI Risk Management Framework, and NHI research on exposed secrets in The State of Secrets in AppSec report.

  • Use workload identity primitives such as OIDC or SPIFFE/SPIRE so the agent proves what it is before any tool call.
  • Issue JIT secrets per task, with tight TTLs and automatic revocation when the task completes.
  • Evaluate permissions at runtime with policy-as-code instead of relying only on static RBAC.
  • Separate task approval from authority approval so the same agent does not inherit open-ended access.
  • Log tool use, data access, and delegation steps so an investigator can reconstruct what happened later.
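The five controls above fit together as one request path: prove the workload identity, mint a task-scoped short-lived grant, evaluate policy per tool call against the live request context, revoke on completion, and write every decision to an audit trail an investigator can replay. The following Python is an added illustration of that path, not NHIMG's code or any vendor's implementation; the SPIFFE IDs, tool names, policy rules and request contexts are constructed examples, and the in-memory allowlist stands in for the attestation a real SPIFFE/SPIRE or OIDC issuer would perform.

```python
"""Runtime authorisation for an AI agent's tool calls.

Added illustration, not NHIMG's code. The SPIFFE IDs, tool names, policy
rules and request contexts below are constructed examples.
"""
from dataclasses import dataclass
import secrets
import time

# Constructed allowlist of workload identities that may receive task tokens.
# In a real deployment this is the SPIFFE ID or OIDC subject the agent proves
# through workload attestation, not a hard-coded set.
TRUSTED_AGENT_IDS = {"spiffe://example.org/agents/invoice-triage"}

# Constructed policy-as-code. Each rule runs at request time against the token's
# scope AND the request context, so the same identity can be allowed one call
# and denied the next depending on what it is actually trying to do.
POLICY = {
    "crm.read": lambda scope, ctx: "crm.read" in scope,
    "crm.write": lambda scope, ctx: (
        "crm.write" in scope and ctx.get("record_owner") == ctx.get("task_owner")
    ),
    "mail.send": lambda scope, ctx: (
        "mail.send" in scope and ctx.get("recipient_domain") == "example.org"
    ),
}

AUDIT_LOG: list[dict] = []      # append-only record for later reconstruction
REVOKED_TOKENS: set[str] = set()


@dataclass(frozen=True)
class TaskToken:
    """A JIT, task-scoped grant of authority with a short lifetime."""
    token_id: str
    agent_id: str
    task_id: str
    scope: frozenset
    expires_at: float


def _audit(event, token, tool, decision, ctx=None, now=None):
    AUDIT_LOG.append({
        "ts": time.time() if now is None else now,
        "event": event,
        "agent": token.agent_id,
        "task": token.task_id,
        "token": token.token_id,
        "tool": tool,
        "decision": decision,
        "ctx": dict(ctx or {}),
    })


def issue_task_token(agent_id, task_id, requested_scope, ttl_seconds=300, now=None):
    """Identity is verified first; authority is then bounded to one task and a TTL."""
    if agent_id not in TRUSTED_AGENT_IDS:
        raise PermissionError(f"unknown workload identity: {agent_id}")
    now = time.time() if now is None else now
    token = TaskToken(
        token_id=secrets.token_hex(8),
        agent_id=agent_id,
        task_id=task_id,
        scope=frozenset(requested_scope),
        expires_at=now + ttl_seconds,
    )
    _audit("token_issued", token, tool=None, decision="issued", now=now)
    return token


def revoke_task_token(token):
    """Called when the task completes so the grant cannot be reused afterwards."""
    REVOKED_TOKENS.add(token.token_id)
    _audit("token_revoked", token, tool=None, decision="revoked")


def authorize_tool_call(token, tool, ctx, now=None):
    """The control point at the moment of consequence: decide per call, log every outcome."""
    now = time.time() if now is None else now
    if token.token_id in REVOKED_TOKENS:
        decision = "deny:revoked"
    elif now >= token.expires_at:
        decision = "deny:expired"
    elif tool not in POLICY:
        decision = "deny:unknown_tool"
    elif not POLICY[tool](token.scope, ctx):
        decision = "deny:policy"
    else:
        decision = "allow"
    _audit("tool_call", token, tool=tool, decision=decision, ctx=ctx, now=now)
    return decision == "allow"


def reconstruct_task(task_id):
    """Investigator view: every issuance, call and revocation for one task, in order."""
    return [e for e in AUDIT_LOG if e["task"] == task_id]


if __name__ == "__main__":
    t = issue_task_token("spiffe://example.org/agents/invoice-triage", "task-42", {"crm.read"})
    print(authorize_tool_call(t, "crm.read", {}))                                     # True
    print(authorize_tool_call(t, "mail.send", {"recipient_domain": "example.org"}))  # False: not in scope
    revoke_task_token(t)
    for entry in reconstruct_task("task-42"):
        print(entry["event"], entry["tool"], entry["decision"])
```

The point of the design is that task approval (which scope the token carries) and authority approval (whether this specific call passes policy now) are separate decisions, and that a denied call leaves the same audit footprint as an allowed one. Deny reasons are distinct strings so that detection logic can alert on an unusual rate of `deny:policy` or `deny:revoked` for a single agent identity rather than on the bare fact of a failure.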

This approach aligns with the threat pattern described in NHI research such as the Moltbook AI agent keys breach, where exposed keys became the enabler for downstream abuse. These controls tend to break down when agents operate across multiple SaaS tools and untrusted plugins because the policy boundary becomes fragmented.

Common Variations and Edge Cases

Tighter runtime control often increases friction, so organisations have to balance speed against containment. That tradeoff is real in agentic systems because some workflows need broad tool access for a short period, while others need narrow access for a longer sequence of steps.

There is no universal standard for this yet, especially for multi-agent pipelines, delegated sub-agents, and human-in-the-loop escalation paths. Some teams treat KYE as a procurement control and then add separate agent guardrails for execution. Others collapse everything into identity proofing, which is usually too coarse. The more robust pattern is to combine identity verification, workload authentication, and context-aware policy at each action boundary, not just at signup.

Best practice is also evolving around shadow agents and indirect access. A main agent may be well governed, while a subordinate agent, browser extension, or tool plugin inherits credentials and exceeds the intended scope. That is why NHIMG’s Ultimate Guide to NHIs — Standards and the external NIST SP 800-63 Digital Identity Guidelines are useful starting points, but not complete answers for autonomous systems. In high-friction environments such as regulated operations, long-running research agents, or customer-facing copilots, KYC and KYE should be treated as one input to governance, not the governance model itself.
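The shadow-agent failure described above is a delegation problem: a subordinate agent, browser extension or plugin receives the parent's credential wholesale and so holds the parent's full authority. The control at that boundary is attenuation, where a child grant must be a subset of the parent's scope, expire no later than the parent, and sit within a bounded delegation depth. The Python below is an added example of that check, not NHIMG's code; the principal names, scopes, lifetimes and the depth limit are constructed, and `audit_chain` goes a step beyond the text by reviewing grants that were issued outside the governed path, as an investigator reconstructing a chain from logs would.

```python
"""Scope attenuation for delegated sub-agents, plugins and extensions.

Added illustration, not NHIMG's code. Principal names, scopes, lifetimes and
the depth limit are constructed examples.
"""
from dataclasses import dataclass
from typing import Optional

MAX_DELEGATION_DEPTH = 2   # constructed limit: hops tolerated from the original task grant


@dataclass(frozen=True)
class AuthorityGrant:
    principal: str                # the agent, sub-agent or plugin holding this grant
    scope: frozenset              # actions it may perform
    expires_at: float             # absolute expiry; children may only be shorter
    depth: int = 0                # 0 for the task grant, +1 per delegation hop
    parent: Optional[str] = None  # principal this grant was derived from


def delegate(parent: AuthorityGrant, child_principal: str, requested_scope, requested_expiry: float) -> AuthorityGrant:
    """Mint a child grant that is provably a subset of the parent's authority.

    A plugin that simply inherits the parent's credential can do everything the
    parent can. Forcing every hand-off through this function is what makes
    'inherits credentials and exceeds the intended scope' a rejected request
    at the delegation boundary rather than a finding after the fact.
    """
    requested = frozenset(requested_scope)
    excess = requested - parent.scope
    if excess:
        raise PermissionError(f"{child_principal} requested {sorted(excess)} beyond parent scope")
    if requested_expiry > parent.expires_at:
        raise PermissionError(f"{child_principal} requested a lifetime past the parent expiry")
    if parent.depth + 1 > MAX_DELEGATION_DEPTH:
        raise PermissionError(f"{child_principal}: delegation chain too deep")
    return AuthorityGrant(child_principal, requested, requested_expiry, parent.depth + 1, parent.principal)


def audit_chain(grants):
    """Return (ok, findings) for grants already in circulation, e.g. rebuilt from logs.

    Covers the case where a third-party plugin obtained a credential outside the
    delegate() path and you need to know whether it exceeds its stated parent.
    """
    by_name = {g.principal: g for g in grants}
    findings = []
    for g in grants:
        if g.parent is None:
            continue   # root task grant; nothing to compare against
        p = by_name.get(g.parent)
        if p is None:
            findings.append(f"{g.principal}: parent {g.parent} not in chain")
            continue
        if not g.scope <= p.scope:
            findings.append(f"{g.principal}: scope exceeds parent by {sorted(g.scope - p.scope)}")
        if g.expires_at > p.expires_at:
            findings.append(f"{g.principal}: outlives parent")
        if g.depth > MAX_DELEGATION_DEPTH:
            findings.append(f"{g.principal}: depth {g.depth} over limit")
    return (not findings, findings)


if __name__ == "__main__":
    root = AuthorityGrant("agent/main", frozenset({"crm.read", "crm.write"}), 2000.0)
    summariser = delegate(root, "plugin/summariser", {"crm.read"}, 1500.0)
    print(summariser)
    try:
        delegate(root, "ext/browser", {"crm.read", "mail.send"}, 1500.0)
    except PermissionError as e:
        print("rejected:", e)
```

Attenuation alone does not solve multi-agent pipelines, which the text notes have no settled standard, but it turns the most common inheritance mistake into a loud, logged refusal instead of silent over-privilege, and `audit_chain` gives a response team a way to test an existing pipeline against the same rule.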

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
------------------------|---------------------|----------------------------------------------------------------------------
OWASP Agentic AI Top 10 | A2                  | Agent misuse is central when valid identities act beyond intended scope.
CSA MAESTRO             | TR-3                | MAESTRO addresses agentic threat modeling and execution-time control gaps.
NIST AI RMF             | GOVERN              | AI RMF governance covers accountability and oversight for autonomous agents.

Model tool chaining, delegation, and escalation before granting agent authority.