What breaks is the assumption that access is stable, reviewable, and tied to a single human owner. AI agents can call tools, change scope, and execute within runtime workflows, so standard IAM review cycles may miss the real moment of risk. Governance needs to move closer to execution and delegated authority.
Why This Matters for Security Teams
Standard IAM is built around stable identities, predictable entitlements, and periodic review. AI agents break that model because they operate inside live workflows, choose actions dynamically, and can chain tool calls in ways that are not obvious at provisioning time. The result is not just excess permission, but misaligned delegation: an agent may appear compliant on paper while still being able to reach sensitive data, invoke downstream tools, or expand scope at runtime.
This is why agent governance is increasingly framed through the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework, not just access review checklists. NHIMG’s AI Agents: The New Attack Surface report shows why this matters operationally: 80% of organisations report that their AI agents have already performed actions beyond their intended scope, yet only 44% have implemented policies to govern them. In practice, many security teams encounter the breach only after an agent has already used valid access to do something unexpected, rather than through a planned review.
How It Works in Practice
The core failure is treating an AI agent like a person with a fixed job description. A human user can be mapped to RBAC roles and reviewed periodically. An agent, by contrast, needs authority that is tied to a task, a context, and an execution window. Best practice is evolving toward runtime decisioning, short-lived credentials, and workload identity instead of durable standing access.
That means three things matter most:
- Workload identity should prove what the agent is at execution time, using mechanisms such as SPIFFE/SPIRE or OIDC-backed workload tokens, rather than assuming a human owner can vouch for every action.
- JIT credentials should be issued per task, scoped narrowly, and revoked automatically when the workflow ends. Long-lived secrets make autonomous escalation far easier.
- Policy evaluation should happen at request time, not only during onboarding. Current guidance suggests policy-as-code approaches, such as OPA or Cedar, because the relevant context is the actual action the agent is attempting now.
NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because it frames identity as something that must be continuously governed, not just issued. The same logic appears in CSA MAESTRO agentic AI threat modeling framework and the NIST AI Risk Management Framework, both of which emphasize context, monitoring, and lifecycle controls over static trust. These controls tend to break down when an agent can discover new tools during execution, because preapproved scopes no longer match the actual sequence of actions.
Common Variations and Edge Cases
Tighter delegated access often increases operational overhead, requiring organisations to balance speed against containment. That tradeoff becomes sharper when agents are allowed to act across multiple systems, because each additional tool multiplies the number of decision points that must be controlled.
There is no universal standard for this yet. Some teams use a hybrid model: a baseline agent identity with per-action authorization checks, plus human approval only for high-impact steps. Others place hard limits on tool classes, such as read-only access by default and separate approval for write, delete, or transfer actions. The right pattern depends on whether the agent is assisting a workflow, fully executing it, or coordinating with other agents.
Edge cases also matter. Shared agents, multi-tenant deployments, and vendor-hosted orchestration layers make owner-based accountability weaker, because the person who requested the agent is not always the person who can explain its runtime behaviour. NHIMG’s Top 10 NHI Issues and the OWASP Non-Human Identity Top 10 both reinforce the same operational point: if the identity is non-human, governance must account for machine speed, machine sprawl, and machine error. In the most fragile environments, static IAM breaks down when an agent inherits broad API keys and can move from a harmless lookup to a sensitive write action without a fresh policy decision.
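The following is a worked example added here (not code from the page or from any of the frameworks it cites): a small Python simulation of the hybrid pattern described above, combining a task-scoped grant with an execution window, a fresh policy decision on every tool call, and human approval for write, delete and transfer actions. The tool names, the grant structure, the SPIFFE-style agent identifier and the approval set are constructed for illustration; a real deployment would back them with a workload identity provider and a policy engine such as OPA or Cedar.

```python
import time
from dataclasses import dataclass, field

# Tool classes follow the page's pattern: read-only by default, while write,
# delete and transfer actions need an explicit human approval per task.
HIGH_IMPACT = {"write", "delete", "transfer"}


@dataclass
class TaskGrant:
    """Constructed stand-in for a short-lived, task-scoped credential."""
    agent_id: str      # workload identity, assumed already verified (e.g. a SPIFFE ID)
    task_id: str
    tools: frozenset   # tools pre-approved for this task only
    expires_at: float  # end of the execution window, epoch seconds
    approvals: set = field(default_factory=set)  # (tool, action) pairs a human approved


def issue_grant(agent_id, task_id, tools, ttl_seconds, now=None):
    """JIT issuance: narrow tool scope and a hard expiry instead of standing access."""
    now = time.time() if now is None else now
    return TaskGrant(agent_id, task_id, frozenset(tools), now + ttl_seconds)


def revoke(grant, now=None):
    """Called when the workflow ends; the grant becomes unusable immediately."""
    grant.expires_at = time.time() if now is None else now


def authorize(grant, tool, action, now=None):
    """Request-time policy decision for one tool call. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if now >= grant.expires_at:
        return False, "grant expired"
    if tool not in grant.tools:
        # A tool discovered during execution is outside the pre-approved scope.
        return False, "tool not in task scope"
    if action in HIGH_IMPACT and (tool, action) not in grant.approvals:
        return False, "high-impact action needs human approval"
    return True, "ok"


def run_workflow(grant, calls, now=None):
    """Evaluate a chain of (tool, action) calls; every step gets a fresh decision."""
    trace = []
    for tool, action in calls:
        allowed, reason = authorize(grant, tool, action, now)
        trace.append((grant.task_id, tool, action, allowed, reason))
        if not allowed:
            break  # stop the chain at the first denial rather than continuing
    return trace
```

The returned trace doubles as the audit record: each entry ties the decision to the task, the tool and the reason, which is what a reviewer needs after the fact when owner-based accountability is weak.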
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | N/A | Agentic systems need runtime authorization and tool-scope limits. |
| CSA MAESTRO | N/A | MAESTRO focuses on threat modeling agent workflows and delegated authority. |
| NIST AI RMF | GOVERN and MAP functions | AI RMF addresses governance, monitoring, and accountability for AI risk; apply GOVERN and MAP practices to define oversight, context, and escalation controls. |