Access reviews often miss agentic risk because they look for persistent entitlements rather than short-lived, behaviour-driven authority. An agent may obtain and use privilege inside a single workflow, leaving little to certify later. That means review cycles alone are not enough to prove governance, especially for high-impact actions.
Why Access Reviews Miss the Real Risk in Agentic Identities
Traditional access reviews are built to certify persistent entitlements, but agentic identities often create risk through short-lived, task-specific authority. The problem is not just whether an agent has access, but what it can do during a single workflow, which may include tool chaining, data movement, and privilege escalation. Current guidance suggests reviewing agent behaviour, not only assigned roles, because static certification cannot prove safe execution in autonomous systems.
This gap matters because agentic workloads are already behaving outside intended scope in many environments. NHIMG research in the AI Agents: The New Attack Surface report found that 80% of organisations say their AI agents have already performed actions beyond their intended scope. That is exactly why access reviews become a weak control when they are used as the primary governance mechanism. The review may be clean even when the workflow was not.
Security teams also tend to overapply human IAM assumptions to autonomous systems. The right question is not “who should hold this role?” but “what did the agent invoke, with which context, and under what policy constraints?” In practice, many security teams encounter agent abuse only after the action has completed, rather than through intentional review cycles.
How It Works in Practice
For agentic identities, governance needs to shift from periodic certification to runtime control. Best practice is evolving toward workload identity, short-lived credentials, and real-time policy evaluation. Instead of granting broad standing entitlements and asking reviewers to bless them later, an organisation should issue ephemeral access per task, bound to the agent’s workload identity and the exact action being requested. The NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 both support the broader move toward context-aware control.
Operationally, that means access reviews should be supplemented with controls that answer four runtime questions:
- What identity proved this was the agent, not a spoofed caller?
- What task or intent justified the request?
- What resources were reachable for this exact transaction?
- What was automatically revoked when the task ended?
NHIMG guidance in the Ultimate Guide to NHIs and the 52 NHI Breaches Analysis shows the recurring failure pattern: long-lived secrets and broad entitlements outlive the workflow that justified them. That is why static certification is insufficient for autonomous systems. Reviews can confirm ownership, but they cannot reconstruct every decision an agent made mid-run. These controls tend to break down when agents can chain tools across multiple services because the effective privilege path is created dynamically, not pre-declared.
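The four runtime questions above can be enforced and recorded at the point of each call. The sketch below is an added example, not NHIMG code: the HMAC attestation stands in for a real workload identity proof, and the key, policy table, agent names and resource names are all constructed for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

# Constructed sample data: attestation key, policy table and names are hypothetical.
ATTEST_KEY = b"demo-attestation-key"
POLICY = {  # task intent -> the only (action, resource) pairs reachable for it
    "refund-ticket-4821": {("read", "crm/ticket/4821"), ("write", "billing/refund")},
}

@dataclass
class Grant:
    token: str
    agent: str
    task: str
    scope: frozenset
    expires: float
    revoked: bool = False

def attest(agent: str) -> str:
    """Stand-in for a workload identity proof (assumption: a shared HMAC key)."""
    return hmac.new(ATTEST_KEY, agent.encode(), hashlib.sha256).hexdigest()

def issue(agent, proof, task, now, ttl=60.0):
    """Q1: verify identity. Q2: require a known task. Q3: scope is that task's pairs only."""
    if not hmac.compare_digest(proof, attest(agent)):
        raise PermissionError("identity proof failed")
    if task not in POLICY:
        raise PermissionError("no policy for task")
    return Grant(secrets.token_hex(16), agent, task, frozenset(POLICY[task]), now + ttl)

def authorize(grant, agent, action, resource, now, audit):
    """Evaluate every call at runtime and record the decision for later review."""
    if grant.revoked:
        reason = "revoked"
    elif now >= grant.expires:
        reason = "expired"
    elif agent != grant.agent:
        reason = "wrong-agent"
    elif (action, resource) not in grant.scope:
        reason = "out-of-scope"
    else:
        reason = "allow"
    audit.append({"agent": agent, "task": grant.task, "action": action,
                  "resource": resource, "decision": reason})
    return reason == "allow"

def end_task(grant):
    """Q4: revoke when the task ends, so no standing entitlement outlives the workflow."""
    grant.revoked = True
```

The audit list is what a reviewer would examine in place of an entitlement list: it shows each call the agent attempted during the task, including the denied ones.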
Common Variations and Edge Cases
Tighter agent controls often increase operational overhead, requiring organisations to balance governance quality against workflow latency and engineering complexity. That tradeoff becomes sharper in multi-agent systems, where one agent delegates to another and the access path is no longer obvious to reviewers.
There is no universal standard for this yet, but current guidance suggests three common variations. First, low-risk agents may be handled with frequent certification plus narrow standing entitlements, though that is only defensible when actions are truly limited. Second, higher-risk agents should use just-in-time credentials and policy-as-code enforcement, with approvals attached to the task rather than the role. Third, high-impact environments should treat agent identity as a workload identity problem, using cryptographic proof and continuous telemetry instead of relying on review evidence alone.
Edge cases include agents that operate across human and machine contexts, shared service identities, and shadow agents created by developers outside central IAM. In those environments, an access review may still help with inventory and accountability, but it cannot be the control that proves safety. For practical threat modeling, the CSA MAESTRO agentic AI threat modeling framework is useful because it focuses on runtime behaviour and delegation paths rather than only entitlement lists. The main failure point is environments where tools are composable and agent actions are opaque, because reviewers can certify the label on the identity without seeing the real blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agentic risk is dynamic, so periodic reviews miss runtime abuse and chained actions. |
| CSA MAESTRO | | MAESTRO focuses on agent workflows and delegation, which reviews often fail to capture. |
| NIST AI RMF | | AI RMF governance requires accountability for autonomous behaviour, not just assigned access. |
Move from certification-only reviews to runtime controls that evaluate agent intent and tool use per task.