
Why do AI agents create a bigger compliance problem than static models?

AI agents create a bigger problem because they take actions, not just predictions. That introduces runtime accountability, intervention requirements, and traceability for sequences of decisions. If the programme only governs model output, it misses the actual compliance event, which is the agent’s action and the evidence attached to it.

Why This Matters for Security Teams

Static models mainly create a governance question about content quality, bias, and safe use. AI agents create a compliance question about execution: what the system decided to do, what tools it touched, what data it accessed, and whether those actions stayed inside approved boundaries. That shifts the control point from model review to runtime accountability, which is a much harder audit problem. Current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point toward lifecycle oversight, not just prompt or model review.

NHI research shows why this matters operationally: the 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced or suspect a breach of non-human identities, which is a useful proxy for how fast machine identities become control failures when they are not tightly governed. For agents, that risk expands because the identity is not just present, it is actively acting. In practice, many security teams encounter the compliance gap only after an agent has already accessed a sensitive system or chained tools in an unexpected sequence, rather than through intentional design.

How It Works in Practice

The practical difference is that agents need controls around every task, not just a one-time approval of the underlying model. A compliant agent workflow usually combines workload identity, short-lived credentials, and policy checks at request time. Identity proves what the agent is, while authorisation decides whether the action is acceptable in the current context. That is closer to the thinking behind the CSA MAESTRO agentic AI threat modeling framework than to traditional application governance.

  • Use workload identity for the agent itself, not shared human credentials.
  • Issue just-in-time, ephemeral secrets for a single task or bounded session.
  • Evaluate policy at runtime with context such as task intent, data sensitivity, and tool scope.
  • Log each tool call, external request, approval step, and data retrieval as an auditable event.

This is where frameworks and guides such as the NIST AI Risk Management Framework and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives converge: both push teams toward evidence, traceability, and accountability rather than broad trust. The point is not to eliminate autonomy, but to constrain it with controls that can be inspected after the fact and enforced before each action. These controls tend to break down when an agent operates across many SaaS tools and shadow APIs, because the policy boundary becomes fragmented and logs lose end-to-end continuity.

Common Variations and Edge Cases

Tighter runtime control often increases latency and operational overhead, so organisations have to balance fast agent execution against stronger evidence capture. That tradeoff is acceptable for low-risk summarisation, but it becomes much harder for agents that can send emails, modify records, move funds, or trigger downstream workflows. Best practice is evolving here, and there is no universal standard for exactly how much autonomy should be allowed in each class of task.

One edge case is a supervised agent that recommends actions but never executes them. That may look closer to a static model, yet compliance still depends on whether humans can reliably review, reject, and record the final action. Another edge case is delegated access through long-lived service accounts. That pattern remains common, but it weakens accountability because the identity is persistent and the action trail is harder to tie to a specific task. For that reason, the Top 10 NHI Issues and the OWASP Agentic Applications Top 10 both remain relevant as practical guidance. The main exception is tightly bounded offline inference, where the system never acts on external tools or data, because the compliance exposure is materially lower than for autonomous tool-using agents.
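The runtime workflow described in "How It Works in Practice" (workload identity for the agent, a task-scoped ephemeral credential, policy evaluated at request time, and every tool call logged as an auditable event) together with the supervised-agent and long-lived-service-account edge cases above, as one added Python example. This is illustrative code written for this page, not code from the journal or from any of the frameworks it cites. The tool catalogue, the HMAC-signed token format, the policy rules, and the agent and task names are constructed assumptions; a real deployment would obtain the credential from a workload identity issuer and delegate the decision to a policy engine rather than the in-process dictionary used here.

```python
"""Minimal tool-call gateway for an AI agent (added example, assumptions throughout).

Each tool call is tied to: the agent's workload identity (token subject), one task
(task id in the token), a tool scope, a runtime policy decision, and a ledger event.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

SIGNING_KEY = secrets.token_bytes(32)  # constructed: issuer key for the demo tokens

# Constructed tool catalogue: what each tool touches and whether its effect is reversible.
TOOLS = {
    "read_ticket":   {"irreversible": False},
    "send_email":    {"irreversible": True},
    "update_record": {"irreversible": True},
}


def issue_task_token(agent_id, task_id, allowed_tools, ttl_s=300):
    """Mint a short-lived credential bound to one agent, one task and a tool scope.

    Unlike a long-lived service account, the task id travels with every action,
    so each ledger event can be tied back to the task that caused it.
    """
    claims = {"sub": agent_id, "task": task_id,
              "scope": sorted(allowed_tools), "exp": time.time() + ttl_s}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, sig


def verify_task_token(body, sig, now=None):
    """Return the claims if the signature is valid and the token has not expired."""
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return None
    return claims


def evaluate_policy(claims, tool, data_sensitivity):
    """Decide at request time using task scope, tool risk and data sensitivity."""
    if tool not in claims["scope"]:
        return "deny", "tool outside task scope"
    if data_sensitivity == "restricted":
        return "deny", "restricted data not permitted for autonomous agents"
    if TOOLS[tool]["irreversible"]:
        return "require_approval", "irreversible action needs human sign-off"
    return "allow", "within scope"


@dataclass
class Gateway:
    """Single enforcement point: every tool call passes through here and is recorded."""
    ledger: list = field(default_factory=list)

    def _record(self, **event):
        event["ts"] = time.time()
        self.ledger.append(event)
        return event

    def call_tool(self, body, sig, tool, data_sensitivity, approver=None, now=None):
        claims = verify_task_token(body, sig, now)
        if claims is None:
            return self._record(task=None, agent=None, tool=tool, decision="deny",
                                reason="invalid or expired credential", executed=False)
        decision, reason = evaluate_policy(claims, tool, data_sensitivity)
        if decision == "require_approval":
            if approver is None:
                decision = "pending"  # supervised mode: recommend, do not execute
            else:  # the human's verdict and identity become part of the record
                decision = "allow" if approver["approved"] else "deny"
                reason = f"reviewed by {approver['by']}: {reason}"
        executed = decision == "allow"
        return self._record(task=claims["task"], agent=claims["sub"], tool=tool,
                            data_sensitivity=data_sensitivity, decision=decision,
                            reason=reason, executed=executed)


def run_demo():
    """Constructed task: the agent may read tickets and send email, nothing else."""
    gw = Gateway()
    body, sig = issue_task_token("agent-support-01", "task-42", ["read_ticket", "send_email"])
    gw.call_tool(body, sig, "read_ticket", "internal")                      # allow
    gw.call_tool(body, sig, "update_record", "confidential")                # deny: out of scope
    gw.call_tool(body, sig, "send_email", "internal")                       # pending: needs review
    gw.call_tool(body, sig, "send_email", "internal",
                 approver={"by": "alice", "approved": True})                # allow after sign-off
    gw.call_tool(body, sig, "read_ticket", "internal", now=float("inf"))    # deny: expired
    return [(e["tool"], e["decision"], e["executed"]) for e in gw.ledger]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The ledger, not the agent's own reasoning trace, is the compliance evidence: each event names the agent, the task, the tool, the data sensitivity, the decision and, where a human was involved, who signed off. The "pending" outcome is the supervised pattern from the edge case above, where the agent can only recommend an irreversible action until a recorded human decision turns it into an "allow" or a "deny".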

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Agentic AI Top 10 | A2 | Agent tool use and autonomy create runtime compliance risk. |
| CSA MAESTRO | | Focuses on threat modeling and governance for agentic systems. |
| NIST AI RMF | GOVERN | AI RMF governance covers accountability for autonomous decisions. |

Map each agent workflow to threat scenarios, trust boundaries, and required controls.