They should define agent-specific identity controls before scaling. That means narrowing tool access, documenting delegated permissions, assigning ownership, and deciding how agent activity will be reviewed or terminated. If those controls are built after rollout, the organisation will inherit a much larger identity surface than it can govern confidently.
Why This Matters for Security Teams
Before AI agents scale, the main risk is not just more logins or more secrets, but more autonomous action with less predictable oversight. That changes identity from a static access list into a live control problem. Current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point to the same operational issue: organisations need governance before scale, not after an agent estate has already multiplied.
NHIMG research shows why this matters in practice. In the AI Agents: The New Attack Surface report, 80% of organisations said their AI agents had already acted beyond intended scope, while only 44% had any policies in place to govern them. That gap is exactly where expansion becomes dangerous: each new agent can inherit broad tool access, stale permissions, and unclear ownership if controls are improvised later. Security teams often assume existing IAM, PAM, and review workflows will stretch to cover agents, but autonomous behaviour breaks that assumption. In practice, many security teams encounter agent overreach only after sensitive data has already been accessed or disclosed, rather than through intentional control design.
How It Works in Practice
Organisations should treat agent rollout as a design exercise in workload identity, delegated authority, and runtime enforcement. That means defining what each agent is allowed to do, which tools it can call, what data it can touch, and who is accountable for its output. Static, role-based access often fails here because agents do not behave like human users; they act toward goals, chain tools, and change tactics based on context.
A stronger pattern is emerging: issue just-in-time credentials for a specific task, keep them short-lived, and revoke them automatically when the task completes. Where possible, bind the agent to a workload identity rather than a shared secret. Practitioners often look to standards such as SPIFFE-style workload identity and runtime policy engines, because they authenticate what the agent is and evaluate what it may do at request time. That runtime approach aligns with the CSA MAESTRO agentic AI threat modeling framework and the OWASP NHI Top 10, both of which emphasise reducing standing privilege and controlling tool access.
- Document each agent’s delegated permissions before deployment.
- Separate agent ownership from platform ownership, so review and termination are clear.
- Prefer short-lived tokens, not long-lived static secrets, for tool and API access.
- Evaluate policy at runtime using context, not only pre-approved role assignments.
- Log every tool call, data access event, and termination action for auditability.
These controls tend to break down when agents are allowed to share credentials across workflows, because attribution and revocation become ambiguous.
Common Variations and Edge Cases
Tighter agent controls often increase operational overhead, requiring organisations to balance agility against governance depth. That tradeoff is real, especially in environments where teams want to prototype quickly or where multiple agents share the same downstream tools. Current guidance suggests the safest approach is to start with narrow permissions and expand only after use cases are proven and reviewed.
There is no universal standard for agent governance yet, so organisations should expect some inconsistency across vendors and control models. For high-risk use cases, such as access to production systems, customer data, or code deployment pipelines, teams should prefer explicit approval gates and time-bound privileges. For lower-risk internal assistants, lighter controls may be acceptable, but only if access is still traceable and revocable. NHIMG’s reporting on AI agent overreach and secret exposure in The State of Secrets in AppSec shows why static secrets and fragmented management become weak points quickly, especially when agents are added faster than governance can adapt.
In short, the safest expansion pattern is to prove identity, constrain tools, and define accountability first, then scale only when monitoring and termination processes can keep pace.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Addresses agent tool misuse and unsafe autonomy before deployment scale. |
| CSA MAESTRO | GOV-01 | Requires governance, ownership, and control boundaries for agent deployments. |
| NIST AI RMF | Supports AI risk governance, oversight, and lifecycle controls for agents. |
Assign accountable owners and predefine delegated authority before agents reach production.
Related resources from NHI Mgmt Group
- When should organisations treat an AI agent as a privileged system?
- Should organisations prioritise AI agent governance before expanding autonomous workflows?
- What is the difference between human identity governance and AI agent governance?
- When does AI agent access create more risk than it reduces?
