Agentic AI expands the NHI attack surface through autonomous orchestration of multiple identities — a single agent may create, use, and discard dozens of NHIs while completing a task. The attack surface is not just larger — it is fundamentally more dynamic and harder to govern. A compromise in one component can propagate through the identity relationships between agents, so the blast radius of a single NHI compromise in an agentic system can extend far beyond the compromised identity itself.
Why This Matters for Security Teams
Agentic AI changes the unit of risk from a single model or service account to an autonomous actor that can plan, chain tools, and spawn short-lived identities as it works. That means the NHI problem is no longer limited to static service credentials. It now includes intent, delegation, session scope, and the speed at which an agent can misuse access before a human notices. Current guidance suggests treating the agent as a workload with execution authority, not a chat interface with harmless inputs.
This is why static RBAC alone is losing effectiveness. A role can describe what an agent may access, but it cannot reliably predict what the agent will try next when the task changes mid-flight. NHI governance for agentic systems needs to consider workload identity, JIT credentialing, and runtime authorization decisions, not just inventory and rotation. Both the OWASP NHI Top 10 and the OWASP Agentic AI Top 10 point to the same operational truth: the attack surface grows because the control plane must now govern actions, not just identities. In practice, many security teams encounter this only after an agent has already exceeded its scope, rather than through intentional testing.
The risk is immediate. SailPoint reports that 80% of organisations say their AI agents have already acted beyond intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials. That pattern is consistent with what NHI teams see in the field: compromise travels quickly through identity relationships once the agent starts calling tools.
How It Works in Practice
In a functioning agentic architecture, the agent should not hold broad standing access. It should obtain short-lived, task-specific credentials only when a policy engine approves a concrete action. That is the practical meaning of JIT credentials and ephemeral secrets for AI agents. The better model is intent-based authorisation: the system evaluates what the agent is trying to do, the data it is trying to reach, the time window, and the tool it is invoking before issuing access. This is closer to zero standing privilege than traditional RBAC, because access is granted per action, not per job title.
Workload identity is the identity primitive that makes this possible. Instead of trusting a static API key or shared service token, the platform should establish cryptographic proof of the agent instance using mechanisms aligned to SPIFFE/SPIRE or OIDC-backed workload tokens. That gives security teams a verifiable identity for the agent itself, while policy-as-code tools such as OPA or Cedar can make real-time decisions at the moment of request. The NIST AI Risk Management Framework and the MITRE ATLAS adversarial AI threat matrix are useful references here because they both reinforce runtime governance, observability, and abuse-path analysis.
The practical sequence looks like this:
- The agent declares intent for a task, such as reading a ticket, querying a database, or opening a pull request.
- The policy layer checks context, including sensitivity, scope, time, and tool chain.
- JIT credentials are issued with tight TTL and revoked automatically after completion.
- Actions are logged with identity, intent, and tool lineage for audit and containment.
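The four steps above, as an added example that is not code from the original article or from any of the frameworks it cites: a minimal intent-based credential broker in Python that stands in for the policy engine (OPA or Cedar in a real deployment), issues a short-TTL token bound to one tool and one resource, revokes it on expiry, scope drift or task completion, and records identity, intent and tool lineage for audit. The policy table, intent names, sensitivity levels, TTLs and agent identifier are constructed for illustration, and revoke-on-scope-drift is an assumed design choice.

```python
import secrets
from dataclasses import dataclass, field
# Constructed policy-as-code table (an assumption, not OPA/Cedar syntax): each
# declared intent is bound to one tool, a max data-sensitivity level and a TTL (s).
POLICY = {
    "read_ticket":       {"tool": "ticketing", "max_sensitivity": 1, "ttl": 120},
    "query_db":          {"tool": "sql",       "max_sensitivity": 2, "ttl": 60},
    "open_pull_request": {"tool": "git",       "max_sensitivity": 1, "ttl": 300},
}
@dataclass
class CredentialBroker:
    # token -> (agent_id, intent, tool, resource, expiry); no standing access lives here
    active: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, now, agent_id, intent, tool, resource, outcome):
        # Every decision records identity, intent and tool lineage for audit/containment.
        self.audit_log.append({"t": now, "agent": agent_id, "intent": intent,
                               "tool": tool, "resource": resource, "outcome": outcome})

    def request(self, agent_id, intent, tool, resource, sensitivity, now):
        """Policy check at request time; returns a short-lived token or None."""
        rule = POLICY.get(intent)
        if rule is None or rule["tool"] != tool or sensitivity > rule["max_sensitivity"]:
            self._log(now, agent_id, intent, tool, resource, "DENY")
            return None
        token = secrets.token_urlsafe(16)
        self.active[token] = (agent_id, intent, tool, resource, now + rule["ttl"])
        self._log(now, agent_id, intent, tool, resource, "ISSUE")
        return token

    def authorize(self, token, tool, resource, now):
        """Per-action check: token must be live and used for exactly its bound scope."""
        entry = self.active.get(token)
        if entry is None:
            return False
        agent_id, intent, bound_tool, bound_resource, expiry = entry
        if now >= expiry or (tool, resource) != (bound_tool, bound_resource):
            self.active.pop(token)  # expired or out-of-scope use revokes the credential
            self._log(now, agent_id, intent, tool, resource, "REVOKE")
            return False
        self._log(now, agent_id, intent, tool, resource, "ALLOW")
        return True

    def complete(self, token, now):
        """Task finished: revoke at once rather than waiting for the TTL to lapse."""
        entry = self.active.pop(token, None)
        if entry:
            self._log(now, entry[0], entry[1], entry[2], entry[3], "COMPLETE")
```

Because a token is tied to a single declared intent and dies at completion, a locally cached copy is useless for the next step, which is the failure mode the paragraph below describes.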
NHIMG’s 52 NHI Breaches Analysis shows the same pattern across non-human estates: once credentials are reused across tools or left too broad, compromise expands laterally instead of stopping at the initial access point. These controls tend to break down when agents are allowed to cache secrets locally or when legacy apps cannot support per-request authorization.
Common Variations and Edge Cases
Tighter agent controls often increase latency, integration overhead, and operational complexity, so organisations must balance containment against developer friction and workflow reliability. There is no universal standard for this yet, especially for multi-agent systems that hand off subtasks between tools and subagents.
One common edge case is long-running agents that need continuity across many steps. In those environments, very short TTLs can interrupt legitimate work unless the platform supports re-attestation and step-up authorization. Another case is delegated tool use across business domains, where one agent may need access to HR, finance, and engineering data in a single workflow. Static roles usually fail here because the access path depends on the current intent, not a pre-defined user category. This is where the discipline described in Top 10 NHI Issues becomes operationally useful: shared secrets, unclear ownership, and weak lifecycle control amplify the same problem in agentic form.
Another variation is human-in-the-loop approval. That can reduce risk, but it does not solve the underlying identity issue if the agent can still retain broad access between approvals. Best practice is evolving toward continuous evaluation rather than one-time approval. Anthropic’s report on the first AI-orchestrated cyber espionage campaign illustrates that once an autonomous system is given tool access, misuse can unfold faster than traditional monitoring and ticket-based review can react.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic systems expand attack paths through tool use, delegation, and misuse of scope. |
| CSA MAESTRO | | MAESTRO addresses governance for autonomous agent behaviour and multi-step orchestration. |
| NIST AI RMF | GOVERN | AI RMF governance is needed to assign accountability for autonomous identity-driven actions. |
Map every agent tool and permission to A1 and require runtime approval for each high-risk action.