Recommendation means the agent can analyse data and propose an action, but a human or workflow engine still approves the change. Execution means the agent can directly change identity state, such as access, certification, or lifecycle records. Execution requires stricter policy, narrower scope, and stronger rollback design because it affects production identity state immediately.
Why This Matters for Security Teams
Agent recommendation and agent execution are not just different approval states. They define two very different risk models for IAM. Recommendation keeps the agent in an advisory role, which is easier to review, log, and override. Execution lets the agent alter identity state directly, so mistakes or malicious prompt injection can become production changes before anyone intervenes. That is why execution needs narrower scope, stronger policy, and rollback design.
This distinction matters because identity systems are often treated as if every workflow were human-paced and linear. Autonomous agents do not behave that way. Once an agent can read entitlements, chain tools, and trigger downstream changes, the control plane itself becomes part of the attack surface. NHIMG’s 2024 Non-Human Identity Security Report shows only 19.6% of security professionals are strongly confident in their organisation’s ability to securely manage non-human workload identities, which is a warning sign for teams contemplating execution privileges.
For agentic environments, current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point toward tighter governance when software can make consequential decisions. In practice, many security teams encounter over-permissioned agent execution only after an access review, certification update, or lifecycle change has already been written into identity state.
How It Works in Practice
Recommendation is the safer default because the agent can analyse context and generate a proposed action without touching production identity records. That can include flagging stale access, identifying privilege creep, or suggesting offboarding steps. Execution goes further: the agent is allowed to call the IAM system, directory, PAM platform, or workflow engine and commit the change itself. The difference is not semantic. It is operational, auditable, and reversible only if the system is designed for it.
In mature implementations, the separation is enforced with policy boundaries rather than trust in the model. A recommendation-only agent may have read access to identity data and write access to a ticket or queue. An execution-capable agent should be constrained by:
- task-specific scope, not broad standing access
- short-lived credentials, not reusable static secrets
- runtime policy checks, not only pre-approved role mappings
- transaction logging and rollback hooks for every state change
- human approval gates for high-impact identity actions
This is where workload identity becomes important. The control problem is not simply “who approved the agent,” but “what exactly is this autonomous workload allowed to do right now.” That is why standards such as CSA MAESTRO agentic AI threat modeling framework and NIST AI governance guidance increasingly align with context-aware authorisation, runtime policy, and ephemeral credentials rather than static RBAC alone. NHIMG’s Ultimate Guide to NHIs — What are Non-Human Identities is clear that NHI lifecycle failures are common, which makes direct execution particularly sensitive.
These controls tend to break down in legacy IAM environments where changes are batch-driven, rollback is manual, and identity records are tightly coupled to downstream HR or directory sync processes.
Common Variations and Edge Cases
Tighter execution control often increases operational friction, so organisations must balance speed against the blast radius of a bad agent action. That tradeoff is real, especially when teams want agentic automation to reduce queue backlogs or accelerate access remediation.
There is no universal standard for this yet, but current guidance suggests a few common patterns. Some organisations allow recommendation for routine hygiene tasks and reserve execution for low-risk, reversible changes such as disabling dormant accounts. Others permit execution only inside a bounded workflow where the agent cannot choose the target, only complete a predefined step. A third pattern uses execution in lower environments first, then promotes the same policy to production once rollback and review controls are proven.
The edge cases are usually where IAM meets exceptions: emergency access, break-glass accounts, cross-tenant administration, or identity changes that trigger compliance reporting. In those cases, even a well-governed agent can cause trouble if the workflow assumes human judgment where none exists. The NHIMG research on the AI LLM hijack breach and the Moltbook AI agent keys breach both reinforce the same lesson: once an autonomous system can act, secrets hygiene, scope limitation, and recovery planning matter as much as model quality.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent execution raises prompt and tool abuse risk in agentic workflows. |
| CSA MAESTRO | MAESTRO models trust boundaries and runtime controls for agentic systems. | |
| NIST AI RMF | GOVERN | The question is about governance over consequential AI-enabled identity actions. |
Define execution boundaries, approval gates, and rollback paths for autonomous identity actions.
Related resources from NHI Mgmt Group
- What is the difference between human identity governance and AI agent governance?
- What is the difference between governing human access and governing AI agent access?
- What is the difference between managed identities and hardcoded secrets for AI agents?
- What is the difference between workload identity and API keys for AI agents?