Subscribe to the Non-Human & AI Identity Journal

What breaks when AI agents are never deprovisioned?

When agents are never deprovisioned, they become zombie identities that continue to consume resources and preserve access long after their business purpose ends. That creates audit gaps, entitlement drift, and unnecessary exposure. The failure is not only operational waste. It is the loss of a clear end state for non-human access.

Why This Matters for Security Teams

When AI agents are never deprovisioned, the problem is not just stale access. It is the creation of identities that outlive the business task they were built for. That breaks least privilege, complicates audit evidence, and leaves security teams unable to prove when access should have ended. Current guidance on agentic systems increasingly treats lifecycle control as a core control plane issue, not an administrative cleanup task.

NHIMG’s lifecycle guidance for NHIs emphasises that an identity without a defined retirement path becomes an unmanaged exposure surface, especially when secrets, tokens, and service permissions remain valid after the original use case ends. This is why deprovisioning belongs in the same conversation as provisioning. The NHI Lifecycle Management Guide and the Top 10 NHI Issues both point to the same operational failure: identities accumulate faster than teams can retire them. In practice, many security teams discover this only after an agent has kept working long after its owner assumed it was gone.

The risk is amplified in agentic environments because autonomous systems can keep invoking tools, retaining tokens, and chaining requests without the visible markers that human accounts usually leave behind. The OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both reinforce that identity lifecycle, accountability, and runtime oversight must be designed together.

How It Works in Practice

In operational terms, deprovisioning is the point where an agent loses its ability to act, not just the point where a ticket closes. For autonomous workloads, that usually means revoking workload identity, expiring session credentials, removing tool scopes, and terminating any long-lived API keys or certificates tied to the agent. The right model is closer to just-in-time access than to static role assignment, because agents do not behave like people with predictable schedules or narrow job descriptions.

Practitioners are increasingly using workload identity as the primary primitive, with short-lived tokens issued per task and automatically revoked when the task completes. That approach aligns with runtime policy evaluation rather than static grants. Standards and guidance such as NIST AI Risk Management Framework and CSA MAESTRO agentic AI threat modeling framework both support the idea that control decisions should be tied to current context, not a permanent entitlement.

That matters because static IAM assumptions fail quickly once an agent can chain tools, call other agents, or retry tasks after a failure. The same identity may be used for testing, production, data retrieval, and downstream orchestration unless lifecycle rules are enforced at the platform layer. When the identity is not retired, the blast radius keeps growing even if the original workflow is abandoned. NHIMG’s OWASP NHI Top 10 research also highlights why credential persistence and weak lifecycle controls are recurring causes of exposure. These controls tend to break down in multi-agent pipelines that reuse shared service accounts across multiple deployment environments because ownership and task boundaries become indistinct.

Common Variations and Edge Cases

Tighter deprovisioning often increases operational overhead, requiring organisations to balance faster shutdowns against workflow continuity and forensic retention. That tradeoff is real, especially when agents support long-running jobs, scheduled automations, or human-in-the-loop escalation paths.

There is no universal standard for this yet, but current guidance suggests separating the retirement of the identity from the retention of audit evidence. In practice, that means killing access quickly while preserving logs, task metadata, and approval history for review. It also means treating orphaned agents as a policy failure, not just a hygiene issue. The Ultimate Guide to NHIs – 2025 Outlook and Predictions and NIST AI Risk Management Framework both support governance models that assign clear ownership for the full lifecycle, including end-of-life.

One useful operational rule is to require every agent to have a named owner, an expiration condition, and an automated revocation path before it is allowed into production. Another is to review dormant agents on the same cadence as privileged human accounts, because inactivity does not mean harmlessness. Organisations with shared credentials, weak asset inventory, or unmanaged shadow automation will struggle most, because no one can prove which agents are still meant to exist.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Lifecycle control includes timely revocation and retirement of NHI access.
OWASP Agentic AI Top 10 A1 Agentic systems need controls for persistent identities and unsafe autonomy.
CSA MAESTRO GOV-02 MAESTRO stresses governance over agent lifecycle, ownership, and retirement.
NIST AI RMF AI RMF governance covers accountability and lifecycle risk for autonomous systems.

Document agent ownership, monitoring, and decommissioning in governance controls.