Subscribe to the Non-Human & AI Identity Journal

On-Behalf-Of Agent

An AI agent that acts using a human user’s delegated permissions, usually through OAuth tokens or similar credentials. The user remains the nominal identity owner, but the agent can explore and use available access more aggressively than the person might, creating a lifecycle and audit challenge.

Expanded Definition

An on-behalf-of agent is an autonomous software entity that operates with delegated user authority, typically via OAuth tokens, scoped API grants, or comparable credentials. It is distinct from a service account because the agent is not merely a fixed system identity; it inherits human intent, but can chain actions, search broadly, and persist longer than the user session that initiated it.

Definitions vary across vendors on how much autonomy qualifies as “on-behalf-of,” but the security issue is consistent: the agent can execute within a human’s access boundary while creating a separate operational footprint. That makes authorization, revocation, auditability, and intent tracking harder than with classic delegated access. Guidance in the OWASP Top 10 for Agentic Applications 2026 and the NIST AI Risk Management Framework both point toward stronger control over action scope, traceability, and human accountability.

The most common misapplication is treating an on-behalf-of agent as a normal delegated login session, which occurs when token issuance, refresh, and downstream API use are not separately constrained or logged.

Examples and Use Cases

Implementing on-behalf-of agents rigorously often introduces tighter permission design and more complex audit flows, requiring organisations to weigh user convenience against containment and traceability.

  • A customer-support agent drafts replies, but only within the customer record and ticketing scopes approved for the signed-in representative.
  • A developer assistant uses a human’s delegated access to open repositories, inspect logs, and create pull requests, but cannot alter billing or production secrets.
  • An executive workflow agent reads calendar and email data on behalf of the user, yet every outbound action is tagged to the initiating person and the exact token chain used.
  • In the incident pattern described in Moltbook AI agent keys breach, the lesson was not just credential exposure but the speed at which delegated access can be reused once an agent is trusted.
  • Model-risk teams map this pattern against the OWASP Agentic AI Top 10 to decide where human approval must interrupt autonomous action.

For a broader NHI lifecycle view, Ultimate Guide to NHIs is useful for framing lifecycle and offboarding concerns that also apply to delegated agents.

Why It Matters in NHI Security

On-behalf-of agents matter because they combine human authority with machine speed, which can amplify blast radius when permissions are overbroad or revocation is slow. NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities, a reminder that delegated automation becomes a direct breach path when secrets or tokens are exposed.

This pattern also complicates Zero Trust enforcement. If a token grants broad access, the agent can traverse systems far beyond what the user intended, and the resulting activity may look legitimate until after data has been moved or actions have been committed. The control problem is not only authentication, but also session scope, downstream authorization, and timely revocation. That is why lifecycle controls, token binding, and action-level logging are essential rather than optional.

Organisations typically encounter the consequence only after a delegated workflow is abused, at which point on-behalf-of agent governance becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Delegated agents inherit and expose secret lifecycle risk under NHI secret management guidance.
OWASP Agentic AI Top 10 A1 Agentic applications must constrain autonomous action and human delegation boundaries.
NIST Zero Trust (SP 800-207) SP 4 Zero Trust requires continuous verification of every delegated request and session.

Limit token scope, store credentials safely, and revoke on-behalf-of access when the user or workflow ends.