
Why do AI agents increase non-human identity risk in existing IAM programmes?

AI agents increase non-human identity risk because they create more autonomous actors that can hold credentials, access systems, and perform tasks without direct human supervision. Existing IAM programmes often focus on human users first, so agent lifecycle management, privilege review, and behavioural monitoring are frequently missing or incomplete.

Why Traditional IAM Struggles with AI Agents

AI agents change the identity problem because they do not behave like fixed human users. They can chain tools, make decisions at runtime, and request access based on a goal rather than a pre-approved workflow. That breaks static RBAC assumptions and exposes gaps in PAM, JIT, and offboarding if those controls were designed around people, not autonomous workloads.

This matters because the blast radius is already visible in real deployments. NHI Mgmt Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and agentic systems expand that same risk surface by creating more identities that can act independently. Current guidance from NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 both point toward runtime governance, not one-time approval, because autonomous behaviour is inherently dynamic.

In practice, many security teams only discover this mismatch after an agent has already accessed something it was not intended to touch.

How It Works in Practice

Effective control starts with treating each agent as a workload identity first and an application second. The agent should authenticate with a cryptographic identity, such as a SPIFFE-style workload identity or an OIDC-backed token, and then receive permissions only for the task it is about to perform. That is the practical difference between static credentials and JIT credentials: the agent gets a short-lived secret, uses it for a bounded objective, and loses it automatically when the task ends.

That model is stronger than assigning broad roles up front because the agent’s intent changes over time. Current best practice is evolving toward intent-based authorisation, where policy is evaluated at request time using context such as task scope, data sensitivity, destination system, and confidence in the action. This aligns with policy-as-code approaches and with the direction of the NIST Cybersecurity Framework 2.0 and MITRE ATLAS adversarial AI threat matrix, which both emphasise adaptive control and adversary-aware monitoring.

  • Issue credentials per task, not per agent lifespan.
  • Keep secrets short-lived and scoped to a single tool or destination.
  • Log each tool call, data access event, and privilege escalation decision.
  • Review agent actions against policy continuously, not only during quarterly access reviews.
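The four controls above, as an added example that is not code from NHI Mgmt Group or any framework cited here: a minimal credential broker that issues a per-task credential bound to one tool and one destination, re-checks it on every tool call, and logs each decision. The function names, the token format, and the sample agent, task, and host values are hypothetical; the HMAC-signed token is a stand-in for a SPIFFE or OIDC issuer.

```python
import base64, hashlib, hmac, json, secrets, time

BROKER_KEY = secrets.token_bytes(32)   # assumption: signing key held only by the broker
REVOKED_TASKS = set()                  # tasks that have ended or been cancelled
AUDIT_LOG = []                         # one record per authorisation decision

def _sign(payload: bytes) -> str:
    return hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()

def issue(agent_id, task_id, tool, destination, ttl_s=300, now=None):
    """Issue a credential bound to one task, one tool and one destination."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "task": task_id, "tool": tool,
              "dst": destination, "exp": now + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def end_task(task_id):
    """Revoke at task completion so the credential dies with the task, not only at TTL."""
    REVOKED_TASKS.add(task_id)

def authorise(token, tool, destination, now=None):
    """Evaluate one tool call at request time; returns (allowed, reason) and logs it."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    claims = {}
    if not hmac.compare_digest(sig, _sign(body.encode())):
        decision = (False, "bad_signature")
    else:
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now >= claims["exp"]:
            decision = (False, "expired")
        elif claims["task"] in REVOKED_TASKS:
            decision = (False, "task_ended")
        elif (claims["tool"], claims["dst"]) != (tool, destination):
            decision = (False, "out_of_scope")   # credential reused outside its context
        else:
            decision = (True, "ok")
    AUDIT_LOG.append({"ts": now, "agent": claims.get("sub"), "task": claims.get("task"),
                      "tool": tool, "dst": destination,
                      "allowed": decision[0], "reason": decision[1]})
    return decision

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    tok = issue("agent-7", "task-42", "crm.read", "crm.example.internal")
    print(authorise(tok, "crm.read", "crm.example.internal"))
    print(authorise(tok, "crm.export", "crm.example.internal"))
```

Denied calls are logged alongside allowed ones, so an agent that probes tools outside its task scope shows up in the audit trail rather than only in the target system's logs.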

NHI Mgmt Group’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which is why agent sprawl quickly becomes an IAM problem, not just an AI problem. These controls tend to break down in environments where agents operate across many SaaS tools and CI/CD systems because authorisation context is fragmented and audit trails are incomplete.

Common Variations and Edge Cases

Tighter agent control often increases operational overhead, so organisations have to balance agility against the cost of review, logging, and policy maintenance. There is no universal standard for exactly how much autonomy an agent should receive, especially in early-stage deployments where product teams want speed and security teams want containment.

One common edge case is delegated action chains, where an agent starts with a harmless request and then uses intermediate tools to reach higher-risk systems. Another is long-running agents that need temporary access across multiple steps; in those cases, JIT issuance still helps, but the revocation model must match the workflow length. The same issue appears when agents share a secrets manager with human workloads, because static secrets can outlive the intended task and be reused outside the original context. For that reason, the OWASP NHI Top 10 and Anthropic's report on the first AI-orchestrated cyber espionage campaign both reinforce the need for runtime boundaries and continuous inspection.

Where guidance is still maturing, the safest approach is to prefer zero standing privilege, short TTL secrets, and explicit human approval for higher-risk tool actions. That is especially important when agents can reach external systems, handle sensitive data, or act on behalf of multiple business functions at once.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Addresses autonomous agent misuse and scope creep in tool use.
CSA MAESTRO | | Covers agent governance, orchestration, and security controls for autonomous systems.
NIST AI RMF | GOVERN | AI governance is needed to assign accountability for autonomous agent decisions.

Use MAESTRO to define approval, monitoring, and containment for agent workflows.
