AI agents pose significant security risks when unmanaged as they can operate without oversight, leading to unauthorized access and actions. Establishing robust governance frameworks through MCPs mitigates these risks by ensuring visibility and compliance with organizational security policies.
Why Autonomous AI Agents Create a Distinct Security Problem
AI agents are risky because they are not just chat interfaces. They are autonomous software entities with execution authority, tool access, and the ability to chain actions toward a goal. That means their risk profile is closer to a privileged workload than a user session. Static role-based access control often fails here because an agent’s exact path is not known in advance, and its next action may be determined by real-time context rather than a fixed workflow. Current guidance increasingly points to OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework as the right starting points for governance.
The core concern is not only unauthorized access, but unauthorized intent carried out at machine speed. If an agent can browse systems, call APIs, create tickets, move data, or trigger deployments, then a single prompt injection or poisoned tool response can become a security event. NHIMG research on OWASP NHI Top 10 shows why identity, authorization, and runtime control need to be treated as one problem, not separate checkboxes. In practice, many security teams encounter agent misuse only after data has moved or systems have already been touched, rather than through intentional testing.
How Security Controls Need to Work in Practice
For AI agents, the strongest pattern is emerging around intent-based authorization, just-in-time credential provisioning, and short-lived workload identity. Instead of giving an agent broad standing access, the platform should issue ephemeral credentials only for the task at hand, then revoke them automatically when the task completes. That makes TTL matter in a different way than for human users: long-lived secrets increase blast radius, while dynamic, short-lived secrets reduce the window for abuse. Where possible, workload identity should be the primary identity primitive, using cryptographic proof of what the agent is through standards such as SPIFFE and OIDC rather than relying on shared API keys.
- Authorize at request time, not only at onboarding time.
- Evaluate policy with full context, including task, data sensitivity, and target system.
- Use JIT issuance for secrets, tokens, and certificates.
- Separate tool access by purpose, not by generic role.
- Log every tool call, data fetch, and credential grant for auditability.
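As an added illustration of the request-time pattern in the list above (example code, not NHIMG's or any product's), a minimal policy engine that evaluates each tool call against purpose, data sensitivity and target system, issues a short-lived token only on an allow, revokes it when the task ends, and records every decision. The policy table, tool names and the sensitivity scale are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed policy table (assumption, not a real product's schema): each tool is scoped
# by purpose, a data-sensitivity ceiling (0 = public .. 3 = restricted) and allowed targets.
TOOL_POLICY = {
    "records.read":   {"purposes": {"support-triage"}, "max_sensitivity": 2, "targets": {"crm"}},
    "ticket.create":  {"purposes": {"support-triage"}, "max_sensitivity": 1, "targets": {"jira"}},
    "deploy.trigger": {"purposes": {"release"},        "max_sensitivity": 0, "targets": {"ci"}},
}
ISSUED = {}      # token -> expiry; revoke() or expiry removes it, so nothing stands long-term
AUDIT_LOG = []   # one record per decision, allowed or denied

@dataclass
class ToolRequest:
    agent_id: str
    tool: str
    purpose: str        # the task the agent claims to be working on
    sensitivity: int    # classification of the data the call will touch
    target: str         # system the call is directed at

@dataclass
class Decision:
    allowed: bool
    reason: str
    token: Optional[str] = None
    expires_at: Optional[float] = None

def authorize(req: ToolRequest, now: float, ttl: float = 60.0) -> Decision:
    # Policy is evaluated for this single call with full context, not once at onboarding.
    p = TOOL_POLICY.get(req.tool)
    if p is None:
        d = Decision(False, "unknown tool")
    elif req.purpose not in p["purposes"]:
        d = Decision(False, "purpose not permitted for this tool")
    elif req.sensitivity > p["max_sensitivity"]:
        d = Decision(False, "data sensitivity exceeds tool ceiling")
    elif req.target not in p["targets"]:
        d = Decision(False, "target system not permitted for this tool")
    else:  # JIT issuance: a fresh token that only covers this call and dies after ttl seconds
        d = Decision(True, "allowed", secrets.token_urlsafe(16), now + ttl)
        ISSUED[d.token] = d.expires_at
    AUDIT_LOG.append({"ts": now, "agent": req.agent_id, "tool": req.tool,
                      "target": req.target, "allowed": d.allowed, "reason": d.reason})
    return d

def token_valid(token: str, now: float) -> bool:  # good only until TTL passes or it is revoked
    return token in ISSUED and now < ISSUED[token]

def revoke(token: str) -> None:  # called when the task completes
    ISSUED.pop(token, None)
```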
This approach aligns with the direction outlined in the NIST Cybersecurity Framework 2.0 and with runtime enforcement concepts discussed in the AI LLM hijack breach analysis. It also reflects the risk pattern in SailPoint research, where 80% of organisations said their AI agents already performed actions beyond intended scope, including unauthorised system access and credential exposure. These controls tend to break down when agents are allowed to chain tools across multiple systems without a single policy engine deciding every step.
Where the Standard Answer Breaks Down in Real Deployments
Tighter control often increases operational overhead, requiring organisations to balance speed and developer convenience against containment and auditability. That tradeoff becomes especially sharp in multi-agent pipelines, where one agent delegates to another, or where an orchestration layer can trigger actions faster than human review can keep up. Best practice is evolving, but there is no universal standard for this yet: some teams prioritize fine-grained policy-as-code, while others focus first on secret hygiene and workload identity.
Edge cases matter. An agent that only drafts content is lower risk than one that can retrieve records, update production settings, or approve payments. Likewise, a model running in a sandbox is very different from an agent embedded in CI/CD or customer support workflows. NHIMG analysis of the DeepSeek breach and the Ultimate Guide to NHIs — Key Challenges and Risks shows how exposed secrets and weak boundaries turn agent autonomy into a security amplifier, not just an efficiency tool. In practice, the hardest failures appear when a “helpful” agent is quietly given enough reach to become a privileged path between systems.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic prompt, tool, and privilege abuse are the main risks here. |
| CSA MAESTRO | | Covers governance patterns for autonomous AI agents and delegated actions. |
| NIST AI RMF | GOVERN | AI RMF governance is needed to assign accountability for autonomous agent behavior. |
Map each agent tool and data path to OWASP agentic controls and block unapproved actions at runtime.