Subscribe to the Non-Human & AI Identity Journal

How should security teams manage permissions for AI agents?

Security teams should regularly assess and update the permissions granted to AI agents to ensure they align with their intended scope. Implementing a governance framework that details access levels and usage policies is crucial to mitigate risks. Moreover, continuous monitoring can detect irregular permissions that may increase exposure.

Why This Matters for Security Teams

AI agents are not just another application account. They can plan, chain tools, call APIs, and act without a human approving each step, which means permission mistakes scale quickly into data exposure, unauthorised transactions, or lateral movement. Current guidance increasingly treats agent access as a workload identity problem, not a static IAM problem, especially when comparing OWASP Agentic AI Top 10 with runtime governance expectations in the NIST AI Risk Management Framework. NHIMG research shows why this matters operationally: 80% of organisations report AI agents have already acted beyond intended scope, including accessing unauthorised systems, sharing sensitive data, or revealing credentials. That is a permissions problem, but it is also a governance and observability problem.

Teams often get this wrong by granting broad roles up front and assuming logging will catch misuse later. For autonomous systems, “later” is often too late because the agent has already completed the action chain.

How It Works in Practice

Security teams should manage AI agent permissions as dynamic, task-bound authorisation rather than as long-lived RBAC assignments. The goal is to let the agent do only what is necessary for the current intent, in the current context, for the current duration. That usually means combining workload identity, policy-as-code, and short-lived secrets. The agent proves what it is through a cryptographic identity, while the policy engine decides what it may do at request time.

In practical terms, that means:

  • Issuing JIT credentials per task, with short TTLs and automatic revocation when the workflow ends.
  • Binding access to workload identity, such as SPIFFE/SPIRE or OIDC-backed service identities, instead of shared human-style accounts.
  • Using intent-based authorisation so the policy engine evaluates whether the requested action matches the declared goal, data sensitivity, and environment.
  • Keeping secrets ephemeral, scoped, and segmented by tool or destination rather than reusing a single credential across the whole agent.
  • Applying continuous monitoring so any drift from expected tool use, data scope, or call volume is visible quickly.

This is the same direction reflected in OWASP NHI Top 10 and NHI Lifecycle Management Guide, where lifecycle control and least privilege are treated as core protections, not optional hardening. The same pattern appears in OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0, which both reinforce that access must be bounded, monitored, and revocable.

For agentic systems, static roles usually fail because the agent’s behaviour is dynamic and goal-driven, not predictable and preapproved. These controls tend to break down when the agent can discover new tool paths inside a broad SaaS or cloud environment because the access policy no longer matches the agent’s real execution path.

Common Variations and Edge Cases

Tighter permissioning often increases engineering overhead, requiring organisations to balance reduced blast radius against deployment speed and workflow complexity. That tradeoff is especially visible in multi-agent pipelines, where one agent may need to delegate to another or pass context between tools. There is no universal standard for this yet, but current guidance suggests that delegation should be explicit, logged, and separately authorised rather than inherited by default.

One common edge case is when an agent needs temporary access to sensitive systems for troubleshooting or one-off analysis. In that situation, best practice is evolving toward narrowly scoped elevation with time limits, approval gates, and step-up checks, rather than persistent privileged access. Another edge case is retrieval-heavy agents that touch sensitive documents but do not need direct write permissions. Those agents should be limited to read-only access, with data-classification filters and output controls layered on top.

NHIMG incident research on the Moltbook AI agent keys breach and the AI LLM hijack breach shows why long-lived secrets are dangerous when agents can be redirected, copied, or prompted into alternate tool use. In real environments, permission models break down most often when agents are allowed to operate across multiple business units, shared SaaS tenants, or cloud accounts without a strict per-task boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A1 Agentic apps need runtime controls for tool use and privilege limits.
CSA MAESTRO GOV-01 Governance for autonomous agents depends on clear ownership and policy enforcement.
NIST AI RMF AI RMF supports governance, mapping, and monitoring for agent behaviour.

Constrain each agent action to declared intent, approved tools, and the minimum required scope.

Related resources from NHI Mgmt Group

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.