Maker-identity inheritance breaks the separation between who built the agent and who should be accountable for its access. The builder’s privileges can become embedded in the artefact, then reused at runtime across systems the builder never intended. That creates hidden privilege transfer and weakens both governance and auditability.
Why This Matters for Security Teams
When an AI agent inherits the creator’s access without review, the organisation is no longer governing a tool, it is governing an autonomous actor with someone else’s privilege set. That breaks accountability, makes access review misleading, and turns the builder’s convenience into production exposure. Current guidance from the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both point to runtime control, not inherited trust, as the safer pattern.
This is especially dangerous because agents do not use access the way humans do. They chain tools, act across systems, and repeat workflows at machine speed. NHIMG research on AI Agents: The New Attack Surface report found that 80% of organisations say their AI agents have already performed actions beyond intended scope, including unauthorised system access and sensitive data sharing. That is not an edge case, it is what happens when identity is tied to the creator rather than the workload.
Maker-identity inheritance also undermines segregation of duties. The person who built the agent may be permitted to configure, test, and deploy it, but that does not mean the agent should retain the same privileges once it is interacting with live data, production APIs, and internal workflows. In practice, many security teams encounter over-privileged agents only after data exposure or destructive actions have already occurred, rather than through intentional access design.
How It Works in Practice
The safer model is to treat the agent as its own workload identity and issue access only for the task at hand. That means the agent authenticates as an artefact, not as the creator, using cryptographic proof of what it is through controls such as OIDC-based workload tokens or identity fabrics like SPIFFE/SPIRE. The access decision is then made at runtime, based on intent, context, and policy, instead of a static role copied from the builder.
That runtime approach matters because static RBAC assumptions fail when behaviour is dynamic. An agent may start with a harmless support task and then branch into a database query, a ticket update, and a file transfer in the same session. Each step should be evaluated separately with policy-as-code, with short-lived secrets issued through just-in-time provisioning and revoked when the task ends. The operational goal is not “trust the creator more,” but “constrain the agent more precisely.” This is aligned with the OWASP Non-Human Identity Top 10 and the CSA MAESTRO agentic AI threat modeling framework.
- Separate builder permissions from runtime permissions.
- Issue per-task credentials with tight TTLs and automatic revocation.
- Evaluate every tool call against current context, data sensitivity, and destination system.
- Log the workload identity, not just the human approver, for audit and forensics.
NHIMG’s analysis of the OWASP NHI Top 10 shows why this matters: once a creator’s privileges are embedded in the agent, the resulting access can outlive the original review context and move into systems the builder never meant to touch. These controls tend to break down when legacy IAM cannot express task-level context across loosely coupled agent workflows.
Common Variations and Edge Cases
Tighter agent identity controls often increase operational overhead, requiring organisations to balance speed of automation against approval friction and policy maintenance. That tradeoff is real, especially in environments where teams expect agents to behave like ordinary service accounts. Current guidance suggests the right balance is to narrow standing privilege while allowing rapid, automated elevation only when the task and context justify it.
There is no universal standard for this yet. Some teams use a dedicated service account per agent, others bind each run to a short-lived workload token, and others combine human approval with runtime policy enforcement. The important distinction is that the creator’s identity should not become the agent’s identity by default. If a developer can read broad production data, that does not mean the agent should inherit that same scope simply because the developer configured it.
Edge cases appear in multi-agent pipelines, shared orchestration layers, and delegated admin workflows. In those environments, maker-identity inheritance can hide privilege transfer across hops, making audit trails incomplete and revocation inconsistent. NHIMG’s reporting on AI agents beyond intended scope and the State of Secrets in AppSec shows how quickly sensitive access can spread when static assumptions meet autonomous behaviour.
For security teams, the practical rule is simple: if the agent can decide, chain, or repeat actions on its own, the creator’s access must be treated as a provisioning reference, not as an entitlement model. The inheritance model breaks down when autonomous agents are allowed to reuse high-privilege secrets across environments with different trust boundaries.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Covers unsafe agent autonomy and privilege inheritance risk. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses over-privileged non-human identities and stale access. |
| CSA MAESTRO | TRM-01 | Supports threat modeling for autonomous agent trust and access paths. |
| NIST AI RMF | AI RMF governance applies to accountability, monitoring, and runtime controls. | |
| NIST Zero Trust (SP 800-207) | SA-12 | Zero trust requires per-request verification instead of inherited trust. |
Remove default creator-to-agent privilege inheritance and enforce runtime authorization for each tool action.
Related resources from NHI Mgmt Group
- When is it crucial to implement least-privilege access for AI agents?
- How should security teams govern AI agents that use OAuth access?
- How should security teams limit the risk from AI agents that have access to production systems?
- How should security teams govern AI agents that can access enterprise systems?