Subscribe to the Non-Human & AI Identity Journal

Agentic operations

Assistant-driven workflows where the system can carry out approved actions on behalf of a user. For identity governance, the key issue is that delegation now includes execution authority, which makes policy boundaries and accountability more important than simple chat.

Expanded Definition

Agentic operations describe a mode of work where an AI agent does more than suggest next steps. It can execute approved actions, such as opening tickets, modifying records, calling APIs, or triggering workflows, based on delegated authority. In NHI security, that shift matters because the identity attached to the agent is now operational, not merely conversational.

Definitions vary across vendors, but the security boundary is consistent: once an agent can act, the organisation must treat its credentials, scopes, approvals, and audit trails as governance objects. That is why agentic operations are closely related to OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework, which both emphasise controllability, traceability, and harm reduction.

In practice, agentic operations sit between workflow automation and delegated administration. The system may be allowed to act only within a narrow policy envelope, but the exact envelope is often ambiguous when tool access, prompt instructions, and identity permissions are managed separately. The most common misapplication is treating an agent as a passive chatbot, which occurs when teams grant tool access and secret use without defining execution boundaries or review points.

Examples and Use Cases

Implementing agentic operations rigorously often introduces latency and approval overhead, requiring organisations to weigh automation speed against the cost of tighter control.

  • An internal IT agent resets user access, but only after policy checks confirm the request matches approved change criteria.
  • A customer support agent issues refunds within a capped amount and logs each action for later review.
  • A DevOps agent rotates secrets and updates deployment settings, but cannot broaden its own permissions.
  • An HR assistant drafts onboarding tasks and provisions accounts through a controlled workflow rather than direct admin rights.
  • A procurement agent creates purchase requests, while final commitment remains with an accountable human approver.

These patterns are increasingly discussed in research on agent misuse and prompt-based abuse, including NHIMG coverage such as OWASP NHI Top 10 and incident analyses like CoPhish OAuth Token Theft via Copilot Studio. External guidance such as OWASP Top 10 for Agentic Applications 2026 helps frame these use cases around controllable tool use, bounded autonomy, and misuse resistance.

Why It Matters in NHI Security

Agentic operations change the blast radius of a compromised identity. When a service account, token, or delegated session is abused, the attacker is no longer limited to reading data. They may be able to trigger workflows, exfiltrate secrets, alter records, or impersonate legitimate business activity. NHIMG reporting on AI agent security shows that 80% of organisations report agents already performed actions beyond intended scope, and 52% can track and audit the data those agents access. That gap is not theoretical; it is an accountability problem.

Security teams also need to recognise that agent execution can become a control bypass if the agent inherits broad entitlements from its operator. That is why NHI governance must align with the NIST AI Risk Management Framework and, where agent behavior is adversarially shaped, with MITRE ATLAS adversarial AI threat matrix. Incident patterns documented in NHIMG research such as AI Agents: The New Attack Surface and LLMjacking show how quickly abuse follows exposed credentials.

Organisations typically encounter the operational consequences only after an agent has sent data, changed a system, or burned through an approval chain, at which point agentic operations become unavoidable to investigate and contain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Agent actions depend on secrets, tokens, and scoped identity controls.
OWASP Agentic AI Top 10 A1 Covers unsafe autonomy, tool use, and agent action boundaries.
NIST AI RMF Frames AI systems by governance, mapping, measurement, and management.
NIST Zero Trust (SP 800-207) PR.AC Zero trust requires continuous verification of every delegated action.
CSA MAESTRO Defines controls for agentic AI threat modeling and orchestration security.

Model agent workflows, approve tools explicitly, and defend orchestration paths end to end.