They are built around human lifecycle events such as joiner, mover, and leaver. AI tools can be created outside IT, never enter the HR system, and persist after the pilot ends, so normal certification cycles often miss the orphaned access that matters most.
Why Traditional IAM and IGA Miss AI Governance Gaps
Traditional IAM and IGA are strong at managing known identities with known lifecycle events, but AI tools and agents do not reliably follow that model. They are often created by product teams, analysts, or developers outside the HR process, then connected to cloud services, data stores, and APIs long before security sees them. That means access can exist without a clean owner, a formal role, or a scheduled review.
The gap is not just inventory. AI systems can be goal-driven, dynamic, and capable of chaining tools in ways that do not map neatly to RBAC or quarterly certification. Current guidance suggests that governance has to shift from checking whether a person still needs access to checking whether an autonomous workload still needs the authority to act. NIST frames this broader problem in the NIST AI Risk Management Framework, while NHIMG’s lifecycle view in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows why discovery, ownership, and retirement must be treated as first-class controls.
In practice, many security teams encounter orphaned AI access only after a model, bot, or agent has already touched production data, rather than through intentional governance.
How It Works in Practice
Effective AI governance starts with treating the workload itself as the identity, then wrapping that workload in policy that can be evaluated at runtime. For autonomous systems, static role assignment is usually too coarse. A better pattern is workload identity plus just-in-time authorization: the agent proves what it is, requests a specific action, receives a short-lived secret or token, completes the task, and loses that privilege automatically.
That approach aligns with zero standing privilege, but the important distinction is behavioural. The agent is not a human proxy, so entitlement review has to focus on intent, tool access, and blast radius rather than job title. The NIST AI Risk Management Framework supports this shift toward governed outcomes, and the NIST Cybersecurity Framework 2.0 reinforces asset visibility, access control, and continuous monitoring.
- Use workload identity for the agent, not a shared service account.
- Issue short-lived credentials per task, not long-lived static secrets.
- Evaluate access at request time with policy-as-code, not only at provisioning time.
- Log the agent’s intent, the action approved, and the data or tool reached.
- Revoke access automatically when the task completes or the context changes.
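The five controls above can be seen working together in a small policy decision point. This is an added example, not code from NHIMG or any framework named here; the workload name, tool names, bucket paths, TTL and the HMAC token format are all constructed assumptions.

```python
import hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # assumption: held only by the policy service
AUDIT_LOG = []                         # stand-in for an append-only audit sink
REVOKED = set()                        # token ids revoked before their expiry

# Constructed policy: workload identity -> tool -> (resource prefix, max TTL seconds)
POLICY = {
    "agent:invoice-summarizer": {"read_object": ("s3://finance-reports/", 120)},
}

def authorize(workload, tool, resource, intent, now=None):
    """Decide at request time; on allow, mint a token for one tool and one resource."""
    now = time.time() if now is None else now
    rule = POLICY.get(workload, {}).get(tool)
    allowed = bool(rule) and resource.startswith(rule[0])
    # Log intent, decision and target whether or not the request is approved.
    AUDIT_LOG.append({"ts": now, "workload": workload, "intent": intent,
                      "tool": tool, "resource": resource, "allowed": allowed})
    if not allowed:
        return None
    claims = {"jti": secrets.token_hex(8), "sub": workload, "tool": tool,
              "res": resource, "exp": now + rule[1]}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig

def verify(token, tool, resource, now=None):
    """Enforcement point: check signature, expiry, revocation and exact scope."""
    now = time.time() if now is None else now
    try:
        body_hex, sig = token.split(".")
        body = bytes.fromhex(body_hex)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    c = json.loads(body)
    return (now < c["exp"] and c["jti"] not in REVOKED
            and c["tool"] == tool and c["res"] == resource)

def revoke(token):
    """Task finished or context changed: kill the token before its TTL runs out."""
    REVOKED.add(json.loads(bytes.fromhex(token.split(".")[0]))["jti"])
```

Because each token names a single workload, tool and resource, a denied or expired call is attributable to one agent and one task, which is the property shared credentials lose.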
NHIMG research on the DeepSeek breach and the Azure Key Vault privilege escalation exposure shows why static credentials remain a high-value failure point. In fact, NHIMG cites that 67% of organisations still rely heavily on static credentials, and that should be read as a governance warning, not just a hygiene issue. These controls tend to break down when agents share credentials across environments because attribution and revocation become ambiguous.
Common Variations and Edge Cases
Tighter authorization often increases operational overhead, requiring organisations to balance security benefit against developer velocity and agent reliability. That tradeoff is real, especially in environments where agents run many small actions per minute or where tooling changes frequently. Best practice is evolving, and there is not yet a universal standard for exactly how granular intent-based authorisation should be.
Some teams start with coarse task-level tokens, then move toward finer per-tool or per-resource decisions as they gain telemetry. Others use a hybrid model: RBAC for stable baseline permissions, JIT for elevated actions, and runtime policy for anything that can modify infrastructure, move data, or trigger payments. The Top 10 NHI Issues is useful here because it captures recurring failure patterns such as unmanaged secrets, weak ownership, and over-privileged automation.
Edge cases also matter. Multi-agent pipelines can pass authority from one agent to another, which makes simple certification useless unless the transfer of trust is explicit. Human approvals can help for high-risk changes, but they do not scale to every call. For regulatory and audit teams, the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is the right lens for proving ownership, scope, and revocation. NHIMG also notes that exposed AWS credentials can be targeted within 17 minutes on average, which is why agent secrets need much shorter TTLs than human credentials. The control model breaks down when autonomous systems can self-provision tools faster than reviewers can approve or revoke them.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Directly addresses agentic AI behavior, tool use, and runtime authorization gaps. | |
| CSA MAESTRO | Covers agentic workflows, autonomy boundaries, and control-plane governance. | |
| NIST AI RMF | Frames governance, mapping, measurement, and management for AI risk. | |
Define agent autonomy levels and require policy checks before actions that cross trust boundaries.