Banks should treat agent identity as a governed lifecycle, not a one-time appointment. That means formal onboarding, scoped permissions, periodic review, and rapid revocation when a relationship changes. The same control discipline used for privileged access should apply to agents who can enrol customers or process transactions, because their operational reach creates real identity and fraud risk.
Why This Matters for Security Teams
Branch-light operating models depend on digital agents to handle onboarding, servicing, and transaction support with less human intervention. That makes agent identity a trust and control problem, not just an automation convenience. If an agent can enrol a customer, trigger an exception, or reach core systems, its identity needs clear ownership, scoped authority, and an auditable lifecycle. Current guidance from the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 points in the same direction: governance must cover both model behavior and the permissions wrapped around it.
Banks often get this wrong by treating an agent like a project artifact or a chatbot, then discovering too late that it has access to customer data, payment rails, or approval workflows. That creates exposure across fraud, privacy, conduct risk, and operational resilience. The issue is not only malicious misuse. It also includes stale entitlements, unclear accountability, and overbroad delegation when the agent is repurposed across teams or channels. In practice, many security teams encounter agent abuse only after an exception path, misrouted approval, or account takeover has already occurred, rather than through intentional governance.
How It Works in Practice
Agent identity governance in a branch-light model should mirror privileged access management, but with AI-specific controls added. Each agent should have an explicit business owner, a defined purpose, a risk rating, and a bounded set of actions it may perform. That identity should be registered in an inventory, linked to the underlying model or service account, and reviewed on a schedule that matches the materiality of the task. Banks should also separate read, recommend, and execute permissions so that an agent can assist without being able to complete high-risk actions by default.
A practical operating model usually includes:
- Formal onboarding with approval from business, security, and risk owners.
- Least-privilege access to customer records, case systems, and payment functions.
- Step-up controls for sensitive actions, especially where identity proofing or fund movement is involved.
- Logging that captures prompts, tool calls, approvals, and downstream system effects.
- Periodic recertification and immediate revocation when the use case, model, or vendor relationship changes.
For agentic systems, control evidence should also cover prompt injection resilience, tool authorization, output validation, and provenance checks. The MITRE ATLAS adversarial AI threat matrix is useful for mapping abuse paths such as indirect prompt injection and data exfiltration through tools. Where banks use external orchestration or shared services, the CSA MAESTRO agentic AI threat modeling framework helps structure boundaries between the agent, the model, and the tools it can invoke. These controls tend to break down when agents are allowed to self-route across multiple customer journeys because identity boundaries become too diffuse to audit cleanly.
Common Variations and Edge Cases
Tighter agent identity controls often increase operational overhead, requiring organisations to balance faster service delivery against stronger approval and review discipline. That tradeoff matters in branch-light environments because some agents are designed to reduce friction at the exact point where banks still need human accountability.
There is no universal standard for this yet, so current guidance suggests banks should classify agents by function and risk, then apply different control tiers. A low-risk service agent may only draft messages or summarize records, while a higher-risk agent may prepare identity proofing steps but still require human approval before execution. The same pattern applies when an agent spans multiple products or legal entities, where ownership and segregation of duties must be explicit.
Edge cases arise when a bank uses a vendor-hosted agent, a shared internal agent, or a hybrid agent that can act through multiple toolchains. In those cases, identity governance has to extend beyond the model runtime to include API keys, service accounts, workload identities, and fallback paths. The NIST Cybersecurity Framework 2.0 is helpful for aligning those controls to broader governance, detection, and response outcomes. Banks should also watch for rapid model updates, because a safe agent can become unsafe when tool scope, prompts, or retrieval sources change without re-approval.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, MITRE ATLAS and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | AI governance is needed to assign accountability and manage agent risk. | |
| OWASP Agentic AI Top 10 | Agentic systems face tool misuse, prompt injection, and over-permissioning risks. | |
| MITRE ATLAS | T0001 | Agent abuse paths map to adversarial AI tactics like injection and exfiltration. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central to governing what agents can do. |
| CSA MAESTRO | MAESTRO helps model trust boundaries between agent, model, and tools. |
Model threat scenarios with ATLAS and test controls against realistic adversarial agent behavior.
Related resources from NHI Mgmt Group
- How should security teams govern Active Directory service accounts?
- How should security teams govern access changes across hybrid identity environments?
- Why do identity-centric access models matter when lateral movement is the main risk?
- Why do identity-based attacks weaken traditional segmentation models?