By NHI Mgmt Group Editorial Team
Published 2026-05-26
Domain: Agentic AI & NHIs
Source: Cerbos

TL;DR: Agents are moving from pilots to production, but IAM models built for human sessions cannot reliably govern continuous tool use, delegated actions, and runtime decision paths, according to Cerbos' EIC 2026 analysis. The real control question is no longer inventorying agents first, but deciding what actions they may take at the point where money, data, or production state can move.


At a glance

What this is: This analysis argues that AI agents change IAM from identity-first control to authorization-at-the-vault, because continuous runtime actions outgrow human-shaped access models.

Why it matters: IAM, PAM, and governance teams must decide where policy evaluation happens for agents, how delegation is preserved, and what evidence proves each action was authorised.


Context

AI agent authorization is the problem of deciding whether a runtime action should happen, not just whether the agent is known. Human-shaped IAM assumes a person authenticates, receives a session, and then acts within a stable review cycle. Agents break that model because they can fan out across tools, data systems, and delegation paths while a task is still in motion.

That shift matters for NHI governance because identity alone does not answer the operational question that now sits at the centre of control: who or what is allowed to invoke a tool, move data, or trigger a workflow at that exact moment. For teams mapping the broader NHI baseline, the Ultimate Guide to NHIs remains the clearest reference point for lifecycle, visibility, and revocation patterns.


Key questions

Q: How should security teams govern AI agent actions at runtime?

A: Security teams should evaluate each consequential action at the point of execution, not only at authentication or provisioning time. That means policy must consider the current task, delegated authority, resource sensitivity, and session state before the action is allowed. Runtime governance is the only practical way to keep pace with agents that can change paths mid-workflow.

Q: Why do AI agents complicate traditional IAM and PAM controls?

A: AI agents complicate traditional IAM and PAM controls because those models assume stable entitlements and human-paced review cycles. Agents can chain tool calls, move across services, and complete tasks before a review process or ticket flow can react. The result is a control gap between the permission that exists and the action that should be allowed.

Q: What breaks when an agent uses a human credential for delegated work?

A: What breaks is accountability. Once the human credential is reused by the agent, downstream systems can no longer distinguish human intent from agent execution, and the audit trail loses the meaningful origin of the request. That makes incident reconstruction, policy evaluation, and consent validation much harder than they should be.

Q: Who should be accountable when agentic automation causes a security event?

A: Accountability should sit with the organisation that defined the delegation boundary, the policy owner who approved the runtime action, and the system owner who exposed the tool or workflow. If those roles are not explicit, agentic systems create shared responsibility gaps that look like technical problems but are really governance failures.


Technical breakdown

Why human-style sessions fail for agent authorization

Traditional IAM assumes access remains stable long enough to be reviewed, recertified, and reconciled after the fact. Agents do not fit that timing model. They can run continuously, change paths between tool calls, and complete consequential actions before a quarterly review or ticket workflow can react. That makes session-based governance too slow for the decision point that matters. The technical issue is not only authentication, but the location and timing of the authorisation decision. For agentic systems, the decision must be evaluated at the moment of action, with current context attached.

Practical implication: Place policy evaluation at the point of action, not only at login or provisioning.

Delegation chains and token exchange in agentic workflows

A delegation chain becomes visible only when each hop preserves who initiated the action, which actor is acting now, and what authority was passed forward. If an agent borrows a human credential and the chain is collapsed, the audit record loses the critical distinction between user intent and agent execution. Token exchange patterns such as RFC 8693 preserve that delegation boundary by carrying audience and actor claims across hops. Without that structure, downstream services see a valid credential but not the real origin of the request or the scope of consent.

Practical implication: Keep delegation explicit across hops so downstream services can evaluate the actual actor and scope.

Dynamic authorization and decision records for agent actions

Dynamic authorization evaluates human, agent, tool, route, resource, purpose, and session state together instead of treating access as a fixed role. That matters because the right answer can change while the agent is still running. A simple access log says a token was valid, but it does not explain why a high-risk action was allowed or which policy version produced the decision. Decision records fill that gap by recording the policy basis, the context seen, and the outcome at each hop. In agentic environments, those records are the difference between traceability and guesswork.

Practical implication: Log the decision, context, and policy basis at every hop so agent actions are explainable after the fact.
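
The two sections above (delegation preserved through RFC 8693 `act` claims, and decision records at each hop) can be seen together in one small policy check. This is an added example, not code from Cerbos or from the original analysis. The policy table, version label, service name, and subject names are hypothetical, and the claim sets are constructed samples assumed to have passed signature and expiry validation already.

```python
import json
from datetime import datetime, timezone

POLICY_VERSION = "example-policy-v1"  # hypothetical version label
# Hypothetical policy: action -> agents allowed to act for a user, plus a limit.
POLICY = {
    "payments:transfer": {"actors": {"agent:invoice-bot"}, "max_amount": 500},
    "crm:read": {"actors": {"agent:invoice-bot", "agent:support-bot"}, "max_amount": None},
}

def actor_chain(claims):
    """Flatten RFC 8693 nested `act` claims: current actor first, prior actors after."""
    chain, act = [], claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain

def decide(claims, service, action, context):
    """Evaluate one action at the point of execution; return a decision record."""
    chain, rule = actor_chain(claims), POLICY.get(action)
    aud = claims.get("aud")
    if service not in (aud if isinstance(aud, list) else [aud]):
        outcome, reason = "deny", "token audience does not include this service"
    elif not chain:  # assumption: this endpoint only accepts delegated agent calls
        outcome, reason = "deny", "no act claim, acting party unknown"
    elif rule is None:
        outcome, reason = "deny", "no policy rule for action"
    elif chain[0] not in rule["actors"]:  # only the current actor drives the decision
        outcome, reason = "deny", "current actor not permitted for action"
    elif rule["max_amount"] is not None and context.get("amount", 0) > rule["max_amount"]:
        outcome, reason = "deny", "amount exceeds delegated limit"
    else:
        outcome, reason = "allow", "rule matched"
    return {"time": datetime.now(timezone.utc).isoformat(),
            "policy_version": POLICY_VERSION, "initiator": claims.get("sub"),
            "actor_chain": chain, "service": service, "action": action,
            "context": context, "outcome": outcome, "reason": reason}

# Constructed sample claims; signature and expiry checks are assumed done upstream.
DELEGATED = {"sub": "user:alice", "aud": "payments-api",
             "act": {"sub": "agent:invoice-bot", "act": {"sub": "agent:orchestrator"}}}
COLLAPSED = {"sub": "user:alice", "aud": "payments-api"}  # agent reused the human token

if __name__ == "__main__":
    for claims, amount in [(DELEGATED, 120), (DELEGATED, 9000), (COLLAPSED, 120)]:
        record = decide(claims, "payments-api", "payments:transfer", {"amount": amount})
        print(json.dumps(record))
```

The third record is the delegation-collapse case: the credential is valid, but the record has an empty actor chain, so nothing downstream can say which agent acted.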



NHI Mgmt Group analysis

Agent authorization is now the vault problem, not the inventory problem. Identity still matters, but identity only gets the agent into the building. The decisive question is whether the system can stop or permit a concrete action when that action reaches money movement, data exposure, or production change. That is where conventional IAM loses leverage and where authorization must move to the exact control point. Practitioner conclusion: re-centre governance on the action that can cause harm, not the label attached to the actor.

Dynamic authorization is the right category because static access models are structurally too slow. RBAC and quarterly access reviews were designed for stable entitlements, not for actors that can fan out through tools and change execution paths mid-task. The useful frame is a bundle of evidence: identity, action, object, context, delegation, and session state. That bundle is what an agentic policy decision must evaluate. Practitioner conclusion: treat policy as runtime decisioning, not as a one-time permission grant.

Delegation collapse is the named failure mode this topic exposes. Human-shaped IAM assumes a stable person sits behind the action long enough for governance to anchor accountability. That assumption fails when an agent acts through multiple hops and the human disappears from the chain. The implication is not simply that more controls are needed. The programme itself must recognise that accountability cannot rely on an originator that is no longer visible at the point of consequence. Practitioner conclusion: preserve delegation as a first-class governance object.

Agent governance will converge on policy-evaluated infrastructure rather than application-by-application exceptions. The work is moving toward a runtime layer that gateways, MCP servers, tool calls, and services can all consult before an action becomes real. That direction is consistent with the broader NHI governance trajectory: controls need to follow the workload across surfaces instead of living inside one product boundary. Practitioner conclusion: align identity, application, and platform teams around a shared decision plane.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • That gap becomes more dangerous when paired with lifecycle failures, which is why the 52 NHI Breaches Analysis is the right next read for understanding what persistent exposure looks like in practice.

What this signals

Delegation collapse: agentic programmes need a governance model that preserves the actor chain from initiation to consequence, because once the human disappears from the path, standard IAM evidence becomes incomplete. Teams that still anchor control in long-lived sessions will find that their review cycles miss the most important decisions.

The next maturity step is to treat runtime policy as part of the application and platform fabric, not as an afterthought. That usually means aligning agent governance with zero trust thinking, where the decision is always contextual and the authority is always constrained to the current action.

With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, the pressure to narrow agent authority is not theoretical. The practical response is to shrink the set of actions an agent can reach without human review and to prove why each remaining action is allowed.


For practitioners

  • Map the vaults first: Identify the tools, APIs, data stores, workflows, credentials, and transactions where an agent action can create real harm. Prioritise the places where policy must decide before the action completes, not after the session ends.
  • Preserve delegation at every hop: Use token exchange or equivalent claims propagation so each downstream service can see the actor chain, audience, and delegated authority. Do not let an agent inherit a human credential without a traceable boundary.
  • Move policy evaluation into the runtime path: Evaluate access where the action becomes real, whether that is a gateway, MCP server, application service, or data layer. Keep the policy decision close enough to inspect current context and stop high-risk actions in flight.
  • Log decision records, not just access events: Record the policy version, context, delegated actor, and outcome for each consequential hop. Use those records to reconstruct why an agent was allowed to act, not just that it connected successfully.
  • Treat agent access as a governance design review item: Put IAM representation into API, tool, and workflow design reviews so teams decide the authorisation boundary before implementation hardens the wrong assumption. The review should answer who decides, at what point, and with what evidence.

Key takeaways

  • AI agents shift the IAM control point from identity discovery to action-time authorisation.
  • Human-shaped review cycles cannot reliably govern continuous tool use, delegation chains, or mid-session scope changes.
  • Teams should design runtime policy, explicit delegation, and decision records before agent adoption spreads further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent tool use and runtime decisions raise agentic AI authorization risk. |
| NIST CSF 2.0 | PR.AC-4 | Dynamic access decisions map to least-privilege and access enforcement. |
| NIST Zero Trust (SP 800-207) | PL-1 | Zero trust requires continuous verification for every consequential request. |

Apply least-privilege controls at the decision point where an agent action becomes real.


Key terms

  • Agent Authorization: Agent authorization is the decision process that determines whether a software agent may take a specific action at runtime. It evaluates context, delegated authority, and resource sensitivity at the moment of execution, not only at login or provisioning time.
  • Delegation Chain: A delegation chain is the traceable path of authority passed from one actor to another across a workflow. In agentic systems, it must preserve who initiated the action, who is acting now, and what scope was transferred so accountability does not disappear between hops.
  • Decision Record: A decision record is an audit artefact that explains why a policy allowed or denied an action. It typically includes the policy version, the context evaluated, the actor chain, and the outcome, which makes it more useful than a simple access log for agent governance.
  • Runtime Policy: Runtime policy is access control that evaluates a request while the system is executing, using current conditions rather than static roles alone. For agents, it is the practical mechanism that keeps authorisation aligned with changing context, tool use, and delegated actions.

This post draws on content published by Cerbos: EIC 2026 analysis of AI agent authorization, delegation, and runtime policy. Read the original.
