By NHI Mgmt Group Editorial Team | Published 2026-05-19 | Domain: Agentic AI & NHIs | Source: 1Password

TL;DR: Agentic systems break the human assumption that authentication can establish trust for a fixed period, because they expand scope mid-task, make fresh tool choices, and require continuous authorization, attribution, and mediated credential use, according to 1Password. Static identity controls are no longer enough when an agent can change intent after login.


At a glance

What this is: This is an analysis of why human authentication assumptions fail for agents, with continuous authorization, attribution, and mediated access presented as the minimum control plane.

Why it matters: It matters because IAM, PAM, and NHI programmes now have to govern actors whose scope can drift after login, whose secrets must be mediated at use time, and whose actions must remain attributable across tools and sessions.



Context

Authentication still assumes that an identity can be verified once and trusted for a defined period. That model works best when the subject is human and the intent is relatively stable, but agentic systems do not stay within a fixed task boundary, which makes post-login behaviour the real governance problem for NHI and agent access.

The practical issue is not whether an agent can sign in. It is whether the programme can keep evaluating what that agent is doing after it has been granted access, especially when it starts calling new tools, reaching new data, and altering its own workflow mid-session. That is where continuous authorization, mediated secrets, and traceable delegation become identity controls rather than nice-to-have features.


Key questions

Q: How should security teams govern agent identity after login?

A: Security teams should govern agent identity as a runtime control problem, not a login problem. The key is to re-evaluate access as the workflow evolves, because agents can expand scope after authentication. That means step-level authorization, explicit delegation boundaries, and traceable action logs that preserve who authorised the agent and what authority it used.

Q: Why do agents complicate least-privilege design?

A: Agents complicate least-privilege design because their intent is not fully knowable at provisioning time. A human request can branch into new tools, files, or APIs after access begins, so static permissions quickly become either too broad or too restrictive. Least privilege still matters, but it must be enforced dynamically as the task unfolds.

Q: What breaks when secrets are given directly to an agent?

A: Direct secret handoff breaks the boundary between authority and execution. Once the secret enters the model context, it can be copied, reused, or misapplied outside the intended destination. That creates a larger trust surface than mediated access, where credentials are bound to specific systems and used without exposing the underlying secret to the agent.

Q: Who is accountable when an autonomous agent exceeds its intended scope?

A: Accountability should remain with the delegating organisation and the human or process that granted the authority, but only if the system preserves attribution across tools and sessions. Without durable execution traces, teams cannot reconstruct who authorised the action, which system executed it, or where the chain of authority broke down.


Technical breakdown

Continuous authorization for agent workflows

Continuous authorization means access is re-evaluated at each step of an agent’s workflow instead of being granted once at session start. That matters because agents do not always follow the task that originally justified access. A coding agent may begin with local file access, then decide it needs external documentation, a browser, or another API. Each step changes the risk profile, so front-loaded OAuth or OIDC consent is no longer enough on its own. The control problem is not authentication failure. It is scope drift after an apparently valid login.

Practical implication: enforce step-level policy decisions for agent actions, not just one-time login grants.

Attribution across tools, runtimes, and sessions

Attribution is the ability to trace an action back to the initiating human and the authority under which the agent acted. That is difficult because agents often cross multiple systems that log separately and use different identity forms, such as user identity in one place, a service account in another, and an API token elsewhere. Without a durable execution trace, investigators can see valid steps but not the full chain of authority. The control gap is not log volume. It is broken continuity between intent, execution, and accountability.

Practical implication: preserve execution traces that bind each action to both the agent and its delegator.
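The two practical implications above (step-level policy decisions and traces bound to both agent and delegator) can be combined in one decision point. The sketch below is an added example, not code from 1Password or NHI Mgmt Group; the class, field names and sample identities are hypothetical, and the hash chain is one assumed way to make the trace tamper-evident.

```python
import hashlib
import json

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class StepAuthorizer:
    def __init__(self, delegator, agent, task, allowed):
        self.ctx = {"delegator": delegator, "agent": agent, "task": task}
        self.allowed = {tool: set(p) for tool, p in allowed.items()}
        self.trace = []

    def authorize(self, tool, resource):  # evaluated on every action, not once at login
        prefixes = self.allowed.get(tool)
        if prefixes is None:
            decision = "step_up"  # tool outside the original grant: scope drift
        elif any(resource.startswith(p) for p in prefixes):
            decision = "allow"    # identifiers assumed already normalised
        else:
            decision = "deny"
        self._record(tool, resource, decision, self.ctx["delegator"])
        return decision

    def approve(self, approver, tool, prefix):  # a fresh human decision widens scope
        self.allowed.setdefault(tool, set()).add(prefix)
        self._record(tool, prefix, "scope_added", approver)

    def _record(self, tool, resource, decision, authority):
        prev = self.trace[-1]["hash"] if self.trace else "0" * 64
        body = dict(self.ctx, tool=tool, resource=resource,
                    decision=decision, authority=authority, prev=prev)
        self.trace.append(dict(body, hash=_digest(body)))

def verify_trace(trace):  # False if an entry was altered, reordered or cut from the middle
    prev = "0" * 64
    for entry in trace:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def demo():  # constructed scenario: a coding agent that later wants a browser
    pdp = StepAuthorizer("alice", "agent-7", "fix-build", {"file_read": ["repo/"]})
    steps = [pdp.authorize("file_read", "repo/src/app.py"),
             pdp.authorize("browser", "https://docs.example.com/api")]
    pdp.approve("alice", "browser", "https://docs.example.com/")
    steps.append(pdp.authorize("browser", "https://docs.example.com/api"))
    return steps, pdp.trace
```

Every trace entry carries the delegator, the agent and the authority behind the decision, so the browser call can be tied to the approval that permitted it. Detecting truncation of the tail would additionally require anchoring the latest hash outside the agent's reach.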

Mediated credential use and secrets handling

Mediated credential use keeps secrets out of the agent’s context window and routes access through a controlled layer such as a proxy, gateway, or injection layer. That design matters because once a secret is exposed to the model, it can be copied, reused, or abused outside the intended destination. Direct secret handoff is not delegation. It is uncontrolled transfer of authority. By binding credentials to specific destinations and using them at the point of use, teams reduce the chance that a compromised or overreaching agent can turn access into broader misuse.

Practical implication: broker secrets at use time and deny direct secret exposure to the agent.
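Point-of-use mediation as described above, in an added example that is not code from 1Password or NHI Mgmt Group: the agent holds only an opaque handle, and a broker injects the secret for the one destination it is bound to. The class name, the `cred://` handle format, the hosts and the secret value are all hypothetical or constructed, and the transport is a stand-in for a real HTTP client.

```python
from urllib.parse import urlsplit

class CredentialBroker:
    """Holds secrets on behalf of an agent that only ever sees opaque handles."""

    def __init__(self, transport):
        self._transport = transport   # callable(url, headers) -> response text
        self._bindings = {}           # handle -> (secret, destination host)

    def bind(self, handle, secret, host):
        self._bindings[handle] = (secret, host.lower())

    def send(self, handle, url, headers=None):
        if handle not in self._bindings:
            raise PermissionError(f"unknown credential handle {handle!r}")
        secret, host = self._bindings[handle]
        parts = urlsplit(url)
        # Compare the parsed hostname, never a prefix or substring of the URL.
        if parts.scheme != "https" or (parts.hostname or "").lower() != host:
            raise PermissionError(f"{handle} is not bound to {url}")
        # Drop any Authorization header the agent supplied, then inject ours.
        out = {k: v for k, v in (headers or {}).items() if k.lower() != "authorization"}
        out["Authorization"] = f"Bearer {secret}"
        body = self._transport(url, out)
        # Scrub the secret in case the upstream reflects it back.
        return body.replace(secret, "[REDACTED]")

def demo():
    seen = []  # what the upstream actually received

    def upstream(url, headers):  # constructed stand-in for a real HTTP client
        seen.append(headers["Authorization"])
        return "echo " + headers["Authorization"]

    broker = CredentialBroker(upstream)
    broker.bind("cred://ci-api", "constructed-secret-123", "api.internal.example")
    reply = broker.send("cred://ci-api", "https://api.internal.example/v1/builds")
    try:
        broker.send("cred://ci-api", "https://other.example/collect")
        blocked = False
    except PermissionError:
        blocked = True
    return reply, blocked, seen
```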


Threat narrative

Attacker objective: The objective is to turn legitimate delegated agent access into broader, unattributed action across systems and tools.

  1. Entry occurs when an agent receives legitimate delegated access to a task and begins operating within the allowed environment.
  2. Credential access expands when the agent reaches beyond its original scope and uses newly reachable tools, files, or APIs without reauthorization.
  3. Impact follows when the agent’s actions can no longer be cleanly attributed or constrained, allowing unintended execution to persist across systems.



NHI Mgmt Group analysis

Authentication built for human stability breaks when the actor can change intent mid-session. The core premise of login-based trust is that identity and intent remain stable long enough for a session grant to be meaningful. That assumption fails when an agent can start with one task and decide it needs another tool or another dataset without a fresh human decision. The implication is not just weaker authentication, but a broken governance premise for agent identity itself.

Continuous authorization is the only control that matches agent behaviour, but it also reveals the failure of front-loaded consent models. OAuth and OIDC were designed around stable scopes and approval at the start of a session. Agents create intent drift after access is already live, which means the old model grants more authority than it can observe. The governance gap is not missing policy wording, it is a control architecture built for a different actor type.

Attribution is the named concept that now sits between delegation and accountability. For agents, traceability must survive across tools, runtimes, and sessions, or governance collapses into disconnected logs that prove nothing about authority. This is not an audit enhancement problem, it is a delegation-chain problem that spans human, agent, and infrastructure identity. Practitioners should treat attribution as a core identity property, not a forensic afterthought.

Mediated credential use shows that direct secret possession is an outdated trust assumption for agents. If a secret enters the model context, the authority travels with the prompt and can outlive the intended action. That breaks the premise that credentials are safely usable once identity has been verified. The implication is that secret handling for agents must be designed as bounded authority, not portable possession.

Agent identity governance now has to align identity, authorization, and execution into one control plane. Separate controls no longer hold together when an agent can act faster than a human review cycle and widen scope on its own. This shifts the field toward runtime governance, not stronger login ceremonies. Practitioners should re-centre their programmes on what the agent can do after authentication, not just how it got in.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot see the full non-human estate clearly.
  • For a broader control baseline, 52 NHI Breaches Analysis shows how over-privilege and weak lifecycle governance translate into real incidents.

What this signals

Attribution is becoming the governance hinge for agent programmes. As agents move across tools and sessions, security teams need more than logs. They need traceable delegation that can survive operational handoffs, because once identity, authority, and execution split apart, audit becomes reconstruction rather than proof. For teams already using the Ultimate Guide to NHIs as a baseline, the next step is to apply that lifecycle thinking to agent workflows rather than only to static machine identities.

Continuous authorization is the practical expression of zero trust for agents. The old model of verifying once and trusting for a period no longer matches runtime behaviour, especially when the actor can introduce new tools or data paths mid-task. That shift aligns closely with the OWASP Top 10 for Agentic Applications 2026, which treats tool misuse, privilege escalation, and execution drift as first-class risks.

Mediated credentials should become the default control pattern for any production agent. If secrets are handed directly to the model, the trust boundary has already failed. Teams should treat point-of-use mediation, short-lived task scope, and auditable delegation as the minimum programme standards, then validate them against the identity patterns documented in 52 NHI Breaches Analysis.


For practitioners

  • Map where authentication assumptions end: Identify every workflow where a one-time login or approval currently governs later agent actions. Replace those paths with step-level authorization checks that re-evaluate scope when the agent requests a new tool, dataset, or API.
  • Broker secrets at the point of use: Keep credentials out of the agent context window and route access through a proxy or gateway that binds each secret to a specific destination. Treat any direct secret handoff as a governance failure, not a convenience.
  • Bind every agent action to a delegator: Preserve execution traces that connect each action to the initiating human and the authority under which the agent acted. Use those traces for incident response, audit, and policy enforcement across systems that otherwise log separately.
  • Review delegation chains before production rollout: Document which human, service account, and system identities participate in each agent workflow, then remove broad standing access where the chain cannot be explained clearly. Use the Ultimate Guide to NHIs for baseline lifecycle thinking and the OWASP Agentic AI Top 10 for runtime risk patterns.

Key takeaways

  • Agentic systems invalidate the human assumption that authentication creates stable trust for the rest of a session.
  • The scale of NHI privilege creep and poor visibility shows why runtime governance matters more than login-time assurance.
  • Teams should redesign around continuous authorization, attribution, and mediated secrets before agent workflows reach production at scale.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | AG-03 | Agent scope drift and tool misuse map directly to runtime agent controls.
OWASP Non-Human Identity Top 10 | NHI-01 | The article centres on delegated non-human access and secret exposure risk.
NIST AI RMF |  | Continuous authorization and attribution align with AI governance and accountability.

Treat agents as NHIs and broker their secrets through controlled, auditable use paths.


Key terms

  • Continuous Authorization: Continuous authorization is the practice of re-checking access as a task unfolds instead of trusting a one-time login decision. For agents, it matters because intent can shift mid-session, so scope must be evaluated at each action rather than assumed stable after authentication.
  • Attribution: Attribution is the ability to trace an action back to the originating human and the authority under which an agent executed it. In agent governance, it requires durable traces across tools and sessions so audit and incident response can prove who delegated what and when.
  • Mediated Credential Use: Mediated credential use means the agent never directly holds the underlying secret. Access is routed through a control layer that binds credentials to specific destinations, reducing the chance that secrets are copied into the model context or reused outside the intended workflow.
  • Delegation Chain: A delegation chain is the path of authority from the human or process that initiated work through any intermediate identities the agent touches. For agentic systems, the chain must remain visible end to end, because accountability collapses when logs stop showing how authority moved.


This post draws on content published by 1Password: continuous authorization, attribution, and mediated access for agents in production. Read the original.
