By NHI Mgmt Group Editorial Team
Published 2026-05-01
Domain: Agentic AI & NHIs
Source: Strata Identity

TL;DR: Agent user identities are scaling far faster than human ones, with Gartner projecting agentic AI in 33% of enterprise applications by 2028 and 50x to 80x more agents than users, according to Strata Identity. Static IAM assumptions break when agents reason and act at runtime, making task-scoped, ephemeral access the only containment model that matches their speed.


At a glance

What this is: Agent sprawl is turning AI agents into a fast-growing identity class whose credentials, scopes, and access paths outpace traditional IAM controls.

Why it matters: IAM teams now have to govern autonomous behaviour, non-human credentials, and human approval chains as one lifecycle problem instead of separate control domains.



Context

Agent sprawl is the uncontrolled growth of AI agents, their credentials, and their access paths across enterprise systems. The first problem for identity teams is not model risk, it is governance scale: every new agent behaves like a new identity subject with its own tokens, scopes, and lifecycle.

This matters because the operating assumptions behind traditional IAM were built for stable users, slow role change, and reviewable access. When agents are deployed quickly across databases, APIs, and internal services, over-provisioned OAuth scopes, reused service accounts, and long-lived tokens create an access surface that outpaces review cycles.


Key questions

Q: How should security teams handle agent sprawl in enterprise environments?

A: Start by treating every AI agent as a governed identity subject with its own lifecycle, credential path, and access scope. Then enforce task-scoped permissions, remove standing access wherever possible, and require all tool use to pass through a sanctioned identity control plane. If the programme cannot inventory those identities, it cannot govern them.

Q: Why do agentic workflows break traditional IAM assumptions?

A: Traditional IAM assumes identities are relatively stable and can be reviewed on a human cadence. Agentic workflows break that assumption because access can be created and consumed during execution, often before a review process can observe it. That makes static entitlements, long-lived tokens, and slow certification cycles structurally mismatched to the behaviour being governed.

Q: What do security teams get wrong about OAuth scopes for AI agents?

A: Teams often grant broad scopes to make an agent work quickly, then assume later review will contain the risk. In practice, broad scopes become standing privilege, and standing privilege is what expands blast radius when a token is reused, leaked, or inherited by another workflow. The scope decision must be tied to the exact task, not the demo requirement.

Q: How do organisations stop agents from bypassing identity governance controls?

A: They need to eliminate direct access paths that sit outside the policy layer, including shadow connectors and ad hoc integrations. Every agent request should be forced through the governed identity layer so the organisation keeps intent, policy enforcement, and auditability intact. If those signals are missing, governance is already incomplete.


Technical breakdown

Runtime access control for agent identities

Agentic systems do not just request access, they decide when to act, which tool to invoke, and whether to continue a workflow. That changes the identity control problem from session management to runtime authorisation. Ephemeral credentials, token downscoping, and continuous policy evaluation become necessary because the access need is created during execution, not fully known in advance. Static entitlement models cannot safely express task-scoped access when intent is only revealed during the session.

Practical implication: Treat every agent session as a bounded execution context and enforce policy at the moment of tool use, not only at provisioning.
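
A minimal sketch of that enforcement point, added here as an illustration and not taken from Strata Identity or any product: grants are bound to one agent and one task, carry explicit scopes and a short expiry, can only be downscoped, and are re-checked on every tool call. The HMAC token format, the function names and the in-memory task list are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key; a real control plane would keep this in a KMS or HSM.
SIGNING_KEY = secrets.token_bytes(32)
CLOSED_TASKS = set()  # tasks that finished or were cancelled

def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def issue_grant(agent_id, task_id, scopes, ttl_s, now):
    """Mint a grant bound to one agent, one task, explicit scopes and a short expiry."""
    claims = {"agent": agent_id, "task": task_id,
              "scopes": sorted(scopes), "exp": now + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def verify(token, now):
    """Return the claims only if signature, expiry and task state all check out."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise PermissionError("grant expired")
    if claims["task"] in CLOSED_TASKS:
        raise PermissionError("task closed")
    return claims

def downscope(token, scopes, ttl_s, now):
    """Derive a narrower grant: scopes must be a subset and expiry never extends."""
    parent = verify(token, now)
    if not set(scopes) <= set(parent["scopes"]):
        raise PermissionError("downscope cannot add scopes")
    ttl = min(ttl_s, parent["exp"] - now)
    return issue_grant(parent["agent"], parent["task"], scopes, ttl, now)

def authorize_tool_call(token, tool_scope, now):
    """Policy decision at the moment of tool use, not at provisioning."""
    try:
        claims = verify(token, now)
    except PermissionError as err:
        return False, str(err)
    if tool_scope not in claims["scopes"]:
        return False, "scope not granted for this task"
    return True, "allowed"

def close_task(task_id):
    """Task completion revokes every grant issued for it, whatever its expiry."""
    CLOSED_TASKS.add(task_id)
```
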

Why standing privilege fails in agentic workflows

Standing privilege assumes the identity will remain in a stable state long enough for review, certification, and revocation to work. Agentic workflows break that assumption because access can be created, consumed, and extended faster than human governance cycles can observe. Once a shared service account or long-lived token is reused across agents, the blast radius expands silently across tasks, teams, and applications. The failure mode is not just excess privilege, but privilege drift at machine speed.

Practical implication: Remove persistent access paths from agent workflows and tie each permission grant to a specific task and scope.

Why MCP bypasses are an identity governance issue

When developers route agents around sanctioned access paths through ad hoc connectors or direct integrations, the control plane loses visibility into intent, policy enforcement, and auditability. That creates a shadow access layer where the identity exists, but governance does not. In practice, the problem is not the protocol itself, but the fact that unmanaged pathways let agents operate outside the identity fabric. Once that happens, review and detection become incomplete by design.

Practical implication: Inventory every non-sanctioned agent connector and require all tool access to pass through a governed identity layer.


Threat narrative

Attacker objective: The attacker aims to turn one agent credential into repeatable access across multiple internal systems and workflows.

  1. Entry occurs when developers provision service accounts, API keys, or OAuth tokens to make an agent work quickly, often with over-broad scopes. The initial foothold is legitimate access that was granted without tight task boundaries.
  2. Escalation follows when the same credentials are reused across multiple agents or applications, allowing standing privileges and privilege drift to accumulate. The access path broadens as tokens remain valid long after the original task ends.
  3. Impact appears when compromised or leaked agent credentials are used to reach databases, internal services, or APIs at scale. At that point, the attacker inherits machine-speed access across multiple workflows and systems.



NHI Mgmt Group analysis

Agent sprawl is now an identity governance problem, not an AI experimentation problem. The article’s core finding is that every new agent creates a credential path, an access path, and a review burden that classic IAM never sized for. That means security teams are no longer managing a tooling subset, they are managing a new identity population with machine-speed growth. The practitioner conclusion is straightforward: agent governance must be designed as part of identity architecture, not bolted on after deployment.

Standing privilege was designed for identities whose access state changes slowly and can be reviewed on a human schedule. That assumption fails when an agent can acquire, use, and extend access within a single task sequence. The result is assumption collapse, not just control weakness: the review model assumes there will be persistent access to certify, but the access lifecycle is too fast and too dynamic to fit that cadence. The implication is that governance teams must rethink the premise of reviewable persistence itself.

Token sprawl is the named failure mode this category now exposes. Over-provisioned OAuth scopes, reused service accounts, and long-lived tokens create a cumulative exposure pattern that looks harmless in isolation and dangerous in aggregate. The issue is not simply secret leakage, it is the multiplication of valid identity paths that can be abused across teams and tools. Practitioners should treat every additional token as an increase in identity blast radius, not just another credential to inventory.

MCP bypass and shadow connectors show how governance fails when agents can reach tools outside the sanctioned control plane. Once an agent uses a direct connector, the organisation loses policy enforcement and audit continuity at the same moment. That is a governance break, not only a technical shortcut. The practitioner implication is that sanctioned access paths must be the only paths that exist in production.

Identity orchestration is becoming the operating model for agentic access, but orchestration alone is not the same as control. The article correctly points toward runtime policy enforcement, attestation, and ephemeral access as the governing pattern. What matters is that the control plane matches the speed of agent execution. For practitioners, the real question is whether their identity architecture can downscope and expire access before the task completes.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For a broader control baseline, 52 NHI Breaches Analysis shows how identity failures repeatedly become breach enablers.

What this signals

Agentic access will force identity teams to collapse the distance between provisioning and enforcement. Programmes that still rely on periodic review will find that agent identity changes faster than certification cycles can track. The practical shift is toward runtime controls, automatic expiry, and governed access paths that cannot be bypassed without leaving a trace.

Identity blast radius is the concept practitioners should adopt for agent fleets. As more agents share credentials or inherit broad scopes, the security question is no longer whether one token is valid. It is how many systems that token can still reach before the organisation notices. With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, overpermission is already the norm, not the exception.

Zero Trust for agents requires identity-aware enforcement, not just network segmentation. That means aligning agent access with runtime policy, attestation, and continuous evaluation rather than assuming the application boundary will contain misuse. Teams that already use NIST AI Risk Management Framework language for AI governance should map it directly to identity control ownership and operational escalation.


For practitioners

  • Audit every agent-issued credential path. Map API keys, OAuth tokens, service accounts, and certificates used by agents, then identify where the same identity is reused across multiple applications or teams.
  • Replace standing access with task-scoped grants. Issue permissions only for a single workflow or tool invocation, and require automatic expiry when the task finishes so access does not persist for reuse.
  • Route all agent tool access through a governed identity layer. Block direct connectors and shadow integrations that bypass policy enforcement, then require every agent request to pass through the sanctioned control plane.
  • Test for privilege drift at machine speed. Simulate repeated agent actions across shared credentials to see where scopes expand faster than review cycles can detect them.
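
The credential audit in the first item can start as a pass over an inventory export. The following is an added example, not code from Strata Identity or NHI Mgmt Group; the inventory rows are constructed, and the 24-hour lifetime threshold and field layout are assumptions.

```python
from collections import defaultdict

# Constructed inventory rows:
# (credential_id, agent, scopes, reachable_systems, ttl_hours)
INVENTORY = [
    ("svc-shared-01", "invoice-agent", {"db:read", "db:write"}, {"billing-db", "crm-api"}, 8760),
    ("svc-shared-01", "support-agent", {"db:read", "db:write"}, {"crm-api", "tickets-api"}, 8760),
    ("svc-shared-01", "report-agent", {"db:read", "db:write"}, {"warehouse-db"}, 8760),
    ("tok-task-9f2", "triage-agent", {"tickets:read"}, {"tickets-api"}, 1),
    ("key-legacy-3", "sync-agent", {"*"}, {"hr-api", "billing-db"}, 2160),
]
MAX_TTL_HOURS = 24  # assumed policy threshold, not a figure from the article

def audit(inventory, max_ttl_hours=MAX_TTL_HOURS):
    """Group rows by credential; flag reuse, long lifetime and wildcard scopes."""
    creds = defaultdict(lambda: {"agents": set(), "systems": set(),
                                 "scopes": set(), "ttl": 0})
    for cred_id, agent, scopes, systems, ttl in inventory:
        entry = creds[cred_id]
        entry["agents"].add(agent)
        entry["systems"] |= systems
        entry["scopes"] |= scopes
        entry["ttl"] = max(entry["ttl"], ttl)

    report = []
    for cred_id, e in creds.items():
        findings = []
        if len(e["agents"]) > 1:
            findings.append("shared across %d agents" % len(e["agents"]))
        if e["ttl"] > max_ttl_hours:
            findings.append("long-lived (%dh)" % e["ttl"])
        if any(s == "*" or s.endswith(":*") for s in e["scopes"]):
            findings.append("wildcard scope")
        # Blast radius: distinct systems this one credential can reach.
        report.append({"credential": cred_id,
                       "blast_radius": len(e["systems"]),
                       "findings": findings})
    # Widest reach first, so review starts with the credential that matters most.
    return sorted(report, key=lambda r: (-r["blast_radius"], r["credential"]))

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(row)
```
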

Key takeaways

  • Agent sprawl turns AI deployment into an identity governance problem because each agent adds credentials, scopes, and access paths that compound quickly.
  • The scale issue is already visible, with Gartner projecting agentic AI in 33% of enterprise applications by 2028 and 50x to 80x more agents than users.
  • Task-scoped, runtime-enforced access is the control pattern that fits agent behaviour, while standing privilege and shadow connectors expand blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Agent credentials and token sprawl map to NHI identity creation and lifecycle control.
NIST CSF 2.0 | PR.AC-1 | Runtime agent access needs explicit identity and access governance.
OWASP Agentic AI Top 10 | TBD | Agentic workflows can bypass policy through tool misuse and shadow connectors.

Inventory all agent identities and require governed issuance, rotation, and revocation paths.


Key terms

  • Agent Sprawl: Agent sprawl is the uncontrolled growth of AI agents, their credentials, and their access paths across an enterprise. It creates a governance problem because each agent behaves like a new identity subject with its own lifecycle, scopes, and review burden.
  • Standing Privilege: Standing privilege is persistent access that remains usable outside the specific task that justified it. In agentic environments, it becomes especially risky because machine-speed actions can reuse or amplify the access before human review can intervene.
  • Identity Orchestration: Identity orchestration is the control layer that routes identity decisions across applications and environments instead of letting each system manage access independently. For agents, it is the mechanism that can centralise policy, auditing, and downscoping at runtime.
  • Identity Blast Radius: Identity blast radius is the number of systems, data, and workflows a credential can reach if it is misused or exposed. For AI agents, the concept matters because one reused token can stretch across many automations, multiplying the impact of a single governance failure.


This post draws on content published by Strata Identity: agent sprawl and AI identity governance. Read the original.
