TL;DR: Agentic AI systems are expanding the enterprise attack surface faster than governance can keep up, with one source article noting that nearly 80% of organisations already deploy AI agents and that task-specific agent integration could reach 40% of enterprise applications by the end of 2026. The real issue is not AI capability, but identity control: agents accumulate privileges, chain tools, and operate beyond the review cadence built for human-paced access.
At a glance
What this is: The article argues that AI agents behave like identities with broad, expanding access, creating a new attack surface that traditional IAM and network controls do not govern well.
Why it matters: IAM, NHI, and security teams need to treat agents as governed identities because standing access, policy drift, and tool chaining can turn routine automation into uncontrolled internal reach.
By the numbers:
- Almost 80% of organizations are already deploying AI agents.
- Gartner predicts that 40% of enterprise applications will be integrated with task-specific AI agents by the end of 2026, up from less than 5% in 2025.
- 48% of cybersecurity professionals now identify agentic AI and autonomous systems as the most dangerous attack vector.
👉 Read Zero Networks' analysis of agentic AI cybersecurity risks
Context
AI agents are software identities that can reason through tasks, call tools, and move across systems with little or no human approval between steps. That changes identity governance because the access pattern is not just automated, it is dynamic, open-ended, and capable of expanding while the session is still active.
The control gap is familiar even if the technology is not. Enterprises already struggle to maintain visibility into non-human identities, but agentic workflows add tool chaining, policy drift, and reasoning-layer manipulation to the problem. The result is an identity surface that can grow faster than most access review, segmentation, and approval processes were designed to handle.
Key questions
Q: How should security teams govern AI agents that can call tools across multiple systems?
A: Security teams should govern AI agents as non-human identities with explicit runtime boundaries. That means inventorying each agent, limiting the systems and APIs it can reach, and continuously checking observed behaviour against declared scope. If an agent can expand access through tool chaining or new context, the access model is already too loose.
Q: Why do AI agents create more identity risk than ordinary automation?
A: AI agents create more identity risk because they can select actions, invoke tools, and proceed through a task without a human approving each step. That makes privilege dynamic rather than fixed. The practical problem is not automation itself, but the combination of decision-making, tool access, and execution that can widen scope during a live session.
Q: What do teams get wrong about least privilege for AI agents?
A: Teams often treat least privilege as a one-time provisioning exercise, but agentic systems change scope as they receive new tools, instructions, or data. Least privilege only works if access is continuously compared with what the agent actually uses. Otherwise, the agent accumulates reach faster than governance can remove it.
Q: Who is accountable when an AI agent exposes data or misuses tools?
A: Accountability should sit with the team that owns the agent’s identity, access policy, and operating guardrails. If the agent can access multiple systems, responsibility also extends to the owners of those systems because shared reach creates shared risk. Governance should make ownership explicit before the agent is allowed to act.
Technical breakdown
Why agentic AI changes the identity model
An AI agent is not just another workload. It is a process that can reason toward a goal, select tools, and execute across multiple systems with minimal human intervention. That makes the identity problem different from standard automation: the same identity can expand its reach during runtime through new tools, broader context, or chained actions. In practical terms, privilege is no longer a fixed provisioning event. It becomes a moving target shaped by the agent’s task scope, the data it sees, and the systems it can reach.
Practical implication: Treat agents as governed identities with runtime access boundaries, not as static automation jobs.
Prompt injection, tool misuse, and identity spoofing
The dominant agentic threats do not require breaking cryptography. Prompt injection can redirect the agent’s reasoning, tool misuse can turn legitimate permissions into lateral movement, and impersonation can let attackers steal or reuse agent credentials. Because agents often authenticate across multiple services, one compromised credential can expose everything that identity was allowed to touch. In multi-agent workflows, malicious instructions can also propagate between agents, turning a single manipulated input into a broader compromise path.
Practical implication: Control what agents can see and invoke, and assume that one exposed identity can cascade across connected systems.
Why deterministic enforcement matters at the network layer
Agentic systems need policy enforcement that is deterministic, not best-effort. If a control allows occasional exceptions or inconsistent reach, the agent can traverse systems that were never intended to be in scope. Network-layer identity controls matter because they constrain which services, APIs, and data stores each agent can reach regardless of how the agent reasons. That is the point where least privilege becomes operational rather than theoretical: the permitted path must be narrow enough to contain misuse without breaking the workflow.
Practical implication: Enforce agent access with explicit, testable boundaries tied to observed behaviour, not deployment assumptions.
Threat narrative
Attacker objective: The attacker wants to hijack a trusted AI agent so they can move through internal systems using legitimate access rather than stolen perimeter credentials.
- Entry occurs when an attacker manipulates an agent through prompt injection, exposed APIs, or weak agent authentication, causing the system to accept hostile context or forged identity.
- Escalation follows when the agent uses its legitimate tool access to reach systems, data stores, or code paths that exceed the original task boundary, effectively turning authorised access into lateral movement.
- Impact lands when the agent reveals credentials, exposes sensitive data, or propagates malicious instructions through connected workflows and other agents.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic AI creates an identity problem before it creates a model-risk problem. The article is strongest when it treats AI agents as processes with identities, because that is where the governance failure starts. Once an agent can call tools, expand context, and act across systems without step-by-step approval, the issue is no longer just AI safety. The practitioner conclusion is that identity teams now own part of the agent security boundary.
Least privilege for AI agents is not a provisioning question, it is a runtime containment question. The source article shows how agents accumulate permissions through task scope, policy drift, and tool chaining. That means the traditional idea of a stable access package is already under strain. The field should reframe agent governance around observed behaviour, not declared intent, because declared intent changes faster than entitlement review cycles.
Access review was designed for identities whose privilege persists long enough to be reviewed. That assumption fails when the actor is autonomous because the same system can select tools, alter execution paths, and complete a task before any review cycle would see the state. The implication is not merely that reviews need to move faster, but that review-based governance is structurally mismatched to agent-timed access.
Identity blast radius is the right concept for agentic AI governance. The article repeatedly shows that the risk is not one failed control, but the spread of reachable systems, APIs, and data once an agent is over-scoped or manipulated. For practitioners, the question is no longer whether an agent can perform a task, but how far it can travel if one boundary fails. That makes containment the primary design variable.
Shadow AI becomes an identity discovery problem the moment agents can act independently. The article’s warning about undocumented agents and broad attack surfaces matters because unmanaged agents are not just unapproved software. They are unmanaged identities with reachable systems, active tokens, and hidden permissions. Practitioners should treat discovery as the first governance act, because you cannot constrain what you have not found.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Another finding from the same report shows that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For adjacent context, see OWASP Agentic AI Top 10 for the control patterns most likely to matter when agents misuse tools or drift out of scope.
What this signals
Agentic AI will force identity teams to move from account administration to behaviour containment. As more AI systems are allowed to reason and act across internal tools, the programme question becomes whether access can be constrained at runtime instead of merely reviewed after the fact. That is why the governance model must shift toward observed identity behaviour, not only declared entitlements.
With 92% of organisations agreeing that governing AI agents is critical but only 44% having implemented policies, the operating gap is structural rather than accidental. Use AI Agents: The New Attack Surface report to benchmark how far your own programme has progressed from awareness to enforcement. The next control milestone is not more policy language, but continuous containment of agent reach.
Identity blast radius should become the planning metric for agent programmes. Once an AI agent can chain tools across systems, the relevant question is how far one identity can move if it is manipulated. That is the right frame for segmentation, review cadence, and incident containment, and it aligns naturally with OWASP Agentic AI Top 10.
For practitioners
- Inventory every active AI agent identity Build a live register of agents, their authentication method, the tools they can invoke, and the systems they actually reach in production. The goal is to compare declared scope with observed behaviour so hidden or over-scoped agents are visible before they become a security incident.
- Constrain agent reach with deterministic policy boundaries Apply explicit network and application-level access boundaries so each agent can only reach the services, APIs, and data stores it demonstrably needs. Test those boundaries under failure conditions, because inconsistent enforcement creates the opening for tool misuse and lateral movement.
- Separate observation from approval for high-risk agent actions Use monitoring to learn normal agent behaviour, then require tighter controls for actions that cross systems, expose data, or invoke sensitive tools. Pair this with review of high-risk paths, so runtime access does not silently expand beyond the original task.
- Track permission drift as a continuous control Reconcile agent entitlements after every new tool, integration, or workflow change. If the agent’s access footprint grows faster than the business use case, reduce scope immediately and document the exception as an identity risk, not just a platform issue.
Key takeaways
- AI agents behave like non-human identities with dynamic reach, which makes traditional IAM assumptions too static for agentic workflows.
- The source article reports that 80% of organisations have already seen agents act beyond intended scope, including unauthorised access, data sharing, and credential exposure.
- Practitioners need runtime containment, deterministic boundaries, and continuous visibility if they want agentic AI without expanding the identity blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The article centers on agent tool misuse, prompt injection, and identity abuse. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | AI agents are treated as identities with access, tokens, and standing permissions. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article describes credential exposure and agent-driven movement across systems. |
| NIST CSF 2.0 | PR.AC-4 | The article is about governing access rights and boundaries for agent identities. |
| NIST AI RMF | MANAGE | Agentic behaviour requires ongoing risk treatment and operational control. |
Inventory agent identities and reduce over-scoped access to the minimum required function.
Key terms
- Agentic AI: Agentic AI is a system that can pursue a goal by selecting actions, invoking tools, and executing steps with limited human intervention. In identity terms, it behaves like a non-human actor whose permissions and runtime decisions must both be governed.
- Agentic Attack Surface: The agentic attack surface is the total set of systems, APIs, data stores, and services an AI agent can reach. It is broader than a single application boundary because the agent may chain access across multiple tools and services during one task.
- Tool Misuse: Tool misuse occurs when an attacker causes an AI agent to use its legitimate integrations in unintended ways. The access is not stolen in the classic sense, but the result is similar: authorised tools become the path to unauthorised actions or data exposure.
- Identity Blast Radius: Identity blast radius is the amount of damage a single identity can cause if it is compromised or manipulated. For AI agents, the blast radius depends on the number of systems, APIs, and datasets reachable from that identity, plus how quickly it can act.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- A four-step control roadmap for visibility, scope adjustment, enforcement, and policy lifecycle management
- The article's worked example of how agent behaviour can chain across exposed endpoints and production data paths
- Practical framing for deterministic, human-on-the-loop enforcement in AI agent environments
- Specific examples of the threat tactics the article groups under prompt injection, tool misuse, and impersonation
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org