TL;DR: Businesses are adopting AI agents faster than security teams can govern them, and unvetted agents are being granted access to credentials, systems, and data, according to Bitwarden. The core problem is that existing access models assume stable, reviewable identities, while agentic workflows can create over-scoped access and unapproved actions before controls catch up.
At a glance
What this is: This is an analysis of how agentic AI is expanding shadow AI and credential exposure across enterprise workflows.
Why it matters: It matters because identity teams now have to govern AI agents alongside human and machine identities, or risk over-scoped access, unapproved actions, and data leakage.
By the numbers:
- 83% of IT leaders agree that business units are deploying agents faster than security teams can support.
👉 Read Bitwarden's analysis of agentic AI credential security and shadow AI
Context
Agentic AI changes identity governance because the actor is no longer just a user or a service account. It is a runtime entity that can be granted credentials, access data, and execute actions inside business processes, sometimes without explicit IT approval. That shifts the question from whether automation is useful to whether the organisation can actually govern the identity behind the automation.
Shadow AI is the practical symptom of that shift. Employees are already using agents inside workflows, and once those agents touch secrets, tickets, scripts, or administrative interfaces, the blast radius becomes an identity problem as much as an AI problem. The right control lens is not only policy enforcement, but also credential scope, approval boundaries, and auditability across human, machine, and agent access paths.
Key questions
Q: How should security teams govern AI agents that use corporate credentials?
A: Treat AI agents as distinct governed identities with task-scoped access, approval boundaries, and audit trails. The key is to restrict what the agent can see and do during a specific workflow, rather than giving it reusable standing access that can persist across sessions or spread into other tools.
Q: Why do AI agents create more access risk than ordinary automation?
A: AI agents can choose actions at runtime and may interact with multiple tools, data sources, and credentials inside one session. That makes the access decision harder to predefine and easier to over-scope, especially when teams assume the agent will behave like a fixed script.
Q: What do security teams get wrong about shadow AI?
A: They often focus on the unauthorized application and miss the credential path that makes it dangerous. The real issue is where the agent got access, what secrets it can reproduce, and whether those secrets can leak into prompts, logs, or downstream automation.
Q: Who should own AI agent access reviews and offboarding?
A: The same function that owns other identity governance decisions should own agent lifecycle controls, with clear accountability from the business owner to security and IAM. If agents can be created quickly but never formally retired, access reviews will miss the identities that drift furthest from their intended purpose.
Technical breakdown
Why agentic AI becomes an identity problem
Agentic AI is not just another application layer because it can act inside a workflow with delegated credentials. Once an agent can decide when to request access, what tool to use, and how to continue a task, the identity boundary moves from login to runtime behaviour. That makes the access decision harder to predefine, especially when the same agent may touch secrets, prompts, APIs, and administrative systems in one session. The failure mode is not simply excess permission. It is that the identity can be operationally useful while still being impossible to govern with static assumptions.
Practical implication: map AI agents to a distinct identity class and review where runtime behaviour exceeds the original access grant.
Shadow AI and credential exposure paths
Shadow AI appears when agents are introduced outside approved IT workflows, often by employees trying to increase productivity. The risky part is not only the application being unofficial. It is the credential path the agent inherits, including plaintext secrets in prompts, environment files, chat history, or copied API keys. If the agent can read or reproduce those credentials, the organisation loses control over where the secret can surface next. In practice, the exposure problem combines discovery, authorisation, and storage, which is why governance teams need to look beyond the agent itself and inspect the credential ecosystem around it.
Practical implication: inventory where agent-connected secrets live and remove any workflow that depends on visible or reusable credentials.
Just-in-time access for approved agents
Just-in-time access helps only when it is paired with a strict approval model and a clear task boundary. For AI agents, that means access must be task-scoped, time-bound, and mediated so the agent cannot reuse the same credential across unrelated actions. A password manager or secrets vault can support that pattern, but the control objective is governance, not convenience. The important distinction is between letting an agent fetch a secret for a single approved task and letting it accumulate standing privilege that outlives the job it was meant to do.
Practical implication: treat agent access as ephemeral task execution, not a standing entitlement that can be reused across sessions.
Threat narrative
Attacker objective: The objective is to harvest credentials or misuse agent access to reach sensitive systems and data without triggering normal approval or review controls.
- Entry occurs when employees introduce unapproved AI agents into business workflows and connect them to corporate credentials or data sources.
- Escalation follows when the agent receives over-scoped access, allowing it to retrieve secrets, touch systems, or execute actions beyond the intended task.
- Impact occurs when unapproved actions, data leakage, or credential exposure disrupt operations, reveal business information, or create breach conditions.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Shadow AI is an identity governance failure, not just an adoption problem: once employees can attach agents to real credentials without approval, the organisation has lost visibility into who or what is acting. That breaks the basic governance assumption that access is discovered, approved, and reviewed before it is operationalised. The practitioner implication is that agent governance must be folded into the same oversight model used for machine identities and privileged access.
Ephemeral access reduces exposure, but it does not remove trust debt: agentic workflows can still leak secrets into logs, prompts, or downstream tools even when the credential itself is short-lived. That means the control issue is not only rotation cadence, but also whether the identity ever needed to see reusable secrets at all. Teams should read this as a signal that secret visibility is becoming a first-class risk variable.
Runtime authorisation is the new control plane for AI agents: static entitlement models assume the operator and the task are known when access is provisioned. Agentic systems break that assumption because tool choice and execution order can vary during the session. The implication is that identity governance must move toward task-scoped authorisation, not just account-level permissioning.
Agent access needs lifecycle governance, not one-time enablement: if a business unit can create agent access faster than security can support it, then provisioning without offboarding becomes the hidden failure mode. Access reviews that ignore AI agents will miss the identities most likely to drift beyond their original purpose. Practitioners need to treat agent identity lifecycle as a standing governance domain, not an experiment.
Named concept, shadow AI credential drift: this is the pattern where an unapproved agent gains access through a legitimate credential, then spreads that access through prompts, logs, or downstream automation. The organisation thinks it authorised a task, but it actually authorised a movable trust surface. Teams should measure drift between intended task scope and actual runtime access.
From our research:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- For a broader control framework, see OWASP Agentic AI Top 10 for the runtime risks that make agent governance a separate discipline.
What this signals
Shadow AI credential drift: the next governance failure will not be a single malicious agent, but a normal business user quietly attaching an agent to real credentials and letting it operate outside approved boundaries. That is why identity teams need to track agent access paths with the same discipline they apply to privileged human access and machine accounts.
With 96% of technology professionals already identifying AI agents as a growing security threat, the reader should expect pressure to build for formal ownership, approval, and audit models rather than ad hoc adoption. The practical question is no longer whether agents will enter the estate, but whether the identity programme can see and contain them.
NHI governance now has a direct agentic AI dependency. If security cannot answer which agent touched which secret, then incident response, compliance evidence, and access certification all weaken at the same time, which is why this topic belongs in the core identity roadmap rather than the AI sandbox.
For practitioners
- Classify AI agents as governed identities Assign ownership, approval, and review paths to agents that touch production data, secrets, or admin workflows. Do not leave them inside generic automation inventories, because that hides the identity risk behind tooling labels.
- Remove reusable secrets from agent-visible workflows Replace plaintext credentials, copied API keys, and long-lived tokens wherever agents can read them directly. If an agent must access a secret, inject it only for the approved task and keep it out of prompts, logs, and persistent memory.
- Gate agent access with task-scoped approvals Require explicit human-in-the-loop approval for high-risk agent actions, especially when the workflow reaches administrative systems or sensitive data stores. Scope the permission to the specific task so the agent cannot reuse it elsewhere.
- Audit shadow AI by application and credential path Map which applications agents are using, which identities they inherit, and where their credentials originate. Prioritise the flows that combine unapproved usage with privileged access, because those paths create the largest hidden exposure.
Key takeaways
- Agentic AI becomes an identity problem the moment it can inherit real credentials and act without explicit approval.
- The strongest evidence is operational, not theoretical: many organisations can already see agents acting beyond intended scope or outside audit visibility.
- Practitioners should govern AI agents as distinct identities with scoped access, lifecycle ownership, and strict secret visibility limits.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent runtime access and tool use are central to this article. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Secrets exposure and over-scoped access are core NHI failure modes here. |
| NIST CSF 2.0 | PR.AC-4 | The post focuses on access control and identity governance across agent workflows. |
Treat agent access as privileged access and align approvals, reviews, and monitoring to the access path.
Key terms
- Shadow AI: Shadow AI is the use of AI tools or agents inside an organisation without approved governance, visibility, or oversight. In identity terms, it becomes risky when those agents inherit real credentials or data access that security teams cannot track, review, or revoke.
- Agentic AI identity: Agentic AI identity is the governed identity assigned to an AI system that can choose actions, call tools, and execute tasks at runtime. Unlike a simple automation account, it must be managed as a distinct actor with scoped permissions, auditability, and lifecycle ownership.
- Task-scoped access: Task-scoped access is permission granted only for a specific job, session, or workflow step. For AI agents, the access should exist only long enough to complete the approved task, then disappear, so the agent cannot reuse the same entitlement elsewhere or expose reusable secrets.
- Credential drift: Credential drift is the gap between the access a workflow was meant to use and the access it actually accumulates over time. In agentic environments, drift often appears when a tool, prompt, or integration expands a secret's reach beyond the original approval boundary.
What's in the full article
Bitwarden's full analysis covers the operational detail this post intentionally leaves for the source:
- The specific Bitwarden workflows for Secrets Manager, Access Intelligence, Agent Access SDK, and MCP server deployment.
- Operational guidance for using just-in-time access and human-in-the-loop approvals with approved agents.
- The product-level distinctions between end-to-end encryption, zero-knowledge handling, and self-hosted AI assistant integration.
- Practical examples of how Bitwarden positions agent access across development, admin, and password management use cases.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org