By NHI Mgmt Group Editorial Team
Published 2026-04-01
Domain: Agentic AI & NHIs
Source: Strata Identity

TL;DR: Enterprises are deploying AI agents faster than they are building governance for them, with Gartner projecting 40% of enterprise applications will embed task-specific agents by end of 2026, up from less than 5% in 2025. The structural problem is that static IAM, quarterly reviews, and human-era delegation models cannot control runtime agent behaviour.


At a glance

What this is: This is Strata Identity's analysis of why agentic AI is creating identity and governance gaps that traditional IAM cannot cover, especially around runtime access, MCP, and delegation chains.

Why it matters: It matters because IAM, IGA, PAM, and zero-trust teams now have to govern identities that act at machine speed, making static reviews and human-centred controls insufficient across NHI, autonomous, and human programmes.



Context

Agentic AI introduces an identity governance problem because agents do not just consume access, they initiate actions, chain tools, and make runtime decisions that can change from one execution to the next. The article argues that the gap is not simply more access, but a mismatch between machine-speed behaviour and IAM controls designed for static users and predictable service accounts.

In practice, this is a cross-programme issue for NHI, autonomous, and human identity teams. Human authorisation may start the workflow, but the security boundary shifts to the agent identity, its delegated authority, and the controls governing tools such as MCP.

The article's subject is agentic AI governance, and its central claim is that governance must move into the identity layer rather than sit outside it as a periodic review process.


Key questions

Q: How should security teams govern AI agents that access internal APIs and tools?

A: They should govern AI agents through runtime identity controls, not just static roles or quarterly reviews. Each agent needs a distinct identity, task-scoped access, and policy checks at the point of action so permissions are evaluated against the current request, the initiating user, and the full delegation chain.

Q: Why do AI agents complicate zero trust and IAM models?

A: AI agents complicate zero trust because they make decisions and invoke tools at machine speed, often across multiple systems in one session. Human-era IAM assumes access is stable long enough to be reviewed, but agent behaviour changes within the workflow, which forces continuous verification at runtime.

Q: What breaks when AI agents use shared service accounts or hardcoded credentials?

A: Shared service accounts and hardcoded credentials destroy provenance and expand blast radius. Security teams lose the ability to tell which agent performed an action, whether the action matched the original task, and whether the access path was still valid when the tool was invoked.

Q: How do organisations keep delegation chains accountable in multi-agent workflows?

A: They need every hop to preserve traceability back to the original human request and approved scope. That means using delegated authorisation, proof-of-possession controls, and auditable policy decisions so downstream actions cannot silently acquire broader authority than the request justified.


Technical breakdown

Runtime identity controls for AI agents

Agentic systems need runtime identity because a task-scoped decision is only trustworthy at the moment it is made. In this model, the identity layer becomes the enforcement point for authentication, authorisation, token issuance, and auditability. The article distinguishes this from traditional IAM by showing that static roles cannot describe an agent that may plan, invoke a tool, and delegate again within a single workflow. Ephemeral identities, just-in-time token minting, and policy checks at the point of action are the architectural shift, not an add-on.

Practical implication: security teams should treat agent identity as a live control plane, not as an extension of human SSO or service-account governance.

MCP governance and tool access boundaries

The Model Context Protocol gives agents a standard way to reach tools and data sources, which makes it both useful and sensitive. If MCP requests are not validated at an enforcement point, teams lose the ability to separate sanctioned tool use from bypass paths, shortcuts, and direct backend access. The article frames MCP as a first-class access channel, meaning it needs identity binding, authorisation checks, and logs just like an API gateway or privileged access layer. Without that, governance becomes advisory rather than compulsory.

Practical implication: organisations should place policy enforcement in front of MCP-enabled tooling instead of relying on downstream application controls.

Broken delegation chains in multi-agent workflows

A delegation chain is the trace of authority from the human requester through one agent to another and finally to the target system. The risk arises when downstream agents receive fresh credentials or broader access that no longer maps cleanly to the original human intent. That breaks accountability, because the organisation can no longer prove who authorised which action or under what scope. The article's emphasis on OAuth On-Behalf-Of and proof-of-possession reflects this issue: the technical challenge is preserving traceability across hops, not simply authenticating each hop separately.

Practical implication: teams should verify that every delegated action remains traceable back to the originating user and task scope.


Threat narrative

Attacker objective: The objective is to obtain agent-driven access that exceeds intended scope while preserving enough legitimacy to evade normal IAM and audit controls.

  1. Entry occurs when an enterprise deploys an agent with customer-data access, internal API reach, or MCP connectivity before governance is fully established. Legitimate onboarding becomes the entry point because the agent is trusted to act from the start.
  2. Escalation happens when the agent accumulates excess scopes, reuses service-account credentials, or reaches systems through alternative paths outside the sanctioned MCP flow. The result is scope drift that expands what the agent can do without a corresponding governance decision.
  3. Impact follows when chained actions, broken delegation, or unobserved tool use produce unauthorised data access, policy bypass, or untraceable execution across cloud environments.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agentic AI governance is an identity problem before it is an application problem. The article is right to place enforcement at the identity layer because every meaningful agent action starts with an access decision. That means security teams should stop treating agent governance as a wrapper around model usage and start treating it as a control problem that spans authentication, authorisation, and delegation. The practitioner takeaway is clear: if identity does not gate the action, governance is not actually present.

Runtime control is the only meaningful boundary for agents that make thousands of access decisions per minute. Quarterly reviews and static role design were built for slower, persistent identities. Agentic systems compress the decision cycle so aggressively that access can be over-scoped, used, and forgotten before a reviewer ever sees it. The implication is not simply that teams need more monitoring, but that governance cadences built for humans no longer match the operational tempo of agents.

Broken delegation chains are the category's accountability failure mode. When a human request is converted into a chain of agent actions, the original authorisation can be lost if each hop mints fresh privilege or obscures provenance. That is a governance failure because the organisation can no longer attribute downstream behaviour to a clearly bounded human intent. Practitioners should read this as a warning that delegated authority must remain reconstructable across the entire chain.

Agentic AI exposes privilege drift as a named concept worth tracking separately from ordinary over-provisioning. In agent systems, privilege drift is not gradual role creep. It is rapid scope expansion caused by workflow convenience, reused credentials, and uncapped tool access. That matters because the exposure is created at runtime, which means the control problem sits with policy enforcement at the moment of action, not with periodic clean-up after the fact.

The market is converging on identity orchestration as the governance layer for agentic systems. The article shows why teams are moving away from framework-specific fixes and toward controls that can span LangChain, CrewAI, OpenAI, and cloud-native environments. That signals a broader shift in the category: agent security will be judged by whether it can unify identity, policy, and observability across heterogeneous execution paths. Practitioners should expect platform consolidation around this control plane.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • To explore the governance side of this pattern, read OWASP Agentic Applications Top 10 for a framework view of runtime agent risk.

What this signals

Privilege drift is becoming the default failure mode for agentic deployments. As teams scale agents across cloud and SaaS systems, the governance problem is no longer whether access exists but whether access can still be explained at runtime. With 96% of technology professionals identifying AI agents as a growing security threat, the operating assumption should be that every new agent expands review burden unless identity controls move into the workflow.

Agentic governance will increasingly be judged by observability, not intent. If teams cannot trace tool use, delegated authority, and policy decisions in a form that supports audit and incident response, the programme will fail at the first serious review. That makes identity telemetry, decision logging, and policy evidence central to NHI and AI governance rather than optional extras.

Identity orchestration is becoming the practical bridge between NHI and agentic AI controls. Organisations already struggling to govern service accounts and secrets will find that the same patterns reappear in agent identities, only faster and more dynamic. The prudent move is to align agent controls with existing NHI foundations, then extend them to runtime policy and delegation visibility.


For practitioners

  • Inventory every agent identity and delegated path: Map each agent to the human user, service account, API token, and downstream tools it can reach. Include MCP endpoints, direct backend connections, and any shadow deployments that sit outside security governance.
  • Move authorisation to the moment of action: Require policy evaluation at runtime for each tool invocation, rather than relying on provisioning-time role assignment. Tie access to task scope, initiating user, and the current delegation chain before allowing the action to proceed.
  • Replace shared credentials with task-scoped agent identities: Issue ephemeral identities for agents and revoke them when the task ends. Eliminate hardcoded API keys and reused service accounts because they hide provenance and widen blast radius across cloud environments.
  • Enforce MCP as a controlled access channel: Place an enforcement point in front of every MCP request so the agent identity, policy, and audit record are validated before any backend call. Treat direct access routes as governance exceptions that require explicit approval.
  • Test delegation chains under failure conditions: Simulate agent-to-agent handoffs where downstream actions are denied, rerouted, or re-issued with broader credentials. Confirm the organisation can still reconstruct who authorised the workflow and what authority was actually used.
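As an added illustration of the enforcement-point and delegation-chain checks described in the technical breakdown and in this checklist (example code written for this page, not Strata Identity's or the article's), the hypothetical `Hop` structure and `evaluate_mcp_request` policy below deny a downstream hop re-issued with broader scope than its parent, a hop whose actor does not match the previous subject, an expired ephemeral credential, a tool call outside the leaf's task scope, and a credential presented without its proof-of-possession key. The chain, scopes and key thumbprints are constructed sample data.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    """One link in a delegation chain (hypothetical structure, On-Behalf-Of style)."""
    subject: str          # identity acting at this hop, e.g. "user:alice", "agent:planner"
    actor: str            # identity this hop acts on behalf of (the previous hop's subject)
    scopes: frozenset     # task-scoped permissions minted for this hop
    expires_at: float     # ephemeral credential expiry, epoch seconds
    key_thumbprint: str   # proof-of-possession key the credential is bound to

def evaluate_mcp_request(chain, tool, presented_key, now=None):
    """Policy decision at the MCP enforcement point. Returns (allowed, reason, audit record)."""
    now = time.time() if now is None else now
    audit = {"tool": tool, "chain": [h.subject for h in chain], "at": now}
    if not chain or not chain[0].subject.startswith("user:"):
        return False, "chain not anchored at a human requester", audit
    allowed = chain[0].scopes
    for i, hop in enumerate(chain):
        if hop.expires_at <= now:
            return False, f"hop {i} ({hop.subject}): credential expired", audit
        if i and hop.actor != chain[i - 1].subject:
            return False, f"hop {i} ({hop.subject}): provenance break", audit
        if not hop.scopes <= allowed:
            return False, f"hop {i} ({hop.subject}): privilege drift {sorted(hop.scopes - allowed)}", audit
        allowed = hop.scopes  # authority may only narrow as it is delegated downstream
    leaf = chain[-1]
    if presented_key != leaf.key_thumbprint:
        return False, "proof-of-possession check failed", audit
    if tool not in leaf.scopes:
        return False, f"tool {tool} outside task scope", audit
    audit["authorised_by"] = chain[0].subject  # every allowed action traces to the human
    return True, "allowed", audit

# Constructed sample chain: Alice -> planner agent -> exporter agent -> MCP tool "crm.export".
NOW = 1_775_000_000.0  # fixed clock so the example is deterministic
HUMAN = Hop("user:alice", "user:alice", frozenset({"crm.read", "crm.export", "mail.send"}), NOW + 900, "kid-a")
PLANNER = Hop("agent:planner", "user:alice", frozenset({"crm.read", "crm.export"}), NOW + 300, "kid-p")
EXPORTER = Hop("agent:exporter", "agent:planner", frozenset({"crm.export"}), NOW + 60, "kid-x")
# Failure case from the checklist: the downstream hop is re-issued with broader credentials.
DRIFTED = Hop("agent:exporter", "agent:planner", frozenset({"crm.export", "mail.send"}), NOW + 60, "kid-x")

def sanctioned_call():
    return evaluate_mcp_request([HUMAN, PLANNER, EXPORTER], "crm.export", "kid-x", NOW)
def drifted_call():
    return evaluate_mcp_request([HUMAN, PLANNER, DRIFTED], "mail.send", "kid-x", NOW)
def replayed_call():  # credential presented without the key it was bound to
    return evaluate_mcp_request([HUMAN, PLANNER, EXPORTER], "crm.export", "kid-stolen", NOW)
```

Each decision returns an audit record naming the tool, the full chain and the authorising human, which is the evidence the "reconstruct who authorised the workflow" step asks for.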

Key takeaways

  • Agentic AI creates a governance gap because access is decided and used at runtime, while most IAM programmes still operate on static roles and periodic review cycles.
  • The scale of the problem is already visible, with enterprise research showing that AI agents commonly exceed intended scope and often do so in ways that expose unauthorised systems, data, and credentials.
  • The control that changes outcomes is runtime identity enforcement, especially where MCP access, delegated authority, and task-scoped credentials determine what an agent can do.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Agentic AI Top 10 | NHI-01 | Agent identity and tool abuse are central to the article's runtime governance model.
NIST AI RMF | | The article stresses governance, accountability, and observability for autonomous behaviour.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification and least privilege are required for agent tool access.

Bind each agent action to runtime identity checks and restrict tool access to task-scoped policy.


Key terms

  • Agentic AI Governance: The set of identity, policy, and observability controls used to manage AI agents that can choose actions and invoke tools at runtime. In practice, it means governing what the agent may do at the moment it acts, not just what it was allowed to do at setup.
  • Delegation Chain: The path of authority from a human requester through one or more agents to the final system or data source. A delegation chain is only trustworthy when each hop preserves provenance, scope, and auditability so downstream actions remain tied to the original intent.
  • Privilege Drift: The gradual or rapid expansion of access beyond what a subject needs for the task at hand. For agents, privilege drift can happen inside a single workflow when convenient scopes, reused credentials, or chained actions accumulate more power than governance intended.
  • MCP Bypass: Any access path that lets an agent reach tools or data outside the sanctioned Model Context Protocol enforcement point. It matters because governance only works when every route to the backend is subject to the same identity and policy checks.

Deepen your knowledge

Agentic AI governance and runtime identity controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agents that act across APIs, tools, and delegation chains, it is worth exploring.

This post draws on content published by Strata Identity: agentic AI governance, runtime identity controls, and MCP enforcement. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org