TL;DR: A private Black Hat USA dinner on August 4 will bring CISOs together to discuss how agentic AI is expanding the identity attack surface and what that means for security teams, according to AuthMind. The real issue is not AI adoption itself, but whether identity governance can cope with runtime decision-making and tool use.
At a glance
What this is: This is a private Black Hat USA dinner focused on agentic AI, identity risk, and candid discussion among security leaders.
Why it matters: It matters because agentic AI changes how identity, privilege, and accountability must be governed across autonomous systems, service identities, and human oversight.
By the numbers:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
👉 Read AuthMind’s private dinner details on agentic AI identity at Black Hat USA
Context
Agentic AI identity is becoming a governance problem because these systems can act, choose tools, and reach data paths that were not designed for human-paced review. This dinner is framed around that shift, with the Black Hat USA timing underscoring that the question is no longer whether AI enters enterprise workflows, but how its identity and access are bounded once it does.
A private, no-slides discussion format is appropriate for this topic because the most useful questions are operational: who owns the identity, what authority is delegated, and what evidence exists when an AI system acts outside its intended scope. For security leaders, the real challenge is aligning IAM, PAM, and lifecycle governance to a class of actor that behaves differently from both users and service accounts.
Key questions
Q: How should security teams govern AI agents that can choose tools at runtime?
A: Security teams should treat runtime tool choice as a governance boundary, not just an engineering detail. Give each agent a separate identity, restrict the connectors it can use, and require logged approval for sensitive actions. If the agent can change scope mid-session, static provisioning alone will not contain the risk.
Q: Why do AI agents complicate least privilege and access reviews?
A: AI agents complicate least privilege because their intent is not fixed at provisioning time. Access reviews also struggle because an agent may acquire, use, and release privilege within a short execution window, leaving little stable state to certify. Governance must shift toward runtime evidence and scoped delegation.
Q: What breaks when agent identities are managed like service accounts?
A: Treating agents like ordinary service accounts hides the fact that they can make decisions, chain tools, and expand their own workflow paths. That causes governance blind spots around authorization, audit, and escalation. The practical failure is assuming a static account model can describe a dynamic actor.
Q: Who should be accountable when an AI agent overreaches its intended scope?
A: Accountability should sit with the team that owns the agent, the connectors it uses, and the policy that allowed the delegation. Shared responsibility is not enough if no one can explain the decision boundary, the review process, or the revocation path when the agent acts outside scope.
Background and context
Agentic AI identity versus conventional service accounts
A conventional service account executes within a pre-defined purpose, but an agentic AI system can select actions and tools at runtime, which changes the identity problem. The governance issue is not just authentication, but whether an identity can be trusted to decide what to do next without a human approval gate. That pushes this category beyond traditional workload identity and into a new access model where intent, scope, and timing all move during execution.
Practical implication: treat agentic AI as a distinct identity class and do not rely on static permissions to contain runtime behaviour.
Why identity attack surface expands when tools are connected
Agentic systems become riskier as they gain access to connectors, APIs, and external data sources, because each integration expands the reachable blast radius. The Model Context Protocol is one example of how agents can connect to tools and data, but the security consequence is that every connected path becomes part of the identity boundary. If those connections inherit broad standing privilege, the system can move from helpful automation to uncontrolled access very quickly.
Practical implication: inventory every tool connection and review the privilege attached to each one, not just the core agent.
What governance means when the actor can make decisions at runtime
When an AI agent can decide what action to take and when to take it, governance shifts from provisioning-time control to runtime supervision. That changes how teams think about least privilege, because privilege is no longer only about what was granted, but about what the system can assemble on the fly. The result is a need for tighter approval boundaries, auditability, and scoped delegation that survive dynamic execution paths.
Practical implication: require explicit logging, scoped delegation, and reviewable action trails for every agent decision that touches identity or data.
NHI Mgmt Group analysis
Agentic AI creates an identity category that existing IAM models do not fully describe. The problem is not simply that AI is accessing more systems, but that it can decide which systems to touch at runtime. That breaks the assumption that access can be fully understood at provisioning time, which is how most entitlement governance still works. Security leaders should treat agent identity as a separate governance object, not a special kind of service account.
Runtime decision-making is the point where least privilege starts to fail conceptually. Least privilege was designed for actors whose purpose and access path are known in advance. That assumption fails when an agent can chain tools, infer next steps, and select a new target without a fresh human request. The implication is that policy now has to govern decision boundaries, not just permission sets.
Tool connectivity is becoming the new identity blast-radius multiplier. Every external API, data source, or orchestration layer connected to an agent widens the number of identities and secrets that can be touched in one workflow. The article’s dinner format points to a conversation the market needs more of: how much delegated access is too much when the actor can improvise. Practitioners should re-evaluate connector governance before they expand agent adoption.
Agent governance will converge with PAM and lifecycle controls, but not merge into them. Human access review, NHI offboarding, and privileged session controls all remain relevant, yet none of them alone captures autonomous runtime behaviour. That means the discipline is moving toward a combined model of identity, privilege, and action governance. Teams that separate these functions too rigidly will miss the operational overlap.
Agentic AI is moving from experimental risk to board-level identity governance. The discussion being organised around Black Hat USA reflects where practitioner attention is going: away from model novelty and toward who can authorize, audit, and constrain agent behaviour. The next stage of maturity is not more AI usage, but clearer ownership of the identities that AI systems operate through. Security teams should prepare for governance questions that cut across IAM, PAM, and AI oversight.
From our research:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- For a broader governance lens, see OWASP Agentic AI Top 10 for the control categories most likely to matter as agent deployments expand.
What this signals
Identity programmes should expect agent governance to become a distinct workstream. The operational signal is not just more AI use, but more delegated access paths that need ownership, logging, and revocation. The control model will increasingly look closer to privileged access governance than to simple application onboarding, especially where agents can act without a human in the loop.
Agent sprawl will expose the same visibility problem that has long affected NHIs. Once agents begin to proliferate, the first failure is usually not policy creation, but incomplete inventory and poor auditability. The practical implication is that teams need a lifecycle view of agents, connectors, and secrets together, because isolated controls will miss the full chain of exposure.
Runtime governance is becoming the differentiator for mature programmes. If an agent can access sensitive data, the decisive question is whether the organisation can explain and constrain that access in real time. That is where the discipline starts to overlap with Zero Trust Architecture and with the broader shift from static entitlement review to continuous verification.
For practitioners
- Map agent identities separately from human and workload identities Create a distinct inventory for AI agents, their tool connections, and the privileges they inherit. Do not fold them into generic service account reporting, because that hides the behaviours that matter for governance and audit.
- Review every connector for delegated blast radius Document which data sources, APIs, and admin endpoints each agent can reach. Then reduce the privileges attached to each connector so that one compromised or misbehaving agent cannot inherit broad access across the environment.
- Add runtime approval boundaries for sensitive agent actions Require step-up controls when an agent attempts actions that change permissions, expose sensitive data, or trigger downstream automation. The goal is to prevent unchecked action chaining when the system starts making decisions beyond its original scope.
- Align logging with agent decision paths Capture the reason an agent selected a tool, the data it accessed, and the action it took. Without that chain, reviews will show what happened but not why the identity system allowed it to happen.
- Test offboarding for agent identities before scaling deployment Make sure you can revoke an agent’s access, disable its connectors, and remove its secrets cleanly when the use case ends. If that workflow is unclear, the programme is not ready for broader agent adoption.
Key takeaways
- Agentic AI changes identity governance because the actor can decide and act at runtime, not just execute a pre-approved workflow.
- The evidence is already clear that most organisations cannot fully track or govern agent data access, so this is a current control gap rather than a future concern.
- Security teams should separate agent identities, connectors, and approval boundaries before broader deployment turns governance into incident response.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The topic is agentic AI identity and runtime tool use. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | AI agents function as non-human identities requiring lifecycle governance. |
| NIST AI RMF | GOVERN | AI governance and accountability are central to the topic. |
| NIST Zero Trust (SP 800-207) | Section 3.1 | Runtime verification and scoped access align with zero trust principles. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management are directly affected by agent behaviour. |
Enforce continuous verification and limit agent access to only the resources required for each task.
Key terms
- Agent Identity: An agent identity is the account, credentials, and governance wrapper used to represent an AI system in access control. It must be managed as a distinct actor because the system can take actions, invoke tools, and reach data paths at runtime rather than following a fixed human script.
- Runtime Governance: Runtime governance is the set of controls that monitor and constrain decisions while a system is executing. For AI agents, that means supervising tool use, data access, and escalation as they happen, because provisioning-time review alone cannot capture dynamic behaviour.
- Delegated Access Boundary: A delegated access boundary defines the limit of what an identity may do on behalf of another actor or process. In agentic AI, this boundary matters because tool chaining and automatic follow-on actions can push beyond the original delegation if the boundary is too broad or poorly monitored.
- Identity Blast Radius: Identity blast radius is the maximum operational damage an identity can cause if it is misused, compromised, or behaves outside scope. For agentic AI, the blast radius grows with each connected tool, data source, and privileged action path, making connector governance critical.
What to expect at the briefing
AuthMind's full post covers the event details this analysis intentionally leaves for the source:
- Dinner format, venue, and timing for the Black Hat USA private discussion.
- The host and moderator details for the leadership conversation.
- The reservation flow and seating constraints for the private room experience.
- The stated focus of the evening on agentic AI, identity, and what comes next.
👉 AuthMind’s full event page covers the dinner format, host details, and reservation information.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org