By NHI Mgmt Group Editorial Team
Published 2026-05-04
Domain: Agentic AI & NHIs
Source: Imprivata

TL;DR: Healthcare is shifting from AI that summarizes and assists to AI agents that can act across EHRs, scheduling, and administrative systems, and HSCC says autonomous and semi-autonomous agents need additional threat modeling, identity management, and constrained access. The governance model has to treat these actors as managed identities because clinical workflows can become patient-safety issues when access and behaviour are not tightly bounded.


At a glance

What this is: Healthcare agentic AI is moving from passive assistance to systems that act across clinical and administrative workflows, and that shift requires treating agents as governed identities.

Why it matters: IAM, NHI, and human access programmes all need the same basic answer: who or what is acting, what it can touch, and how quickly its access can be constrained when behaviour changes.

By the numbers:

👉 Read Imprivata's analysis of agentic AI identity risk in healthcare


Context

Agentic AI in healthcare means software can reason through a task, call systems, and complete multi-step workflows with limited human intervention. The primary governance problem is that these actors can now touch EHRs, scheduling, ordering, and administrative systems in ways that look operationally useful but are risky if identity and privilege are not tightly controlled.

The article frames AI agents as digital workers, which is the right starting point for IAM and NHI teams. Once an agent can act inside clinical systems, it needs identity, ownership, scope, monitoring, and revocation mechanics just like any other privileged actor in the environment. That is why the governance challenge is broader than application security and narrower than generic AI risk discourse.

Healthcare organizations already understand the need to distinguish between authenticated users, privileged staff, contractors, and vendor access. The next step is extending that discipline to agents that can behave continuously and at machine speed, while still keeping clinical accountability human-owned.


Key questions

Q: What breaks when AI agents are given broad access to healthcare systems?

A: Broad access breaks the assumption that workflow actions remain reviewable and predictable. In healthcare, an agent can move from helpful automation to unsafe execution if it can read records, schedule care, or trigger changes without tight scope boundaries. That creates patient-safety, privacy, and audit problems at the same time. The control failure is excessive delegated access, not model intelligence.

Q: Why do AI agents complicate identity governance in hospitals?

A: AI agents complicate identity governance because they can act continuously, cross systems in one workflow, and touch clinical data without a human-paced approval loop. Traditional IAM assumes a person logs in, acts, and can be reviewed later. Agentic behaviour makes access, action, and timing part of the same identity problem, so ownership, scope, and revocation have to be explicit.

Q: How do security teams know if an AI agent is operating outside its approved role?

A: Teams should compare actual workflow behaviour against the approved use case. Signs of trouble include unexpected record access, unapproved action types, new system paths after an update, or repeated attempts to exceed the intended scope. In healthcare, behaviour review matters as much as entitlement review because unsafe actions often appear first as workflow drift.

Q: Who is accountable when an AI agent causes a clinical access problem?

A: Accountability remains with the organization and the humans who approved, owned, and monitored the agent. The agent is a governed actor, not a responsible party. Healthcare teams should make ownership visible, keep audit trails clear, and define escalation paths before the agent is put into production. That is the only way to preserve clinical accountability.


Technical breakdown

Unique identity and delegated access for AI agents

An AI agent that can access healthcare systems needs a unique managed identity, not a shared account or opaque vendor credential. Identity is the control plane because it ties the actor to an owner, an approved scope, and an audit trail. In healthcare, that scope may include read access to records, scheduling actions, or workflow triggers, but it should never be assumed from the model or the application alone. If the agent can initiate actions across systems, identity governance must be able to answer what it is, who owns it, and which paths it may take.

Practical implication: create a distinct identity record for every approved agent and bind it to explicit ownership, scope, and revocation.

Constrained EHR access and workflow boundaries

EHR access is not a generic application entitlement because the same workflow can become unsafe when an agent can execute changes instead of recommending them. HSCC’s framing is useful here: autonomous or semi-autonomous agents should operate under constrained access, with sensitive actions gated by human confirmation where patient impact is possible. Least privilege in this context is not just about reducing blast radius. It is about preventing a workflow from crossing from assistance into execution without a clear control point.

Practical implication: separate read, suggest, and execute permissions for clinical workflows and require approval for any action that changes patient state.
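To make the identity, scope and revocation mechanics described in the two subsections above concrete (and the rapid-revoke path the practitioner checklist later calls for), here is an added example that is not from the Imprivata article, from HSCC, or from any vendor product: a small Python registry that binds each agent to an accountable owner, caps it per system at read, suggest or execute, refuses an execute step until a human has approved that exact step, and re-checks revocation before every step of a task chain. The agent name, system names, step ids and tier values are assumptions chosen for illustration.

```python
"""Added illustrative example (not Imprivata's, HSCC's or any product's code):
an agent-identity registry with an accountable owner, per-system
read/suggest/execute tiers, a human-approval gate on execute steps, and a
revocation flag re-checked before every step of a task chain. All names assumed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Ordered tiers: EXECUTE implies SUGGEST implies READ."""
    READ = 1      # may view records
    SUGGEST = 2   # may draft or queue an action for a human to confirm
    EXECUTE = 3   # may change patient state; gated by per-step human approval


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                                    # accountable human or team
    scopes: dict[str, Tier]                       # system -> highest tier permitted
    revoked: bool = False
    approvals: set[str] = field(default_factory=set)  # step ids a human has confirmed


class Registry:
    """One record per approved agent; every decision is appended to an audit list."""

    def __init__(self) -> None:
        self._agents: dict[str, AgentIdentity] = {}
        self.audit: list[tuple[str, str, str, str]] = []

    def register(self, agent: AgentIdentity) -> None:
        if not agent.owner:
            raise ValueError("refusing to register an agent with no accountable owner")
        self._agents[agent.agent_id] = agent

    def approve(self, agent_id: str, step_id: str) -> None:
        """Record a human confirmation for one specific execute step."""
        self._agents[agent_id].approvals.add(step_id)

    def revoke(self, agent_id: str) -> None:
        """Rapid-revoke path: every later authorize() call sees the flag."""
        self._agents[agent_id].revoked = True

    def authorize(self, agent_id: str, system: str, tier: Tier,
                  step_id: str) -> tuple[bool, str]:
        """Decide one step; returns (allowed, reason) and records an audit entry."""
        agent = self._agents.get(agent_id)
        if agent is None:
            reason = "unknown identity"
        elif agent.revoked:
            reason = "identity revoked"
        elif system not in agent.scopes:
            reason = f"system {system} outside approved scope"
        elif tier > agent.scopes[system]:
            reason = f"tier {tier.name} exceeds {agent.scopes[system].name} on {system}"
        elif tier == Tier.EXECUTE and step_id not in agent.approvals:
            reason = "execute step requires human approval"
        else:
            reason = "ok"
        self.audit.append((agent_id, system, f"{tier.name}:{step_id}", reason))
        return reason == "ok", reason


def run_chain(registry, agent_id, steps):
    """Run a multi-step workflow, re-authorising before each step so a revocation
    or a missing approval stops the chain at the next step, not after it finishes."""
    completed = []
    for system, tier, step_id in steps:
        ok, reason = registry.authorize(agent_id, system, tier, step_id)
        if not ok:
            return completed, reason
        completed.append(step_id)
    return completed, "ok"


def demo():
    """Constructed scenario for a hypothetical scheduling agent (assumed names)."""
    reg = Registry()
    reg.register(AgentIdentity("sched-agent-01", "clinic-ops-team",
                               {"ehr": Tier.SUGGEST, "scheduling": Tier.EXECUTE}))
    chain = [("ehr", Tier.READ, "s1-read-chart"),
             ("scheduling", Tier.SUGGEST, "s2-draft-slot"),
             ("scheduling", Tier.EXECUTE, "s3-book-slot")]
    blocked = run_chain(reg, "sched-agent-01", chain)      # stops at the execute step
    reg.approve("sched-agent-01", "s3-book-slot")           # human confirms that step
    approved = run_chain(reg, "sched-agent-01", chain)     # now completes
    reg.approve("sched-agent-01", "s4-write-note")          # approval cannot widen scope:
    ehr_write = reg.authorize("sched-agent-01", "ehr",      # EHR is capped at SUGGEST
                              Tier.EXECUTE, "s4-write-note")
    reg.revoke("sched-agent-01")
    after_revoke = run_chain(reg, "sched-agent-01", chain)  # refused at the first check
    return {"blocked": blocked, "approved": approved, "ehr_write": ehr_write,
            "after_revoke": after_revoke, "audit_entries": len(reg.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that approval and scope are independent controls: a human can approve a step, but the approval never lifts the per-system cap, and because the chain re-authorises at every boundary, revoking the identity stops an in-flight workflow at its next step rather than after the task chain completes.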

Behavioural baselines, rogue detection, and auditability

Agentic AI changes the monitoring problem because the key question is no longer only whether the system was authenticated. The question is whether its behaviour matches the approved workflow over time. Behavioural baselines define the normal path through records, scheduling, and administrative systems, while rogue detection looks for deviations such as unexpected record access, unapproved actions, or altered behaviour after an update. In healthcare, those deviations matter because privacy, safety, and operational integrity are tied together.

Practical implication: log agent actions at the workflow level, baseline normal behaviour, and route deviations into incident triage before they spread.
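The baseline-and-deviation logic this subsection describes (and the baseline step in the practitioner checklist below) is easier to reason about as code. The following is an added example, not the Imprivata article's or HSCC's material: a per-agent baseline of approved workflow paths, run over a handful of constructed JSON audit lines, producing one triage finding per distinct case for the deviations named above, namely unexpected record access, unapproved action types, new paths after an update, and repeated attempts to exceed scope. The agent name, systems, versions, task ids and patient ids are all invented for the example.

```python
"""Added illustrative example (not Imprivata's or HSCC's code): a behavioural
baseline for one hypothetical agent and a drift detector run over constructed
JSON audit lines. Agent names, systems, versions, tasks and patient ids are invented."""
import json
from collections import Counter, defaultdict

# Constructed baseline: approved (system, action) paths and the agent version
# the baseline was recorded against.
BASELINE = {
    "sched-agent-01": {
        "allowed": {("ehr", "read"), ("scheduling", "suggest"), ("scheduling", "execute")},
        "version": "1.3",
    }
}

# Constructed workflow-level audit lines, one JSON object per line (not real telemetry).
SAMPLE_LOG = """
{"ts":"2026-05-04T09:00:00Z","agent":"sched-agent-01","version":"1.3","task":"T-7","patient":"P-1001","system":"ehr","action":"read","result":"ok"}
{"ts":"2026-05-04T09:00:01Z","agent":"sched-agent-01","version":"1.3","task":"T-7","patient":"P-1001","system":"scheduling","action":"suggest","result":"ok"}
{"ts":"2026-05-04T09:00:05Z","agent":"sched-agent-01","version":"1.3","task":"T-7","patient":"P-1001","system":"scheduling","action":"execute","result":"ok"}
{"ts":"2026-05-04T09:10:00Z","agent":"sched-agent-01","version":"1.3","task":"T-8","patient":"P-2002","system":"ehr","action":"read","result":"ok"}
{"ts":"2026-05-04T09:10:01Z","agent":"sched-agent-01","version":"1.3","task":"T-8","patient":"P-3003","system":"ehr","action":"read","result":"ok"}
{"ts":"2026-05-04T09:10:02Z","agent":"sched-agent-01","version":"1.3","task":"T-8","patient":"P-2002","system":"orders","action":"execute","result":"denied"}
{"ts":"2026-05-04T09:10:03Z","agent":"sched-agent-01","version":"1.3","task":"T-8","patient":"P-2002","system":"orders","action":"execute","result":"denied"}
{"ts":"2026-05-04T09:10:04Z","agent":"sched-agent-01","version":"1.3","task":"T-8","patient":"P-2002","system":"orders","action":"execute","result":"denied"}
{"ts":"2026-05-04T11:00:00Z","agent":"sched-agent-01","version":"1.4","task":"T-9","patient":"P-4004","system":"ehr","action":"write","result":"ok"}
{"ts":"2026-05-04T11:05:00Z","agent":"note-agent-99","version":"0.1","task":"T-10","patient":"P-5005","system":"ehr","action":"read","result":"ok"}
"""

REPEAT_THRESHOLD = 3  # denied attempts on one path within one task before escalating


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(log_text: str, baseline: dict) -> list[dict]:
    """Compare each event with the agent's baseline and return triage findings.

    One finding per distinct (type, task, detail) so a noisy agent does not flood triage:
      unapproved_action      path not in the approved set
      context_drift          task touches a patient other than the one it started with
      repeated_scope_exceed  REPEAT_THRESHOLD denied attempts on one path in one task
      new_path_after_update  path never seen at the baseline version, used after an upgrade
      unknown_identity       event from an agent with no baseline record at all
    """
    events = parse_log(log_text)
    findings: list[dict] = []
    task_patient: dict[str, str] = {}   # task id -> patient the task started on
    denied: Counter = Counter()
    reported: set = set()

    # Paths the agent successfully used while running at its baseline version.
    seen_at_baseline: dict[str, set] = defaultdict(set)
    for e in events:
        b = baseline.get(e["agent"])
        if b and e["version"] == b["version"] and e["result"] == "ok":
            seen_at_baseline[e["agent"]].add((e["system"], e["action"]))

    def report(kind: str, e: dict, detail: str) -> None:
        key = (kind, e["task"], detail)
        if key not in reported:
            reported.add(key)
            findings.append({"type": kind, "agent": e["agent"], "task": e["task"],
                             "ts": e["ts"], "detail": detail})

    for e in events:
        b = baseline.get(e["agent"])
        if b is None:
            report("unknown_identity", e, e["agent"])
            continue
        path = (e["system"], e["action"])
        label = f"{e['system']}:{e['action']}"
        if path not in b["allowed"]:
            report("unapproved_action", e, label)
        bound = task_patient.setdefault(e["task"], e["patient"])
        if e["patient"] != bound:
            report("context_drift", e, f"expected {bound}, touched {e['patient']}")
        if e["result"] == "denied":
            denied[(e["task"], path)] += 1
            if denied[(e["task"], path)] == REPEAT_THRESHOLD:
                report("repeated_scope_exceed", e, label)
        if e["version"] != b["version"] and path not in seen_at_baseline[e["agent"]]:
            report("new_path_after_update", e, f"{label} at version {e['version']}")
    return findings


def summarize(findings: list[dict]) -> Counter:
    return Counter(f["type"] for f in findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, BASELINE):
        print(finding)
```

Two choices worth noting: each finding carries the task id and timestamp so triage can pull the surrounding workflow rather than a single access event, and the denied-attempt counter only fires at the threshold, so a single rejected call (which the access control already handled) does not become an incident, while a pattern of pushing against scope does.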


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agentic AI in healthcare should be governed as a managed insider category, not as ordinary application logic. HSCC is right to call for threat modeling, identity management, credential control, and constrained EHR access because the actor is no longer passive software. Once an AI system can move through multiple clinical systems and complete a workflow, it behaves like a workforce member with delegated authority. Practitioners should reframe governance from application-centric approval to identity-centric control.

Identity is the control plane for clinical agent governance, because patient risk follows access, not model sophistication. A scheduling agent with broad entitlements can disrupt care, and an ordering agent with excessive scope can create unsafe changes even when the underlying model performs as designed. That means the security question is not whether the AI is smart enough, but whether its access is bounded tightly enough to keep clinical consequences inside approved limits. Practitioners should align AI oversight with privileged access discipline.

Clinical identity governance now has to bridge human accountability and non-human execution. Humans remain responsible for the outcome, but the agent may act continuously at machine speed between review cycles. That creates a governance gap that human IAM alone cannot absorb and NHI controls alone cannot close without workflow context. Practitioners should treat agent oversight as a cross-domain identity problem spanning ownership, authorization, and revocation.

HSCC’s agentic AI guidance exposes a named failure mode: unconstrained EHR access. The assumption behind conventional access models is that the actor’s scope is stable, reviewable, and easy to explain after the fact. That assumption fails when an agent can traverse records, scheduling, and administrative systems in a single workflow with no human pause. The implication is that access governance must be redesigned around bounded execution, not around static entitlements.

Behavioral baseline drift is becoming the most practical way to detect unsafe agent behaviour in healthcare. The article’s emphasis on rogue detection and monitoring is directionally correct because agent risk often shows up as deviation from expected workflow, not as a signature-based threat. A system that starts reading records it should not, taking new paths after an update, or attempting unapproved actions is revealing a governance failure. Practitioners should make behaviour review part of routine identity operations.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • 52 NHI Breaches Analysis shows how standing access and delayed revocation turn governance gaps into repeatable breach patterns.

What this signals

Agentic healthcare governance will increasingly look like privileged access management plus workflow control. Hospitals that treat agents as ordinary applications will miss the operational reality that these systems can act continuously and at machine speed. The programme shift is toward explicit ownership, bounded execution, and reviewable behaviour rather than broad model approval.

Only 5.7% of organisations have full visibility into their service accounts, which is a warning sign for agent oversight as well. If teams cannot reliably inventory non-human access, they will struggle even more when the actor can change behaviour mid-session. That is why visibility, entitlement review, and revocation need to be built into the same operating model.

Constrained EHR access is the right conceptual anchor for this category, and it should sit alongside zero trust thinking. The issue is not whether the model is useful, but whether the identity behind it can be contained when its behaviour shifts. Healthcare security leaders should prepare for agent monitoring to become a standard part of identity operations, not a separate AI project.


For practitioners

  • Inventory every approved agent identity: Map each agent to an owner, a business purpose, the systems it can touch, and the exact workflow it is authorised to support. Remove any agent that only exists as a shared credential, embedded secret, or vague platform feature with no accountable owner.
  • Separate suggest from execute permissions: Design clinical workflows so agents can recommend, prepare, or queue actions without being able to finalise record changes, schedule changes, or order modifications unless a human approves the step.
  • Set behavioural baselines for clinical workflows: Define expected record access paths, action sequences, and system touchpoints for each agent, then review deviations as access events rather than only as application anomalies.
  • Add a rapid revoke path for agent credentials: Ensure security and operational teams can disable an agent before it completes a task chain if it starts accessing the wrong patient context, taking an unexpected workflow path, or behaving differently after an update.

Key takeaways

  • Agentic AI in healthcare is an identity governance problem because the actor can now take action inside clinical workflows, not just assist with them.
  • HSCC’s guidance correctly spotlights identity management, credential control, behavioral baselines, and constrained EHR access as the controls that matter most.
  • Hospitals should redesign AI oversight around unique identities, narrow workflow permissions, and rapid revocation before agent behaviour creates patient impact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agentic systems need scoped identities and bounded tool use.
OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential lifecycle and access control for non-human identities.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust supports continuous verification for machine actors. Note that PR.AC-4 is a NIST Cybersecurity Framework subcategory (access permissions and authorizations are managed, incorporating least privilege and separation of duties); SP 800-207 itself does not use control identifiers of this form.

Bind every healthcare agent to a unique identity and restrict its actions to approved workflows.


Key terms

  • Agentic AI: AI that can plan and carry out multi-step work with limited human intervention. In healthcare, the important distinction is not intelligence but delegated action. Once the system can access records, trigger workflows, or move between systems, it becomes an identity governance concern as much as an AI concern.
  • Constrained EHR Access: A permission model that limits an agent to specific read, suggest, or execute actions inside the electronic health record. It prevents automation from crossing into unsafe execution by separating what the system may see from what it may change, and by requiring human approval for higher-risk steps.
  • Behavioral Baseline: A normal pattern of access and action for a specific identity, used to spot deviation. For AI agents, the baseline should cover records accessed, systems touched, and the sequence of steps in an approved workflow so that unexpected behaviour can be triaged quickly.
  • Managed Identity: A unique, accountable identity assigned to a machine, service, or agent rather than shared across systems. It gives security teams a way to tie access to ownership, scope, and revocation, which is essential when non-human actors operate inside clinical environments.

Deepen your knowledge

Agentic AI identity governance in healthcare is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for clinical agents or other high-trust workflows, it is worth exploring.

This post draws on content published by Imprivata: agentic AI identity governance in healthcare. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org