By NHI Mgmt Group Editorial TeamPublished 2025-07-30Domain: Agentic AI & NHIsSource: CYATA

TL;DR: AI agents are already performing business tasks with elevated privileges, according to CYATA, and PwC’s May 2025 survey shows 79% of companies use agents while 66% report measurable productivity gains. The real gap is not model quality but identity, access, and accountability for actors that can call tools and make decisions independently.


At a glance

What this is: This is a Cyata opinion piece arguing that agentic AI changes identity governance because AI agents now act with privileges, tools, and decision-making power.

Why it matters: It matters because IAM, PAM, and IGA programmes built for human-paced review cycles and static non-human accounts do not fully cover autonomous actor behaviour.

By the numbers:

👉 Read CYATA's analysis of agentic AI identity governance and privilege


Context

Agentic AI is software that can decide what action to take, which tool to use, and when to act without waiting for a human approval step. That makes it an identity problem as much as an AI problem, because the security question shifts from output quality to who or what is allowed to initiate real actions inside enterprise systems.

Cyata’s core argument is that existing IAM models were built around humans and static non-human identities, then stretched to cover agents after the fact. That framing is incomplete if an agent can chain actions across SaaS and local systems, because the governance failure is not just visibility but the lack of a stable identity model for decision-making software.

The article is an opinionated vendor perspective, but the blind spot it describes is real: many programmes can describe service accounts, tokens, and bots, yet still cannot explain how to govern an AI actor that behaves more like a delegated operator than a workload. That is an increasingly common gap in mature identity environments.


Key questions

Q: How should security teams govern AI agents that can take real actions in enterprise systems?

A: Treat them as identity subjects with runtime authority, not as passive automation. Define ownership, approved tool scope, logging, and revocation paths before production use. The goal is to control what the agent can do, when it can do it, and who is accountable when it does it.

Q: Why do agentic AI systems complicate traditional IAM and PAM models?

A: Because IAM and PAM were designed around human-paced approvals and static entitlement review. Agentic systems can select tools, chain actions, and complete work faster than review cycles can observe, so the governance model must shift from periodic certification to runtime control and delegation tracking.

Q: What breaks when AI agents are managed like ordinary service accounts?

A: Accountability breaks first, then scope control. A service account model assumes stable purpose and predictable usage, but an agent can decide which tools to use mid-session and expand the action path in ways a normal lifecycle process will not capture.

Q: Who is accountable when an AI agent takes an unauthorised action?

A: The organisation remains accountable, but operational responsibility should be explicit before deployment. Practitioners need a named owner, documented delegation boundaries, and a review process that records the agent’s runtime decisions, otherwise incident investigation becomes a search for missing context.


Technical breakdown

Why agentic AI changes identity governance

Traditional identity governance assumes the actor’s intent is known at provisioning time and that access is reviewed after use. Agentic AI breaks that assumption because the actor can decide in runtime what to do next, which tool to invoke, and when to continue. That means privilege is no longer just a static entitlement set. It becomes a sequence of decisions, each with its own access consequence. For IAM teams, this shifts the core control question from who owns the account to how a runtime decision path is authorised and observed.

Practical implication: Treat agent sessions as governed execution paths, not just accounts with credentials.

AI agent privilege and delegated tool access

Agents typically operate by combining an identity credential with tool access such as APIs, SaaS actions, or internal orchestration hooks. The security risk is not the credential alone, but the ability to combine multiple permitted tools into an unplanned business action. This is why agentic control planes focus on discovery, policy, and auditability at the action layer. When an agent can move from prompt to tool invocation to data access in one chain, least privilege must be evaluated across the whole chain, not tool by tool in isolation.

Practical implication: Map every tool the agent can reach and test the full action chain against business-sensitive scenarios.

Why human IAM patterns do not translate cleanly to agents

Human IAM relies on assumptions such as stable ownership, reviewable access duration, and a human operator who can be questioned after the fact. Agentic AI weakens all three. The identity may be created dynamically, the access window may be short but repeated, and the accountable human may not have made the specific runtime decision that caused the action. That is why agent governance needs identity binding, intent logging, and clear delegation boundaries in addition to ordinary access control.

Practical implication: Extend governance from account lifecycle into delegation lifecycle and runtime accountability.


Threat narrative

Attacker objective: The attacker aims to hijack trusted AI-enabled workflows so the enterprise itself executes unauthorized actions on the attacker’s behalf.

  1. Entry begins when an attacker obtains or abuses a valid NHI credential, such as an exposed API key or token used by an agent or its tooling.
  2. Escalation follows when that credential is used to invoke higher-value tools, access connected data sources, or impersonate trusted enterprise automation.
  3. Impact occurs when the attacker uses the agentic trust chain to exfiltrate data, trigger business actions, or persist inside systems under legitimate-looking access.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agentic AI is not a model governance problem first, it is an identity governance problem first. The article is right to move the discussion away from outputs and hallucinations, because the security event is the action itself. Once an AI system can choose tools and timing independently, the access decision becomes a runtime identity event, not a static policy event. IAM and PAM teams should treat agent behaviour as governed execution, not as a dressed-up workflow.

The assumption that privilege can be fully defined at provisioning time fails when the actor can decide mid-session. That assumption was designed for humans and static service accounts, where the access path is knowable before the work starts. It fails when an agent can chain new tools, change scope, and continue execution without a new human request. The implication is not just tighter controls, but a re-evaluation of what least privilege means when intent is non-deterministic.

Agentic identity introduces a new control concept: identity blast radius. A single agent credential can now reach far beyond one workload if it can combine APIs, SaaS actions, and internal data access in one runtime path. This is why visibility into the credential alone is insufficient. Practitioners need to understand how far one delegated identity can propagate action, not just whether it authenticated successfully.

Lifecycle governance for agents must be treated as a first-class discipline, not an extension of human joiner-mover-leaver logic. The article’s blind spot example from the CISO conversation is familiar because many programmes still do not know how to name, own, review, and retire agent identities. That is a governance failure, not a tooling nuance. IAM leads should assume the agent estate will grow faster than their current review model can absorb.

The market is converging on agent identity control because the gap is now visible to practitioners, not just researchers. Cyata’s framing reflects a broader category shift toward runtime governance, auditability, and delegated-action controls. The important signal is not the vendor narrative but the direction of travel: identity teams are being pulled into AI governance whether they planned for it or not. Security leaders should prepare for agent identity to sit alongside NHI and human IAM as a permanent programme area.

From our research:

  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • The average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations say they are confident in their secrets management capabilities.
  • That gap between control intent and operational reality is why the Ultimate Guide to NHIs , 2025 Outlook and Predictions remains useful for teams mapping governance to real-world identity sprawl.

What this signals

Agentic identity is becoming a programme-level governance problem, not a niche AI concern. Once software can select tools and execute business actions independently, the identity team has to think in terms of delegated authority, not just authentication and provisioning. That means the next control gap will be whether the organisation can explain who authorised the actor to act, not just whether the actor had an account.

Runtime visibility will matter more than static entitlement lists. A credential inventory alone will not tell you whether an agent has reached an unsafe action combination. Teams should align agent governance to the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework where autonomy is present, because control design must follow behaviour, not branding.

Identity blast radius will become a practical metric for AI adoption decisions. The question is no longer whether agents are useful, but how far one agent can propagate action across systems before a human sees the result. That is the governance lens security leaders should use when deciding whether to expand, restrict, or redesign an AI programme.


For practitioners

  • Inventory every AI actor with enterprise access Discover copilots, autonomous coding assistants, orchestration agents, and any AI system that can call internal or SaaS tools. Bind each one to an owner, a use case, and a clear business purpose before it is allowed to operate at scale.
  • Model agent access as action chains, not isolated entitlements Review the full path from identity credential to tool invocation to downstream data access. Test whether one permitted action can be combined into an unexpected business transaction, because that is where agentic privilege becomes risky.
  • Add runtime accountability to delegated access Log the agent’s decision path, tool choices, and execution timing so post-incident review can reconstruct why an action occurred. Human ownership alone is not enough if the human never approved the specific runtime step.
  • Separate stable service accounts from autonomous actors Do not treat an agent as just another service account with a prettier interface. Use distinct governance, review, and offboarding logic for AI actors because their access may change during execution rather than only at renewal.

Key takeaways

  • Agentic AI changes the security problem from controlling outputs to controlling runtime identity behaviour.
  • AI agents can amplify the impact of a single credential by chaining tools, actions, and data access faster than human review cycles can respond.
  • Security teams need runtime governance, clear ownership, and delegation boundaries if they want AI adoption without losing accountability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article centers on autonomous AI actor risk, tool use, and runtime authority.
OWASP Non-Human Identity Top 10NHI-01Agent identities are treated as non-human identities with credentials and delegated access.
NIST AI RMFGOVERNThe article is fundamentally about AI governance and accountability for autonomous actors.
NIST Zero Trust (SP 800-207)Runtime verification and least privilege are central to governing agent actions.
NIST CSF 2.0PR.AC-4Agentic privilege management aligns with access control and least-privilege governance.

Inventory agent identities and govern their secrets, tokens, and access scope under NHI-01.


Key terms

  • Agentic AI: Software that can choose actions, tools, and timing with a degree of runtime independence. In identity terms, this means the system behaves like a governed actor, not just a model or workflow, so access, accountability, and scope must be managed as part of the identity plane.
  • Identity Blast Radius: The maximum scope of action an identity can trigger if it is misused or over-trusted. For agentic systems, this includes the combined effect of credentials, tool access, data access, and execution timing, which can make a single delegated identity disproportionately powerful.
  • Delegation Boundary: The point where authority moves from a human or system owner to a non-human actor. In agentic environments, this boundary must be explicit because the agent may act without a new approval step, making the line between permission and misuse harder to see.
  • Runtime Governance: Controls applied while an identity is actively doing work, rather than only at provisioning or review time. For agents, runtime governance covers tool use, decision logging, action scope, and the conditions under which the system can continue or must stop.

What's in the full article

CYATA's full article covers the operational detail this post intentionally leaves for the source:

  • The vendor's reasoning on why privilege, not model quality, is the central security boundary for agentic AI.
  • The specific control-plane features Cyata describes for discovering and governing agent identities across SaaS and local environments.
  • The company’s view on how JIT access and human oversight can be applied to autonomous agents in practice.
  • The PwC survey framing and broader market adoption context behind the article's urgency.

👉 CYATA's full article covers the agentic identity blind spot, AI adoption context, and the control-plane approach described by the vendor.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org