By NHI Mgmt Group Editorial TeamPublished 2026-03-17Domain: Agentic AI & NHIsSource: Andromeda Security

TL;DR: Agentic AI is creating four recurring security problems for enterprises: shadow usage, data leakage, policy definition, and anomaly detection, according to Andromeda Security’s findings from more than 100 CISOs and IAM leaders. The governance gap is no longer theoretical because autonomous and delegated agents both stress privilege, lifecycle, and audit models built for human-paced access.


At a glance

What this is: This is an analysis of agentic AI identity security, showing that organisations are struggling to govern autonomous, on-behalf-of, and hybrid agents with existing IAM controls.

Why it matters: It matters because IAM, NHI, PAM, and lifecycle programmes now have to classify agent identity, constrain access at runtime, and preserve auditability across human and non-human delegation chains.

By the numbers:

👉 Read Andromeda Security's analysis of securing agentic AI identities and access


Context

Agentic AI is the point where software stops being just automated and starts acting with runtime judgement. That matters for identity because the control model changes when an agent can select actions, call tools, and pursue outcomes on its own rather than simply executing a fixed workflow.

The governance problem is not only access scope. It is also visibility into shadow AI, policy definition for what an agent may touch, lifecycle control for its secrets, and auditability when an action may have been taken by a human, a delegated agent, or a hybrid chain of both.


Key questions

Q: What breaks when security teams treat AI agents like normal user accounts?

A: Normal user-account controls assume a stable human operator, predictable activity, and a single identity behind each action. AI agents can explore boundaries, chain tools, and act faster than review cycles can catch up. The result is over-privilege, weak attribution, and access that survives long after the original task has ended.

Q: Why do AI agents complicate least privilege in enterprise environments?

A: AI agents complicate least privilege because their effective access changes with the task, the tool chain, and the delegation model. A static role cannot fully describe what an agent may do at runtime, especially when it can discover unused permissions or inherit over-broad human access. Least privilege must therefore be applied as a live control, not a one-time assignment.

Q: What do security teams get wrong about delegated AI access?

A: Teams often assume delegated access is safe because it mirrors the user’s permissions. In reality, the agent may use accidental privileges the user never intended to exercise, and long-lived tokens turn that access into persistent exposure. The mistake is treating delegation as a convenience layer instead of a lifecycle-managed identity.

Q: Who should own an AI agent’s access lifecycle?

A: The human or business owner of the agent should own its access lifecycle, including creation, review, rotation, and retirement. Without explicit ownership, agent secrets remain active after projects end and audit trails lose accountability. Lifecycle ownership is the only practical way to prevent forgotten agent access from becoming a standing backdoor.


Technical breakdown

Autonomous agents and NHI entitlement design

An autonomous agent needs its own application identities, usually service accounts or tokens, to act across systems. The security issue is not that the identity exists, but that the identity can overreach if it is granted broad standing privileges. In practice, autonomous agents explore available access more aggressively than humans do because they are built to complete goals, not to self-limit. That changes entitlement design from role assignment to task-bounded permissioning, with explicit controls around write actions, data access, and mission boundaries.

Practical implication: replace broad service roles with task-specific entitlements and require approval gates for high-risk actions.

On-behalf-of agents, OAuth tokens, and session persistence

On-behalf-of agents inherit the user’s permissions through delegated tokens, often via OAuth 2.0. The risk is that the agent can discover and use accidental privilege the human never actively exercised, especially when the user is already over-privileged. Long-lived tokens turn that delegated access into persistent exposure, because the agent connection continues after the immediate task is complete. This is a lifecycle problem as much as an access problem, because standing delegated access survives beyond the business need that created it.

Practical implication: scope delegated tokens tightly, shorten session lifetime, and revoke agent access when the task ends.

Hybrid agents and identity mashups

Hybrid agents combine their own NHI credentials with human-delegated tokens, which creates an identity mashup across systems and logs. That makes attribution difficult because one action may be the result of multiple identities and multiple trust contexts. Hybrid and sub-agent chaining also introduces recursive privilege propagation, where each downstream agent inherits part of the original authority. Traditional monitoring often misses this because it looks for a single actor and a single session, not a chain of delegated execution.

Practical implication: unify identity mapping across agent and human tokens, and cap delegation depth before sub-agents inherit more access.


Threat narrative

Attacker objective: The objective is to turn agent access into persistent, hard-to-audit access that can be abused for data exposure, unauthorised system activity, or lateral movement.

  1. Entry occurs when agents are introduced into business workflows through either autonomous service identities or delegated human credentials, often without complete discovery or ownership.
  2. Escalation happens when those agents retain broad entitlements, long-lived tokens, or downstream delegation that exceeds the original task boundary.
  3. Impact follows when the agent or sub-agent uses that access to move data, expose credentials, or trigger unauthorised actions at machine speed.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance assumptions built for human-paced access review collapse when the actor is autonomous. Access review was designed for privileges that persist long enough to be observed, certified, and revoked. That assumption fails when an agent can acquire, use, and discard access inside one execution cycle. The implication is that governance must stop treating review cadence as the primary control signal for autonomous behaviour.

Policy-based least privilege becomes a runtime problem, not a provisioning problem, once agentic AI enters production. The article’s split between autonomous, on-behalf-of, and hybrid agents shows that static roles are no longer enough to describe effective access. OWASP Agentic AI Top 10 and NHI governance both point to the same failure mode: broad permission sets become exploitable the moment an agent actively searches for usable paths. Practitioners need to think in terms of mission boundaries, not just assigned permissions.

Credential persistence is the real lifecycle failure mode in on-behalf-of agent deployments. The article correctly identifies long-lived tokens and manual revocation as the weak point, because the business fear is operational disruption, not technical impossibility. That is a familiar NHI problem in a new form: access survives because retirement is expensive. The practical implication is that lifecycle ownership must extend to agent-issued secrets and delegated tokens, not just human accounts.

Hybrid agents create an identity mashup that current audit models are not built to resolve. When one workflow spans NHI credentials, delegated human tokens, and sub-agent execution, accountability becomes fragmented across multiple trust boundaries. That is not simply a logging issue. It is a governance model issue because policy enforcement depends on knowing which identity actually exercised the action. Practitioners should treat chain-of-command visibility as a control objective, not a forensic nice-to-have.

Shadow AI is an identity discovery problem before it is a threat-detection problem. If organisations cannot enumerate where agents are created, who owns them, and what credentials they use, anomaly detection arrives too late. The post’s strongest contribution is that it links visibility, policy, and lifecycle into one operational model. Teams that separate those functions will continue to miss the same agent from discovery through retirement.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • That visibility gap is why practitioners should also review OWASP Agentic AI Top 10 alongside identity governance and lifecycle controls.

What this signals

Runtime governance is becoming the deciding variable for agentic AI programmes. If an agent can act independently, then the organisation must be able to prove what it touched, what it was allowed to touch, and who owns the access lifecycle. That shifts the programme from static provisioning toward continuous authorisation, auditability, and retirement discipline.

With 98% of companies planning to deploy even more AI agents in the next 12 months, the operational assumption should be growth, not containment. Security teams that do not build ownership, logging, and delegated token control now will inherit a larger blind spot later, especially where hybrid workflows blur the human and machine boundary.

Identity mashup is the named concept that programme owners need to watch. When one process blends autonomous credentials, user tokens, and sub-agent delegation, neither traditional IAM nor standard SaaS logging gives a clean answer on accountability. Practitioners should align policy, audit, and lifecycle controls around the chain of execution rather than the individual login event.


For practitioners

  • Inventory every agent identity and owner Map where autonomous, on-behalf-of, and hybrid agents are created, which systems they touch, and which human owner is accountable for each lifecycle. Include agent-issued tokens, service accounts, and delegated sessions in the same register.
  • Replace standing access with task-bounded entitlements Scope each agent to the smallest set of APIs, datasets, and actions needed for a specific mission. Remove broad write access by default and require contextual approval for bulk exports, credential access, or other high-impact operations.
  • Shorten delegated token lifetime and revoke aggressively Eliminate persistent on-behalf-of connections by using short-lived delegated tokens tied to active work. When an agent is retired, offboard it as if it were a production application, including revocation of cached secrets and OAuth grants.
  • Build audit trails that preserve identity chain-of-command Ensure logs distinguish human action, autonomous agent action, and sub-agent action so security teams can reconstruct who initiated what, through which identity, and under which delegation path.

Key takeaways

  • Agentic AI breaks the assumption that access is stable enough to review after the fact.
  • The evidence points to a growing blind spot, with most organisations still unable to audit AI agent data access end to end.
  • Teams need runtime entitlements, short-lived delegation, and chain-of-command logging before agent adoption scales further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10AA-03Agent goal hijack and tool misuse map directly to autonomous and hybrid agent risks.
OWASP Non-Human Identity Top 10NHI-03Long-lived secrets and over-broad service accounts are central to on-behalf-of and autonomous agents.
NIST CSF 2.0PR.AA-01Identity governance and auditability are central to agentic access control and traceability.

Inventory agent identities, rotate secrets aggressively, and remove standing privileges wherever possible.


Key terms

  • Agentic AI: Software that can decide and execute actions at runtime to reach a goal, rather than only following a fixed script. In identity terms, the key issue is that access may be exercised independently, which makes entitlement design, logging, and accountability materially harder than for ordinary automation.
  • On-Behalf-Of Agent: An AI agent that acts using a human user’s delegated permissions, usually through OAuth tokens or similar credentials. The user remains the nominal identity owner, but the agent can explore and use available access more aggressively than the person might, creating a lifecycle and audit challenge.
  • Identity Mashup: A mixed execution pattern where one workflow uses both autonomous machine credentials and human-delegated tokens. The problem is not just multiple identities, but the loss of clear attribution when actions travel across several trust contexts and logging systems at once.
  • Shadow AI: AI agents or AI-enabled workflows that exist outside formal inventory, ownership, or governance. In practice, shadow AI becomes an identity problem first because unknown agents usually mean unknown credentials, unknown access paths, and unknown lifecycle responsibility.

What's in the full article

Andromeda Security's full article covers the operational detail this post intentionally leaves for the source:

  • Practical examples of autonomous, on-behalf-of, and hybrid agent patterns across enterprise workflows.
  • Detailed guidance on policy controls for task-specific access, delegated scopes, and behavioural guardrails.
  • Implementation ideas for lifecycle management of agent secrets, OAuth tokens, and human owner assignment.
  • Examples of how chained identity auditing can separate human action from agent action in logs.

👉 The full Andromeda Security article expands on agent deployment models, policy controls, and lifecycle risks for AI agents.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org