By NHI Mgmt Group Editorial TeamPublished 2026-05-31Domain: Agentic AI & NHIsSource: Token Security

TL;DR: Agentic AI systems can plan and act independently, which makes traditional transactional IAM models too rigid for safe governance, according to Token Security’s discussion with Webflow CISO Ty Sbano and CEO Itamar Apelblat. Access control must shift toward intent-aware permissions, tighter observability, and clearer lifecycle ownership because agent behaviour can drift, overshoot, or bypass expected scope.


At a glance

What this is: This is a practitioner analysis of agentic AI permissioning, with the central finding that unpredictable agents break traditional access models built for humans and deterministic services.

Why it matters: It matters because IAM, IGA, and PAM programmes need controls that can govern autonomous decisions, not just static entitlements, across AI agents, machine identities, and human oversight.

By the numbers:

👉 Read Token Security's analysis of agentic AI permissioning and guardrails


Context

Agentic AI is software that can decide what to do next, choose tools, and execute tasks without waiting for a person to direct each step. That changes the identity problem from simple access assignment to runtime permissioning, because the actor can move across systems, data, and workflows in one continuous session.

Traditional IAM models were built for humans and deterministic services that request access in predictable ways. When an agent can chain actions, change course, and operate outside the original intent, governance has to account for autonomy, accountability, and scope drift rather than only login and entitlements.

NHIMG has long argued that identity programmes need a clearer view of non-human access as a first-class governance problem. The article's core point is typical of the current market: organisations are treating agentic AI like another automation layer when it behaves more like a decision-making identity class.


Key questions

Q: How should security teams implement policy-based permissions for AI agents?

A: Start by defining the agent's task boundary, then map the data sources, tools, and actions that are explicitly allowed inside that boundary. Use context-aware policy to narrow access by purpose, environment, and sensitivity, and require ownership plus logging so every action can be tied back to an approved decision.

Q: Why do agentic AI systems complicate traditional IAM controls?

A: They complicate IAM because the actor can choose actions at runtime rather than following a fixed, human-approved path. That breaks assumptions behind static roles, scheduled review cycles, and transaction-based approval models, especially when the same agent can move across multiple systems in one session.

Q: How do organisations know whether AI agent access is actually controlled?

A: They need to prove three things: the agent has a named owner, every action is logged with enough context to explain why it happened, and the permitted scope is narrow enough that unsafe tool chains cannot form silently. If any of those are missing, the control is not real.

Q: Who is accountable when an AI agent exceeds its intended scope?

A: Accountability should sit with the business owner of the agent, the technical team that enabled its access, and the governance function that approved its lifecycle. If ownership is ambiguous, the programme has already failed, because an autonomous actor without clear accountability cannot be governed after the fact.


Technical breakdown

Intent-based permissions for agentic AI

Agentic AI needs permissions that reflect purpose, context, and allowed outcomes rather than static role membership. RBAC is too rigid when the same agent may need different tools across different tasks, while ABAC and PBAC can express richer conditions around data sensitivity, environment, and session context. The challenge is not only granting access, but defining how far an agent may proceed once a task begins. That is why intent-aware authorisation becomes central: it constrains the decision space before the agent can fan out into unsafe tool chains.

Practical implication: define agent permissions by task scope and policy context, not by broad standing roles.

Observability, auditing, and agent accountability

Agent behaviour becomes governable only when actions are traceable to a policy decision and an owner. Logging alone is not enough if it records events without tying them to the agent's purpose, data access, and execution path. Real-time tracing helps identify unsafe chains, while audit records support post-incident review and compliance evidence. The governance gap appears when the organisation can see that an agent acted, but cannot explain why it had that path available or who is accountable for it.

Practical implication: require traceable ownership and policy-linked logs for every agent action.

Lifecycle management for agent identities

Agent identities create a lifecycle problem because they can be created quickly, forgotten easily, and left with active access long after the original use case has changed. That is a classic identity governance failure, but agentic AI makes it worse because agents may keep acting even when no human is watching them directly. Lifecycle control therefore has to cover creation, ownership, review, and retirement. The key issue is not only whether access exists, but whether anyone can prove the identity is still needed and still bounded.

Practical implication: put AI agents into the same governance workflow used for joiner, mover, and leaver decisions.


NHI Mgmt Group analysis

Agentic AI is not a variant of automation, it is a new identity governance problem. The article's core distinction is that these systems can plan, choose tools, and act without a person approving each step. That means access decisions are no longer just about who can log in, but about what an actor can decide to do next. Practitioners should treat agentic behaviour as a governance class of its own, not as a workflow shortcut.

Intent-based permissioning is the right framing because transactional IAM assumptions no longer hold. Traditional IAM was built on the idea that access is granted to a known requester for a known purpose. Agentic systems break that model by combining reasoning, tool selection, and execution at runtime. The implication is that access governance now has to describe allowed outcomes and context, not only static entitlements.

Runtime visibility becomes a control requirement, not an operational nice-to-have. The article correctly ties observability to accountability because agent actions can cascade faster than human review cycles. If logs do not show which agent accessed which data and under which policy, incident response and compliance both lose the chain of evidence. Practitioners should assume that traceability is part of the permission model itself.

Lifecycle ownership of AI agents is the hidden failure point in most early programmes. Agents that are created, tested, and then forgotten keep their access unless someone deliberately retires them. That is a familiar NHI pattern, but the scale and speed of agent creation make it more volatile. The practical conclusion is that identity lifecycle must extend to agents before usage spreads beyond governance capacity.

Assumption collapse: transactional access review was designed for actors whose privileges persist long enough to be observed and certified. That assumption fails when the actor is autonomous because it can chain actions, change course, and complete work inside a single decision loop. The implication is that the programme has to rethink review timing, not just add another review step.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • For a broader governance baseline, Ultimate Guide to NHIs explains how visibility, rotation, and offboarding controls apply across service accounts, tokens, and workload identities.

What this signals

AI agent governance is moving from experimental oversight to programme-level control design. With 92% agreeing that governing AI agents is critical to enterprise security but only 44% having any policy in place, the gap is not awareness but operationalisation.

Identity blast radius: the fastest-growing risk is not a single bad action, but how far an agent can move before anyone notices. That is why IAM, IGA, and PAM teams need to treat agent permissions, traceability, and retirement as one lifecycle problem rather than separate controls.

The practical next step is to align agent governance with external control language such as the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework, then map those expectations into entitlement review, audit evidence, and incident response playbooks.


For practitioners

  • Classify AI agents as a distinct identity population Place agent identities into IAM and IGA inventories with explicit ownership, business purpose, and data access boundaries so they are not hidden inside generic automation records.
  • Define policy boundaries for agent tool use Restrict which systems, datasets, and actions each agent can reach, and express those limits in context-aware policy rather than broad standing access.
  • Tie every agent action to an accountable owner Require named business and technical owners for each agent, with escalation paths for unusual behaviour, policy exceptions, and retirement decisions.
  • Build review and retirement into the agent lifecycle Review whether each agent is still needed, still correctly scoped, and still monitored, then revoke access when the use case ends or changes.

Key takeaways

  • Agentic AI changes identity security because the subject can decide and act at runtime, not just request access through a fixed workflow.
  • The governance gap is already visible, with most organisations reporting scope-overrun behaviour but far fewer able to audit what agents touched.
  • Practitioners should move agent identities into explicit lifecycle, policy, and accountability controls before autonomy spreads beyond review capacity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article focuses on agent autonomy, tool use, and permission boundaries.
NIST AI RMFAI governance and accountability are central to the article's control model.
NIST Zero Trust (SP 800-207)PR.AC-4The article argues for context-aware access limits and continuous verification.

Use AI RMF GOVERN and MAP functions to assign ownership and define acceptable agent behaviour.


Key terms

  • Agentic AI: AI that can decide, plan, and act independently rather than only generating content or following a fixed workflow. In identity terms, it behaves like a runtime actor with tool access, making governance depend on scope, accountability, and observability as much as on initial authentication.
  • Intent-based permissioning: A permission model that grants access according to the task an actor is meant to complete, not just a static role or long-lived entitlement. For agentic systems, this means authorisation must describe allowed outcomes, context, and boundaries well enough to constrain runtime decisions.
  • Identity lifecycle: The governance process that covers creation, review, change, and retirement of identities across humans, service accounts, and AI agents. For autonomous or non-human actors, lifecycle management is the control that prevents forgotten identities from retaining access after the original use case has ended.

What's in the full article

Token Security's full post covers the operational detail this post intentionally leaves for the source:

  • Speaker commentary from Token Security CEO Itamar Apelblat and Webflow CISO Ty Sbano on how they frame agentic AI permissions
  • Examples of how RBAC, ABAC, and PBAC differ when applied to unpredictable AI agent behaviour
  • Discussion of observability, auditing, and accountability patterns for agents that act across multiple systems
  • The article's FAQ section on prompt injection, API misuse, recursive loops, output poisoning, and multi-agent collusion

👉 Token Security's full post covers the discussion points on autonomy, permission models, and agent lifecycle control.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org