By NHI Mgmt Group Editorial Team
Published 2026-01-15
Domain: Breaches & Incidents
Source: Astrix Security

TL;DR: AI systems will initiate 50% of service requests by 2030, while over 60% of enterprises are expected to secure the AI lifecycle through dedicated platforms, according to Gartner, and Gartner’s Emerging Tech report places Astrix Security in the Agentic AI Security category. The practical issue is not model intelligence but runtime identity, authorisation, and governance for agents that act across trust boundaries.


At a glance

What this is: Gartner’s AI TRiSM research says agentic AI security is becoming a core category because AI agents depend on non-human identities, runtime authorisation, and governance that many enterprises do not yet have.

Why it matters: IAM teams need to treat AI agents as governed identities, because the same gaps that affect service accounts, secrets, and privileged access now determine whether agentic AI can be deployed safely.

By the numbers:

👉 Read Astrix Security's analysis of Gartner's agentic AI security findings


Context

Agentic AI security sits at the point where identity governance, runtime authorisation, and AI operations meet. The issue is no longer whether a model can answer a prompt, but whether an AI agent can initiate action, select tools, and touch systems without controls that IAM teams can actually govern.

The article frames AI agents as non-human identities that are often over-privileged, poorly inventoried, and disconnected from enterprise workflows. That makes the control problem familiar to identity teams, but the runtime behaviour is new: the decision loop now sits inside the machine, not in the approval queue.


Key questions

Q: How should security teams govern AI agents that can act across multiple systems?

A: They should govern AI agents as non-human identities with runtime policy, discovery, and audit boundaries. That means mapping each agent to its credentials, defining where it may act, and enforcing authorisation at the point of tool use rather than only at provisioning or review time.

Q: Why do AI agents complicate existing IAM models?

A: AI agents complicate IAM because they can initiate actions, choose tools, and cross trust boundaries during execution. Traditional IAM assumes access is assigned to a known subject and reviewed later, but agent behaviour can shift inside the session and exceed the original intent.

Q: What breaks when AI agent access is governed only through static entitlements?

A: Static entitlements break when the agent can make runtime decisions about what to do next. The result is an authenticated identity that is still effectively ungoverned, because the risky access decision happens inside the session and outside the review cycle.

Q: How do organisations know whether AI agent governance is working?

A: They know it is working when they can inventory every agent, trace every credential, and explain every high-risk action back to a policy decision. If an agent can access data or initiate requests without a clear control path, governance is incomplete.


Technical breakdown

Why AI agent identity becomes a control plane problem

An AI agent is not just a workload with a token. When it can initiate actions, call tools, and move across systems, identity stops being a login event and becomes a control plane question: who or what can authorise the next action, under what context, and with what auditability. That is why agentic AI security is converging with NHI governance. The same weaknesses that affect service accounts, API keys, and embedded secrets now apply to agent runtime behaviour, especially when agents are embedded in business workflows and can chain actions across multiple systems.

Practical implication: treat AI agents as governed identities with policy, session, and audit boundaries, not as ordinary automation.

Runtime authorisation is different from provisioning-time access

Traditional IAM assumes access can be granted, reviewed, and recertified before or after use. Agentic AI breaks that rhythm because the risky decision often happens inside the session, as the agent chooses when to call a tool or access data. Runtime authorisation adds contextual checks at the point of action, which is where static entitlements fall short. This matters because an agent can be technically authenticated while still being functionally ungoverned if it can exceed intended scope during execution.

Practical implication: evaluate whether access decisions can be enforced at the moment of tool use, not just at account creation or recertification.

Shadow AI and poor inventory create the same blind spots as shadow NHI

Gartner’s emphasis on discovery and governance reflects a familiar identity truth: you cannot secure what you cannot inventory. Shadow AI behaves like shadow NHI, except the runtime can be more dynamic and harder to see because the agent may be embedded in platforms, workflows, or vendor integrations. Discovery therefore has to include the agent, its attached credentials, the systems it can reach, and the policy state governing it. Without that, teams are managing a hidden identity layer rather than a controlled one.

Practical implication: build discovery that maps each agent to its credentials, permissions, and connected systems before expanding deployment.
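The two controls described above, an inventory that maps each agent to its credentials and reachable systems, and an authorisation check evaluated at the moment of tool use, can be sketched in a small policy enforcement point. This is an added illustration, not code from Astrix Security or from Gartner; the agent name, credential strings, tool names and the session-scoping rule are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory (example data, not a real deployment): each agent is
# mapped to its credentials, the systems it may reach and the tools it may call.
# Tools in "high_risk_tools" need a named approver at call time.
AGENT_INVENTORY = {
    "invoice-agent": {
        "credentials": ["sa-invoice@erp", "apikey:crm-readonly"],
        "systems": {"erp", "crm"},
        "allowed_tools": {"erp.read_invoice", "crm.read_account"},
        "high_risk_tools": {"erp.approve_payment"},
    },
}

@dataclass
class Decision:
    allowed: bool
    rule: str  # the policy rule that produced the decision, kept for audit

AUDIT_LOG: list[dict] = []
SESSIONS: dict[str, dict] = {}

def open_session(agent_id: str, session_id: str, task_systems: set[str]) -> bool:
    """Bind a session to the subset of inventoried systems this task needs."""
    entry = AGENT_INVENTORY.get(agent_id)
    if entry is None or not task_systems <= entry["systems"]:
        return False  # unknown agent, or task asks for systems it was never granted
    SESSIONS[session_id] = {"agent": agent_id, "systems": set(task_systems)}
    return True

def authorise_tool_call(session_id: str, tool: str, approved_by: str | None = None) -> Decision:
    """Policy enforcement point evaluated at the moment of tool use, not at provisioning."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        dec = Decision(False, "unknown-session")
    else:
        entry = AGENT_INVENTORY[sess["agent"]]
        system = tool.split(".", 1)[0]
        if system not in sess["systems"]:
            dec = Decision(False, "outside-session-scope")  # scope drift inside the session
        elif tool in entry["allowed_tools"]:
            dec = Decision(True, "allow-list")
        elif tool in entry["high_risk_tools"] and approved_by:
            dec = Decision(True, f"high-risk-approved-by:{approved_by}")
        else:
            dec = Decision(False, "tool-not-permitted")
    # Every decision is recorded with the rule that produced it, so a high-risk
    # action can later be explained back to a policy decision.
    AUDIT_LOG.append({"session": session_id, "agent": sess["agent"] if sess else None,
                      "tool": tool, "allowed": dec.allowed, "rule": dec.rule})
    return dec
```

A session opened for the ERP task alone is denied a CRM call even though CRM is in the agent's inventory, which is the runtime check that provisioning-time entitlements cannot express.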


Threat narrative

Attacker objective: The objective is to turn trusted agent access into broad operational reach that bypasses ordinary IAM oversight and control review.

  1. Entry occurs when an AI agent is deployed with non-human credentials, embedded API keys, or service-account access that is not fully inventoried.
  2. Credential access or abuse follows when the agent is allowed to call tools and data sources without runtime policy checks or contextual authorisation.
  3. Escalation happens when the agent chains actions across systems, broadening its effective scope beyond the original intent of the deployment.
  4. Impact is reached when the agent can initiate service requests, expose sensitive data, or perform unauthorised actions at enterprise scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agent security is becoming a distinct identity governance category, not a feature of model governance. Gartner’s framing is directionally correct because the control problem is about access, authority, and auditability at runtime. Once an agent can initiate actions and use tools, IAM becomes part of the AI security stack rather than a separate administrative layer. Practitioners should treat this as a governance boundary shift, not a taxonomy debate.

Runtime authorisation is the missing control when agent behaviour outpaces provisioning-time policy. The article points to a familiar enterprise failure pattern: entitlement is granted once, but risk appears during execution. That gap widens when agents can decide which tool to call and when to call it. Security teams need to recognise that access review alone does not govern a session that can mutate in real time.

Discovery and inventory remain the first discipline, because shadow AI reproduces the shadow NHI problem at machine speed. Agents, their secrets, and their connected systems must be treated as one identity surface. Without that mapping, governance becomes partial and reactive, and the organisation cannot tell whether it is scaling control or scaling blind spots. The practitioner takeaway is that inventory must cover the agent, the credential, and the control path together.

Policy-based control for AI agents is now a prerequisite for enterprise scale, not an optional guardrail. Gartner’s report reinforces that enterprise adoption will continue even where confidence is incomplete. That means organisations will keep deploying agents before their identity governance catches up. The practical conclusion is that agent access policy, runtime inspection, and audit trails have to be designed as core operational controls, not added after rollout.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing credentials.
  • For lifecycle and offboarding discipline, see Ultimate Guide to NHIs for how identity controls change when machine identities persist beyond their intended use.

What this signals

AI agent governance will increasingly be judged by runtime visibility, not policy intent. The organisations that can prove which agent touched which system, and under what authority, will be able to defend their AI programmes. Those that cannot will treat agent adoption as a compliance and breach-investigation problem rather than an innovation win.

Shadow AI is becoming the new shadow NHI. As agents spread through copilots, embedded workflows, and delegated integrations, the real programme risk is not that AI exists, but that identity teams lose the map of what is acting, with what privileges, and under whose approval. That is where governance drift starts.

With 33% of organisations already reporting AI agents accessing inappropriate or sensitive data beyond their intended scope, the control priority shifts from model tuning to access containment. Teams should expect their existing review cycles to miss the moment when risk is created, because the event happens during execution, not after it.


For practitioners

  • Inventory every AI agent and its attached credentials: Map each agent to its service accounts, API keys, secrets, and connected systems before expanding deployment. Include embedded assistants, third-party integrations, and shadow AI discovered outside formal approval paths.
  • Enforce runtime authorisation for tool use: Apply policy checks at the moment an agent requests a tool, dataset, or transaction. Do not rely on provisioning-time approval alone when the agent can choose actions dynamically.
  • Separate discovery from trust: Discovering an agent does not mean it is safe. Require session logging, behavioural monitoring, and explicit approval boundaries for any agent that can touch sensitive data or initiate external actions.
  • Review third-party and embedded agent access paths: Trace every external platform, embedded workflow, and delegated integration that can extend agent reach. Remove standing access where the business case no longer justifies persistent privilege.

Key takeaways

  • Agentic AI turns identity into a runtime control problem, because agents can act, select tools, and cross trust boundaries without human pacing.
  • Gartner’s data shows that enterprise adoption is accelerating faster than visibility, with service requests and platform investment both moving sharply upward.
  • The practical response is to govern agents as non-human identities, with discovery, runtime authorisation, and auditable policy paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | (no specific item cited) | Agentic AI security and tool use are central to the article.
OWASP Non-Human Identity Top 10 | NHI-01 | AI agents rely on non-human identities and secrets that must be inventoried.
NIST CSF 2.0 | PR.AC-4 | Runtime authorisation and least privilege are core access-control issues.

Map agent actions, tool use, and privilege boundaries against OWASP agentic AI risks before deployment.


Key terms

  • Agentic AI Security: Agentic AI security is the discipline of governing AI systems that can choose actions, use tools, and operate across systems without a human making every decision. In practice, it combines identity, policy, monitoring, and audit controls so the agent’s runtime behaviour stays within approved boundaries.
  • Runtime Authorisation: Runtime authorisation is the decision to allow or deny an action at the moment it is requested, rather than only at provisioning or review time. For AI agents, this matters because the risk often appears during execution, when the agent selects a tool, dataset, or downstream action.
  • Shadow AI: Shadow AI is AI use that exists outside formal inventory, approval, or governance processes. It often includes embedded assistants, experimental agent workflows, and third-party integrations that security teams can’t easily see, which makes identity and access controls incomplete even when policies look mature.
  • Non-Human Identity: A non-human identity is any machine-based identity used by software, workloads, bots, or AI agents to authenticate and act. These identities can carry secrets, tokens, or certificates and must be governed with ownership, scope, rotation, and offboarding discipline.

What's in the full analysis

Astrix Security's full article covers the operational detail this post intentionally leaves for the source:

  • Gartner’s category framing and the vendor placement rationale behind Agentic AI Security.
  • The specific control capabilities Astrix says its platform applies across discovery, observability, and policy enforcement.
  • Examples of how the vendor positions Zero Trust access, just-in-time credentials, and audit trails for AI agents.
  • The broader market context around AI TRiSM funding and category growth.

👉 The full Astrix Security article covers Gartner's category context, control themes, and platform positioning in more detail.

Deepen your knowledge

AI agent identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous agents and machine credentials, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org