TL;DR: Agentic AI is moving from experimental to operational as systems begin initiating workflows, accessing systems, and modifying data without direct human prompting, while 69% of cybersecurity professionals expect AI-based vulnerabilities to outpace human misuse of AI, according to Keyfactor. Conventional automation controls were built for scripts, not actors that make decisions at machine speed.
At a glance
What this is: This is an analysis of agentic AI security and the governance changes required when autonomous systems start acting as enterprise identities.
Why it matters: It matters because IAM, PAM, and NHI programmes now have to govern systems that initiate actions, consume credentials, and create accountability gaps alongside human and machine identities.
By the numbers:
- 69% of cybersecurity professionals said AI-based vulnerabilities will pose a greater threat to their organization’s identity and security systems than human misuse of AI in the coming year.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
👉 Read Keyfactor's analysis of agentic AI security and digital trust
Context
Agentic AI security is the discipline of establishing identity, accountability, and trust for AI systems that can initiate actions without direct human prompting. The core problem is not automation alone. It is that the system is beginning to behave like an identity with agency, which places pressure on IAM, NHI, and governance models that were designed around human request flows or predefined machine execution.
Keyfactor frames the issue around digital trust: as AI agents access systems, modify data, and trigger workflows, they expand the enterprise attack surface while complicating oversight. The practical question for security teams is whether existing identity controls can still define who or what is allowed to act when the actor can decide to act at runtime.
The article starts from a position that is typical of many enterprises: AI assistants and agentic workflows are being adopted before governance patterns for machine-speed decision-making exist. That makes the problem broadly relevant rather than unusual.
Key questions
Q: How should security teams govern AI agents that can act independently?
A: Security teams should treat AI agents as identities with owner, purpose, and access boundaries, then enforce task-scoped permissions, audit trails, and revocation paths. Governance must cover onboarding, certification, and offboarding, because autonomous behaviour creates risk during execution, not only at provisioning. If an agent can initiate actions, it needs controls that measure and constrain live behaviour, not just static entitlements.
Q: Why do autonomous AI agents create new IAM and NHI risk?
A: Autonomous agents create risk because they can select actions and trigger workflows at runtime, which breaks the assumption that access can be fully understood at provisioning time. That makes least privilege harder to define, review cycles less effective, and attribution more difficult. The issue is not the presence of AI alone, but the combination of identity, agency, and machine-speed execution.
Q: What breaks when AI agent access is reviewed like human access?
A: Human access reviews assume an operator, a stable role, and a reviewable duration of privilege. Those assumptions weaken when an agent can take multiple actions between review points, inherit access through chained workflows, or change scope during a session. The result is a governance blind spot where certification may say access is approved while behaviour has already moved beyond intent.
Q: Who is accountable when an AI agent causes a security incident?
A: Accountability should sit with the business owner of the agent, the platform owner that enabled it, and the security team that approved the control model. For regulated environments, evidence must show who owned the agent, what it was allowed to do, and whether revocation and audit trails were in place. Without that, attribution becomes guesswork after the fact.
Technical breakdown
Why autonomous AI changes identity and trust assumptions
Traditional automation executes a predefined script, while agentic AI can choose actions, continue operating, and interact across environments without a human in the loop. That difference matters because identity controls assume the actor can be described at provisioning time and reviewed later. Once an AI agent can initiate work, select actions, and trigger downstream systems, the trust model shifts from static entitlement management to runtime accountability. The governance challenge is not just access assignment. It is proving which identity performed which action, under what policy, and with what evidence of intent or constraint.
Practical implication: security teams need identity records and audit trails that capture agent behaviour, not just credential issuance.
Least privilege for AI agents and machine-speed workflows
Least privilege becomes harder when a system can move from one task to another without a predictable approval rhythm. In agentic environments, privilege must be scoped to the task, the tool, and the moment of use, because standing permissions can become overbroad as soon as the agent changes context. This is why built-in identity, observability, and cryptographic assurance matter together. If the actor can act continuously, security cannot rely on occasional reviews to catch misuse after the fact. The control plane has to limit what the agent can reach before execution begins and what it can chain into next.
Practical implication: define task-scoped entitlements and monitor for tool or data access that extends beyond the approved workflow.
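As an added example of the control plane described above (not code from Keyfactor or NHIMG): a small Python gateway that sits in front of every tool call and evaluates a task-scoped, time-bound grant at the moment of use, so the agent never holds the tool's credential. The agent, owner, task, tool and resource names, the grant fields, the chain-depth rule and the constructed clock values are all assumptions made for the illustration.

```python
# Task-scoped, time-bound authorization for AI agent tool calls.
# Added example, not code from Keyfactor or NHIMG. Agent, owner, task, tool
# and resource names, grant fields and the chain-depth rule are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    """Identity record: every agent has a named owner and a stated purpose."""
    agent_id: str
    owner: str
    purpose: str


@dataclass
class TaskGrant:
    """Permission scoped to one task: tools, resource prefixes, lifetime, chain depth."""
    grant_id: str
    agent_id: str
    task_id: str
    allowed: dict             # tool name -> tuple of permitted resource prefixes
    issued_at: int            # seconds on a constructed clock, not wall time
    ttl_seconds: int
    max_chain_depth: int = 1  # 1 = the agent itself, 2 = one delegated hop, ...
    revoked: bool = False

    def expired(self, now: int) -> bool:
        return now >= self.issued_at + self.ttl_seconds


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AgentGateway:
    """Control plane in front of every tool call: the agent never holds the
    tool's credential, the gateway checks the grant at the moment of use and
    writes an owner-attributed audit event whether or not the call is allowed."""

    def __init__(self) -> None:
        self.agents: dict[str, AgentIdentity] = {}
        self.grants: dict[str, TaskGrant] = {}
        self.audit: list[dict] = []

    def register(self, agent: AgentIdentity) -> None:
        self.agents[agent.agent_id] = agent

    def grant(self, g: TaskGrant) -> None:
        if g.agent_id not in self.agents:  # entitlements must trace to an owner
            raise ValueError(f"unknown agent {g.agent_id}: no owner on record")
        self.grants[g.grant_id] = g

    def revoke(self, grant_id: str) -> None:
        self.grants[grant_id].revoked = True

    def authorize(self, grant_id: str, tool: str, resource: str,
                  now: int, chain_depth: int = 1) -> Decision:
        g = self.grants.get(grant_id)
        if g is None:
            d = Decision(False, "no such grant")
        elif g.revoked:
            d = Decision(False, "grant revoked")
        elif g.expired(now):
            d = Decision(False, "grant expired")
        elif chain_depth > g.max_chain_depth:
            d = Decision(False, f"delegation depth {chain_depth} exceeds {g.max_chain_depth}")
        elif tool not in g.allowed:
            d = Decision(False, f"tool {tool} not in task scope")
        elif not any(resource.startswith(p) for p in g.allowed[tool]):
            d = Decision(False, f"resource {resource} outside scope for {tool}")
        else:
            d = Decision(True, "within task scope")
        # Denied calls are logged too: the audit trail must capture behaviour, not just issuance.
        self.audit.append({
            "ts": now, "grant": grant_id, "agent": g.agent_id if g else None,
            "owner": self.agents[g.agent_id].owner if g else None,
            "task": g.task_id if g else None, "tool": tool, "resource": resource,
            "chain_depth": chain_depth, "allowed": d.allowed, "reason": d.reason})
        return d


def demo():
    """One agent through an allowed call, two kinds of scope drift, a delegated
    hop, expiry and revocation. Returns (gateway, decisions)."""
    gw = AgentGateway()
    gw.register(AgentIdentity("invoice-agent-01", "finance-ops", "reconcile supplier invoices"))
    gw.grant(TaskGrant(grant_id="g-1", agent_id="invoice-agent-01", task_id="reconcile-2026-02",
                       allowed={"erp.read": ("invoices/",), "erp.write": ("invoices/status/",)},
                       issued_at=1000, ttl_seconds=600, max_chain_depth=1))
    decisions = [
        gw.authorize("g-1", "erp.read", "invoices/2026/02/", now=1010),          # in scope
        gw.authorize("g-1", "erp.read", "payroll/", now=1020),                  # resource drift
        gw.authorize("g-1", "email.send", "cfo@example.invalid", now=1030),     # tool drift
        gw.authorize("g-1", "erp.write", "invoices/status/", now=1040, chain_depth=2),  # delegated hop
        gw.authorize("g-1", "erp.write", "invoices/status/", now=1700),         # after expiry
    ]
    gw.revoke("g-1")
    decisions.append(gw.authorize("g-1", "erp.read", "invoices/2026/02/", now=1050))  # after revoke
    return gw, decisions
```

Calling `demo()` produces one allowed decision and five denials, each with a reason string, and six audit events that all carry the owning identity (`finance-ops`). The design point is that the check runs at the moment of use, so expiry, revocation and delegation depth are enforced without waiting for the next access review; the resource-prefix rule is deliberately simple and a real deployment would use the target system's own resource model.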
How governance differs when AI agents become trusted entities
Treating AI agents as trusted entities means placing them inside the same governance model used for people, workloads, and service identities, but with tighter runtime assumptions. Human oversight still matters, yet human-in-command governance is not enough on its own if the agent can act at machine speed between reviews. That creates a lifecycle problem as much as a security problem: onboarding, offboarding, access certification, and revocation all need to account for non-human actors that can persist, spawn other agents, or inherit access through chained workflows. The governance model has to follow the behaviour, not the brand of the system.
Practical implication: extend lifecycle governance to AI agents so access, ownership, and revocation are explicit and machine-readable.
Threat narrative
Attacker objective: The attacker aims to hijack or misuse the agent's legitimate trust to reach systems and data that would otherwise remain protected.
- Entry begins when an autonomous AI agent is granted legitimate access to systems, data, and tools so it can operate inside business workflows.
- Escalation occurs when the agent is allowed to chain actions, expand scope, or trigger infrastructure changes beyond the original human intent.
- Impact follows when the agent is spoofed, manipulated, or over-authorised, causing unintended data exposure, system changes, or cascaded trust failure.
Breaches seen in the wild
- Moltbook AI agent keys breach — the Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic AI security is now an identity governance problem, not just an AI safety problem. The article makes clear that autonomous systems are beginning to initiate workflows, access systems, and modify data without direct prompting. That moves the control question from content safety to identity assurance, because the enterprise now has to decide what an AI actor is allowed to do and how that action is attributed. Practitioners should treat agentic AI as part of the IAM, PAM, and NHI perimeter, not a sidecar to it.
Least privilege was designed for actors whose intent is knowable before execution begins. That assumption fails when the actor is autonomous because the agent can select actions, chain tools, and continue operating at runtime without a human approval gate. The implication is not merely that permissions should be tighter. It is that provisioning-time entitlement models no longer fully describe the risk, so governance has to account for non-deterministic action paths.
Identity accountability breaks down when agent behaviour can outpace human review cycles. The article’s emphasis on machine-speed operation highlights a growing control mismatch: human oversight remains important, but it cannot be the only mechanism that constrains action. In practice, that means traceability, observability, and explicit ownership become the minimum bar for credible agent governance.
Runtime agent governance gap: this is the failure mode the article reveals, where policies exist for access assignment but not for live decision-making, scope change, and downstream delegation. That gap is already visible in organisations that deploy AI faster than they define revocation, certification, and audit paths. Practitioners should read this as a signal that governance must move from static approval to continuous behavioural control.
The market is converging on digital trust for autonomous systems. The article’s framing around cryptographic foundations, built-in identity, and observability shows where the category is heading. Security teams will increasingly be judged on whether they can prove an agent’s identity, limit its blast radius, and retain evidence after the fact. The field is moving from AI experimentation to trust engineering, and that shifts the buyer conversation toward controls rather than capability claims.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap is why practitioners should also read OWASP Agentic AI Top 10 for a control-oriented view of runtime risk.
What this signals
Runtime agent governance gap: enterprises are deploying autonomous systems faster than they are defining the ownership, certification, and revocation model those systems require. The practical signal is that identity teams should expect AI agents to move into mainstream IAM workflows before policy frameworks are fully mature, which increases the value of explicit control ownership and audit-ready logs.
The governance pressure is broader than AI security alone. Once agents can access systems and trigger downstream workflows, IAM, PAM, and lifecycle teams inherit the same responsibility they already carry for human and machine identities, but with shorter decision windows and less predictable behaviour. That is why agent controls need to be built into identity programmes now rather than added as an exception later.
With 80% of organisations already reporting agents that act beyond intended scope, the programme risk is not hypothetical. Teams should prepare for more frequent reviews of privilege boundaries, clearer business ownership of each agent, and evidence that access can be removed as quickly as it is granted.
For practitioners
- Define AI agent identities explicitly: Assign each agent a distinct identity, owner, and purpose record so entitlements can be traced back to a business function and revoked cleanly when the workflow changes.
- Scope permissions to the task and tool: Limit each agent to the smallest set of systems, APIs, and data paths needed for one workflow, then remove standing access that would let it pivot into unrelated actions.
- Instrument agent activity for audit and containment: Log prompts, tool calls, data access, and action sequences in a way that supports later investigation and immediate containment when behaviour diverges from policy.
- Extend lifecycle controls to autonomous actors: Build onboarding, certification, and offboarding steps for AI agents so access ownership, review cadence, and revocation are machine-readable rather than informal.
- Test for scope drift before production release: Run abuse cases that check whether the agent can expand beyond its intended workflow, call unauthorised tools, or inherit privileges through chained actions.
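As an added example for the instrumentation and scope-drift steps above (not part of the page or the Keyfactor article): a Python detector run over constructed JSONL audit events. It flags tool calls outside an agent's certified workflow and, separately, tools the originating agent was never certified for but reached by chaining through another agent, then computes the blast radius per root identity and the set of identities to contain. The event fields, agent and tool names, and the approved-workflow table are all assumptions made for the illustration.

```python
"""Detect scope drift and chained privilege inheritance in agent audit logs.

Added example, not code from Keyfactor or NHIMG. The JSONL event shape, the
agent and tool names and the approved-workflow table are constructed."""
import json

# Certified workflow per agent: the tools its task was approved to use (constructed).
APPROVED = {
    "ticket-triage-agent": {"ticketing.read", "ticketing.comment"},
    "infra-change-agent": {"ticketing.read", "terraform.plan", "terraform.apply"},
}

# Constructed audit events, one JSON object per tool call. "parent" names the
# agent on whose behalf the call was made when one agent invoked another.
SAMPLE_LOG = """\
{"ts": 100, "agent": "ticket-triage-agent", "tool": "ticketing.read", "resource": "tickets/4411", "parent": null}
{"ts": 101, "agent": "ticket-triage-agent", "tool": "ticketing.comment", "resource": "tickets/4411", "parent": null}
{"ts": 102, "agent": "ticket-triage-agent", "tool": "agent.invoke", "resource": "infra-change-agent", "parent": null}
{"ts": 103, "agent": "infra-change-agent", "tool": "terraform.plan", "resource": "prod/network", "parent": "ticket-triage-agent"}
{"ts": 104, "agent": "infra-change-agent", "tool": "terraform.apply", "resource": "prod/network", "parent": "ticket-triage-agent"}
{"ts": 105, "agent": "ticket-triage-agent", "tool": "secrets.read", "resource": "vault/prod/db", "parent": null}
"""


def parse(log_text: str) -> list[dict]:
    """Parse JSONL audit lines; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(events: list[dict], approved: dict[str, set[str]]) -> list[dict]:
    """Flag two failure modes:
    scope_drift: an agent called a tool outside its own certified workflow;
    chained_privilege: a tool the parent agent was never certified for was
    reached on its behalf through another agent."""
    findings = []
    for e in events:
        if e["tool"] not in approved.get(e["agent"], set()):
            findings.append({"kind": "scope_drift", "ts": e["ts"], "agent": e["agent"],
                             "tool": e["tool"], "resource": e["resource"]})
        parent = e.get("parent")
        if parent is not None and e["tool"] not in approved.get(parent, set()):
            findings.append({"kind": "chained_privilege", "ts": e["ts"], "agent": parent,
                             "via": e["agent"], "tool": e["tool"], "resource": e["resource"]})
    return findings


def effective_reach(events: list[dict]) -> dict[str, set[tuple[str, str]]]:
    """Blast radius per root identity: every (tool, resource) pair reached
    directly or through a delegated agent, attributed to the originating agent."""
    reach: dict[str, set[tuple[str, str]]] = {}
    for e in events:
        root = e.get("parent") or e["agent"]
        reach.setdefault(root, set()).add((e["tool"], e["resource"]))
    return reach


def agents_to_contain(findings: list[dict]) -> set[str]:
    """Identities whose grants should be revoked pending review: the agent
    that drifted and any agent it reached the extra privilege through."""
    return {f["agent"] for f in findings} | {f["via"] for f in findings if "via" in f}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    findings = detect(events, APPROVED)
    for f in findings:
        print(f)
    print("reach:", effective_reach(events))
    print("contain:", agents_to_contain(findings))
```

On the constructed log the detector reports four findings: two scope-drift calls by the triage agent (`agent.invoke` and `secrets.read`) and two chained-privilege findings where `terraform.plan` and `terraform.apply` were reached on the triage agent's behalf, even though the infra agent itself stayed inside its own certified set. The same `detect` function doubles as the pre-release abuse-case check: feed it the trace from a test run and require an empty result before the workflow is certified.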
Key takeaways
- Agentic AI security is fundamentally an identity governance issue because autonomous systems can initiate actions, access data, and alter state without direct human prompting.
- The biggest control problem is not that AI agents exist, but that many enterprises are deploying them faster than they can audit, scope, and revoke their access.
- Security teams should move from static entitlement thinking to runtime behavioural control, with explicit ownership, traceability, and lifecycle management for every agent.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-03 | Covers agent autonomy, tool use, and identity abuse in autonomous systems. |
| NIST AI RMF | GOVERN function | Addresses governance and accountability for AI systems with autonomous behaviour. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and entitlements must be defined, enforced, and reviewed under least privilege, which is central when AI agents gain direct system access. |
Assign ownership, oversight, and evidence requirements for each autonomous AI agent.
Key terms
- Agentic AI Security: Agentic AI security is the discipline of governing AI systems that can choose actions, invoke tools, and continue work without direct human prompting. It combines identity, access, auditability, and trust controls so autonomous behaviour remains attributable and constrained within enterprise policy.
- Runtime Governance: Runtime governance is the control of behaviour while a system is executing, not just when it is configured or approved. For AI agents, it means monitoring decisions, tool use, and downstream effects in real time so privilege, scope, and accountability can be enforced during action.
- Identity Accountability: Identity accountability is the ability to prove which identity performed which action, under what authority, and with what oversight. In agentic environments, it requires machine-readable ownership, audit logs, and revocation paths because autonomous systems can act too quickly for informal tracing.
- Task-Scoped Access: Task-scoped access is permission limited to a specific objective, tool set, and execution window. For autonomous agents, it is more precise than broad role assignment because the agent’s intent can change at runtime, increasing the risk of scope drift and unintended downstream action.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Keyfactor: What Is Agentic AI Security? Governing Autonomous AI in the Enterprise. Read the original.
Published by the NHIMG editorial team on 2026-02-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org