By NHI Mgmt Group Editorial Team | Published 2026-04-01 | Domain: Agentic AI & NHIs | Source: Zenity

TL;DR: Agentic AI security emerged as the defining cyber risk at RSA 2026, while government policy remains fragmented across NIST, the UK, Singapore, and Spain, according to Zenity. The gap is no longer about awareness, but about lifecycle-based governance that can keep pace with autonomous systems before critical infrastructure dependency hardens.


At a glance

What this is: This is an analyst post arguing that agentic AI security has become a mainstream policy problem, with current government frameworks still too fragmented to govern the full agent lifecycle.

Why it matters: It matters because IAM, IGA, PAM, and security architecture teams will be asked to govern autonomous agents in the same environments where human and NHI controls already struggle with scope, lifecycle, and accountability.



Context

Agentic AI security is the emerging identity governance problem behind the policy debate. Once an AI agent can choose actions, select tools, and execute without human approval, existing controls built for static access reviews and predeclared permissions no longer describe the real behaviour of the actor. That is why the focus here is agentic AI security specifically, not generic AI risk.

Zenity's analysis points to a widening gap between deployment speed and governance maturity across cloud, endpoint, and homegrown environments. The article argues that governments are still treating the problem as fragmented initiatives rather than a lifecycle issue, even as critical infrastructure sectors begin adopting agentic systems on a months-long timeline.

The practical identity question is simple: which programme owns the agent when its behaviour crosses from configuration into runtime decision-making? That question cuts across NHI governance, zero trust, and lifecycle management, because the same identity may need provisioning, monitoring, review, and offboarding logic that human IAM models never had to express.


Key questions

Q: How should organisations govern agentic AI security across the full lifecycle?

A: Organisations should treat agentic AI security as a lifecycle governance issue, not a point control problem. That means defining ownership from provisioning through runtime monitoring, review, and retirement. The practical test is whether the programme can explain who is accountable for the agent at every stage, including when behaviour changes after deployment.

Q: Why do traditional IAM controls struggle with autonomous AI agents?

A: Traditional IAM controls struggle because they assume stable permissions, stable intent, and a human-paced review cycle. Autonomous agents can change actions at runtime, combine tools dynamically, and complete work before a review ever occurs. The result is a control model that sees the grant, but not the behaviour that follows it.

Q: What breaks when agent-to-agent discovery is left implicit?

A: Implicit discovery breaks trust because one agent may inherit context or delegate work without a clear authentication and authorisation boundary. That creates hidden propagation paths across systems and makes it difficult to prove who initiated the action chain. Teams need explicit trust rules before they allow agent interactions to scale.

Q: Who is accountable when an AI agent crosses into risky behaviour?

A: Accountability should sit with the team that owns the agent lifecycle and the policy domain that allowed the behaviour. If responsibility is split between platform, security, and business teams without a named owner, incidents become ungovernable. Regulatory and audit expectations increasingly favour clear operational accountability over informal shared ownership.


Technical breakdown

Why agentic AI security cannot be treated as static access control

Agentic AI security fails when organisations treat an autonomous system like a conventional workload identity. A workload can be given a fixed role, but an agent can alter its actions mid-session, combine tools dynamically, and generate new execution paths from the same starting permissions. That creates a runtime governance problem, not just an authorisation problem. Static policy cannot fully describe what the agent will do after it begins interacting with tools, memory, and external systems. Practical implication: governance models must distinguish between provisioned permissions and emergent runtime behaviour.

Practical implication: separate static entitlements from runtime behaviour monitoring, because provisioning alone does not bound an agent's action path.

Agent-to-agent discovery and trust are new identity surfaces

When agents discover and authenticate to one another, identity stops being a single system boundary and becomes a trust network. Traditional federation assumes known parties, stable trust anchors, and human-defined integration patterns. Agent-to-agent exchange introduces a more fluid model where one agent may need to validate another's authority, provenance, and scope before sharing context or delegating work. That makes discovery, authentication, and trust establishment part of the attack surface, not just the integration layer. Practical implication: teams need explicit trust boundaries for agent interaction, not implicit allow-listing through tool access.

Practical implication: define trust boundaries for agent interactions before allowing agents to call or delegate to other agents.

Dynamic policy evolution is the missing governance layer

Dynamic policy evolution is the idea that governance rules must change as agent capability, context, and risk change. Static controls assume a stable subject and a stable purpose, but agentic systems may adjust goals, switch tools, and continue executing after the original reason for access has shifted. That breaks the assumption that policy can be approved once and reviewed later. The governance model has to account for changing intent, not just changing entitlements. Practical implication: policy teams should treat agent behaviour as a moving governance target, not a one-time configuration.

Practical implication: build policy processes that can react to changing agent context, because the risk posture is not fixed at provisioning time.




NHI Mgmt Group analysis

Agentic AI security is becoming an identity governance problem before it becomes a compliance problem. The article shows policy lag across governments, but the deeper issue is that the actor itself is changing faster than governance templates can absorb. When autonomy enters the runtime, the security question shifts from who may access a system to what the system may decide to do next. Practitioner conclusion: treat agentic AI as a new governance class, not a feature extension of workload IAM.

Static entitlement models are already insufficient for autonomous agents. The post describes agents moving across cloud, endpoint, and homegrown environments, which means no single control plane can assume fixed behaviour or fixed context. That is why lifecycle governance must encompass provisioning, monitoring, review, and offboarding as one continuous model. Practitioner conclusion: if your programme only certifies access, it is not governing the agent.

Access review is an assumption built for access that persists long enough to be reviewed. That assumption fails when the actor is autonomous because the agent can acquire, use, and discard privilege inside a single execution cycle. The implication is not merely to add a new control, but to rethink whether review cadences can observe the behaviour at all. Practitioner conclusion: review-based governance does not map cleanly to runtime agentic decision loops.

Policy fragmentation is now a category risk, not just a regulatory inconvenience. The article's central warning is that individual initiatives around testing, monitoring, or deployment do not add up to a lifecycle-spanning framework. That leaves practitioners to stitch together governance across agent creation, interaction, and retirement without a shared model. Practitioner conclusion: programmes should judge any control by whether it fits the full agent lifecycle, not by whether it covers one stage well.

Agentic AI will force identity teams to connect human governance, NHI controls, and autonomous behaviour in one operating model. The field cannot afford separate rulebooks for each actor type when the same infrastructure hosts all three. The most useful standards will be the ones that translate between lifecycle review, trust establishment, and runtime policy. Practitioner conclusion: identity architecture now needs cross-actor governance, not isolated control domains.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For the lifecycle angle, see NHI Lifecycle Management Guide for how provisioning, review, and offboarding need to be joined up.

What this signals

Agentic AI security now sits at the point where policy lag becomes architectural risk. Your programme will be judged less on whether it has a policy statement and more on whether it can govern runtime decisions across environments. If your controls only work at the moment access is granted, they will miss the behaviour that matters most.

Identity teams should expect cross-actor governance to become the norm. Human IAM, NHI controls, and autonomous-agent oversight are converging on the same infrastructure, which means separate governance lanes will create duplication and blind spots. The operational answer is a single operating model with actor-specific rules, not three disconnected programmes.

Policy teams should prepare for a new class of runtime accountability artefact. The next maturity step is not more documentation, but evidence that the organisation can explain what an agent did, why it did it, and who owned the decision boundary. That will become central to audit readiness and incident review.


For practitioners

  • Map the full agent lifecycle: Document provisioning, runtime operation, monitoring, review, and offboarding for every agent class, including homegrown and third-party deployments. If a step is missing, the governance model is incomplete.
  • Separate entitlement from behaviour controls: Use one control set for granted permissions and another for runtime actions, tool calls, and cross-system delegation. Do not assume a role definition can predict the agent's next move.
  • Define agent-to-agent trust boundaries: Require explicit authentication and scope validation before one agent can pass context or delegate work to another. This prevents implicit trust from becoming an unmanaged access path.
  • Align policy owners across security and governance teams: Assign clear ownership for AI agent risk across security, compliance, legal, and platform teams so that policy does not fragment by environment or use case.
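The separation of provisioned entitlements from runtime behaviour checks (Technical breakdown) and the explicit agent-to-agent trust boundary with scope validation and provenance (practitioner list above) can be sketched as a small runtime guard. This is an added illustration, not code from the original post or from Zenity; the Agent and RuntimeGuard classes, the "tool:scope" grant format, and the sample agents are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Agent:
    name: str
    entitlements: frozenset        # static, provisioned "tool:scope" grants (assumed format)
    trusted_delegates: frozenset   # explicit agent-to-agent trust boundary
    active: bool = True            # lifecycle state; offboarded agents are inactive

@dataclass
class ActionRecord:
    actor: str      # agent that performed (or attempted) the action
    action: str     # "tool:<name>" or "delegate:<target>"
    scope: str
    origin: str     # agent that initiated the whole action chain (provenance)
    allowed: bool
    reason: str

class RuntimeGuard:
    # Evaluates every runtime action against provisioned grants and explicit
    # trust rules, and keeps an audit trail that preserves chain provenance.
    def __init__(self, agents):
        self.agents = {a.name: a for a in agents}
        self.audit = []

    def _record(self, actor, action, scope, origin, allowed, reason):
        rec = ActionRecord(actor, action, scope, origin, allowed, reason)
        self.audit.append(rec)
        return rec

    def tool_call(self, actor, tool, scope, origin=None):
        origin = origin or actor
        agent = self.agents.get(actor)
        if agent is None or not agent.active:
            return self._record(actor, f"tool:{tool}", scope, origin, False, "unknown or offboarded agent")
        if f"{tool}:{scope}" not in agent.entitlements:
            return self._record(actor, f"tool:{tool}", scope, origin, False, "outside provisioned entitlement")
        return self._record(actor, f"tool:{tool}", scope, origin, True, "entitled")

    def delegate(self, src_name, dst_name, tool, scope, origin=None):
        origin = origin or src_name
        src, dst = self.agents.get(src_name), self.agents.get(dst_name)
        action = f"delegate:{dst_name}"
        if src is None or dst is None or not src.active or not dst.active:
            return self._record(src_name, action, scope, origin, False, "unknown or offboarded agent")
        if dst_name not in src.trusted_delegates:
            return self._record(src_name, action, scope, origin, False, "no explicit trust boundary")
        if f"{tool}:{scope}" not in src.entitlements:
            return self._record(src_name, action, scope, origin, False, "delegating scope it does not hold")
        self._record(src_name, action, scope, origin, True, "trusted delegate")
        return self.tool_call(dst_name, tool, scope, origin)  # delegate still needs its own grant
```

Every record carries the originating agent, so the audit trail answers "who initiated the action chain" even after several hops, and offboarding an agent (active=False) closes both its own calls and any delegation to it.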

Key takeaways

  • Agentic AI security is no longer a niche technical issue, because policy gaps are colliding with autonomous runtime behaviour.
  • The evidence points to a serious governance deficit, with government initiatives still fragmented while enterprise adoption accelerates.
  • The practical response is lifecycle-based governance that ties ownership, runtime control, and accountability together across all environments.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agentic systems can change actions at runtime and need explicit governance.
NIST AI RMF | | The article is fundamentally about governance, accountability, and lifecycle risk.
OWASP Non-Human Identity Top 10 | NHI-01 | Agent identities still depend on NHI lifecycle and access boundaries.

Map agent runtime behaviour to OWASP agentic risks and review controls for tool use and delegation.


Key terms

  • Agentic AI security: The governance and control of AI systems that can choose actions, select tools, and execute without a human approval gate. In practice, it combines identity, access, monitoring, and lifecycle controls because the risk is not only what the system can reach, but what it decides to do at runtime.
  • Agent-to-agent trust: The rules that determine whether one AI agent can authenticate, delegate, or share context with another. This is an identity problem as much as an integration problem, because uncontrolled trust propagation can create hidden access paths and make accountability harder to prove.
  • Dynamic policy evolution: A governance model in which access and behaviour rules change as the agent's context, capability, or risk profile changes. Static approval models assume the subject stays stable, but agentic systems can shift intent and action mid-session, so policy must account for runtime change.
  • Lifecycle-based governance: An identity governance approach that covers creation, operation, review, and removal as one continuous chain. For agents, lifecycle-based governance matters because access decisions, runtime behaviour, and accountability are linked, and a gap at any stage weakens the entire control model.

Deepen your knowledge

Agentic AI security and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for autonomous agents in mixed human and machine environments, it is worth exploring.

This post draws on content published by Zenity: RSA and DC Dispatches: Agentic AI Security Is the Story, Government Policy Needs to Catch Up. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org