Agentic AI security risks are outpacing existing IAM controls

At a glance

What this is: This is an independent analysis of agentic AI and how autonomous planning, tool use, and execution change identity security assumptions.

Why it matters: It matters because security teams now have to govern AI agents alongside NHI, PAM, and human identity controls without assuming deterministic workflows or stable approval points.

👉 Read Lasso Security's guide to agentic AI security risks, use cases, and controls

Context

Agentic AI is software that can decide what to do next, pick tools, and execute across systems from a high-level goal. That changes the identity problem because access is no longer limited to a fixed workflow or a human-paced request cycle, which is why existing IAM controls can miss what an agent does in runtime.

For identity programmes, the key issue is not AI novelty but governance shape. Once an agent can plan, adapt, and act with minimal oversight, teams need to think in terms of identity, privilege, auditability, and blast radius across NHI and autonomous workloads rather than only prompts or model quality. See the OWASP Agentic AI Top 10 for the threat model lens and the Ultimate Guide to NHIs for baseline machine identity governance.

Key questions

Q: What breaks when an AI agent can choose its own tools and next steps?

A: Static access reviews and pre-approved workflows break first, because they assume the actor will stay within a known sequence of actions. An autonomous agent can shift tools and timing at runtime, so governance based only on provisioning-time scope will miss the true access path. Security teams need action-level visibility, not just role assignment.

Q: Why do AI agents complicate least privilege and access reviews?

A: Least privilege is harder to define when the actor can change its own execution path mid-session. Access reviews also lose precision if the agent acquires and uses permissions too quickly for periodic certification to capture. The practical response is to govern the actual tool and data paths, not just the nominal role.

Q: How do security teams know whether an AI agent is staying within its intended scope?

A: They need evidence that the agent only calls approved tools, reaches approved data, and completes approved actions. If the agent can access sensitive systems or reuse context beyond the task boundary, the programme is not observing actual scope. Monitoring should compare intended task scope with executed behaviour, not just success rates.

Q: Who is accountable when an AI agent causes unauthorized access or data exposure?

A: Accountability should sit with the programme that granted the agent its identity, credentials, and delegation rights, because the agent is executing through those controls. In practice, that means IAM, platform, and application owners all need a shared ownership model for agent behaviour, evidence, and remediation.

Technical breakdown

Agent loops and runtime tool selection

Agentic systems use a perception-action loop: they take a goal, break it into subtasks, choose tools, inspect results, and then decide the next step. That is materially different from static automation because the sequence is not fully predetermined at design time. The security consequence is that the identity boundary moves from a single API call to a chain of contextual decisions spanning memory, tools, and execution state. Access controls therefore need to account for runtime intent, not just initial authentication.

Practical implication: Model each tool call as a separate identity event and verify that the agent is entitled to the specific action, not just the parent session.

Why agent memory changes the attack surface

Memory gives an agent continuity across interactions, which improves usefulness but also creates a persistent control plane for behaviour. Short-term and long-term memory can retain user context, prior outputs, and inferred strategies, so a poisoned or manipulated memory store can steer later actions without changing the model itself. This is why agentic risk is not only about prompt injection. It is also about the integrity of the state the agent uses when it decides what to do next.

Practical implication: Treat memory stores as governed security assets, with lineage, validation, and rollback capabilities comparable to other high-value identity state.

Privilege escalation through delegated execution

When an agent can invoke APIs, send emails, query databases, or trigger workflows, it inherits the privilege model of every connected system. If those permissions are broad, the agent can move from legitimate assistance into unauthorized action very quickly. The article's risk table points to scoped API keys, identity binding, and least privilege as the core controls, which is the correct direction: the problem is not that agents are powerful, but that their authority is often wider than their task scope. That mismatch is where escalation starts.

Practical implication: Review every delegated permission path for over-broad access, and bind each agent to narrowly scoped credentials and explicit action boundaries.

Threat narrative

Attacker objective: The attacker wants the agent to execute harmful or unauthorized actions while appearing to operate within normal business automation.

1. Entry occurs when an attacker manipulates or misconfigures an agent's prompt, memory, or delegated tool context so the system accepts a malicious task path.
2. Escalation follows when the agent uses broad API access, inherited roles, or connected workflows to take actions beyond the original user intent.
3. Impact appears as unauthorized data access, unsafe transactions, or lateral movement across enterprise systems driven by the agent's own execution chain.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Agentic AI turns identity from a provisioning problem into a runtime control problem. The article describes systems that plan, select tools, and act across enterprise environments with minimal human intervention. That behaviour means access can no longer be assumed to stay within the boundaries defined at issuance, which is why NHI governance has to move from static entitlements to observed execution paths. Practitioners should treat each agent as an identity that can change its own privilege posture mid-session.

Least privilege was designed for actors whose intent is known before execution begins. That assumption fails when the actor is autonomous because the sequence of actions, tools, and timing is decided at runtime. In other words, provisioning-time scope no longer fully describes the security state of the actor. The implication is that identity governance must be rethought around dynamic decision authority, not only around access assignment.

Memory and tool access create an identity blast radius that traditional IAM reports do not show. The article's architecture shows that a single agent decision can cascade through APIs, workflows, and stored context. That makes auditability and containment more important than raw model capability. Practitioners should view agent governance as a chain-of-custody problem for actions, not just credentials.

Agentic AI governance will converge with NHI governance faster than many programmes expect. The same controls that matter for workload identity, scoped secrets, and privileged delegation become the baseline for agents that can act independently. The difference is that agents can also select the path they take through those controls. Security teams should align agent oversight with OWASP Agentic AI Top 10 and OWASP-NHI thinking rather than treating this as a separate niche.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
• 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• OWASP Agentic AI Top 10 gives practitioners a control lens for the behaviours highlighted in this post.

What this signals

Scope drift is the concept that matters most here: once an agent can alter its own action path, the control problem shifts from access assignment to execution containment. That means programme owners should expect their current IAM reporting to understate real exposure, especially where agent permissions are inherited from human workflows.

With 92% of organisations agreeing that governing AI agents is critical but only 44% having implemented policies, according to the AI Agents: The New Attack Surface report, the gap is not awareness. The gap is operationalisation, and it will show up first in tooling, telemetry, and ownership.

Security teams should prepare for agent oversight to merge with NHI governance and zero-trust design. If identity teams cannot answer which tools an agent may use, which data it may touch, and who can revoke that authority, the programme is not ready for production autonomy.

For practitioners

• Define agent identity boundaries Assign each agent a discrete identity, map every connected tool, and document exactly which actions are allowed under that identity. Use the policy document as the source of truth for runtime enforcement, not the model prompt.
• Scope credentials to task boundaries Replace broad reusable access with narrowly scoped credentials tied to a single function, workflow, or environment. Reassess whether any agent can reach production systems without a clearly justified business need.
• Instrument action-level audit trails Log goal, tool call, response, and follow-on decision as separate events so reviewers can reconstruct the agent's full execution path. Without that trace, containment and investigation become guesswork.
• Test for scope drift and tool misuse Red team the agent with malformed objectives, conflicting context, and deceptive inputs to see whether it expands beyond intended permissions. Validate not only output quality but also whether the agent stays inside its approved action set.

Key takeaways

• Agentic AI changes the identity problem because runtime decisions now determine the real access path, not just provisioning-time entitlements.
• Evidence from NHIMG research shows that agent scope drift is already common, so governance delays translate directly into exposure.
• The control answer is not more model output review, but tighter identity binding, action-level auditability, and task-scoped delegation.

Key terms

• Agentic AI: AI systems that can plan, choose tools, and take actions toward a goal with limited human intervention. In identity terms, that means the system behaves like an actor with delegated authority, so governance must cover runtime decisions, access boundaries, and evidence trails, not just model output quality.
• Agent identity: The identity assigned to an autonomous AI system so it can authenticate, access tools, and act within approved boundaries. For agents, identity is not just a login mechanism. It is the control surface that defines what the system can do, where it can do it, and who can revoke it.
• Scope drift: A mismatch between the permissions an AI agent was meant to use and the actions it actually takes at runtime. In autonomous environments, scope can widen through tool chaining, context changes, or delegated workflows, so the real control question is whether execution stays inside the approved task boundary.
• Delegated execution: A pattern where one identity is allowed to act on behalf of another through APIs, workflows, or connected tools. In agentic systems, delegated execution becomes a security issue when the delegated actor can change its own path, because the original approval no longer fully describes the action chain.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Lasso Security: What is Agentic AI? Benefits, Security Risks & Use Cases. Read the original.