By NHI Mgmt Group Editorial Team
Published 2025-09-25
Domain: Agentic AI & NHIs
Source: Astrix Security

TL;DR: Gartner’s Emerging Tech Impact Radar places Agentic Identities in the 1 to 3 year adoption ring with very high mass, while projecting that 40% of enterprise apps will integrate task-specific AI agents by 2026 and 61% of organisations are already piloting or scaling them. Identity review cycles assume stable principals; autonomous agents break that assumption in-flight.


At a glance

What this is: Gartner’s radar treats Agentic Identities as a near-term, high-impact security category that forces AI agents into the identity governance model.

Why it matters: IAM teams must treat agent identities as governed principals, because autonomy changes provisioning, auditability, privilege scope, and accountability across NHI, autonomous, and human programmes.



Context

Agentic identities are the identities assigned to AI agents that can act on behalf of users or systems. The governance gap is that most enterprise IAM and NHI programmes still assume a principal is either a human or a static machine identity, not a runtime actor that can decide, request, and chain actions dynamically.

Gartner’s framing pushes this from experimentation into operating model change. Once agents are treated as governed principals, identity becomes the control plane for what they can access, when they can act, and how their behaviour is audited across SaaS, cloud, and internal systems.

That matters because agent adoption is moving faster than many access governance programmes can classify it. Most organisations start from the same position: they have controls for service accounts and for humans, but not yet for identities that combine delegation, autonomy, and short-lived task execution.


Key questions

Q: How should security teams govern AI agent identities in enterprise environments?

A: Security teams should govern AI agent identities as first-class principals with explicit ownership, scope, expiry, and audit trails. The practical baseline is to combine least privilege, just-in-time access, lifecycle revocation, and behavioural monitoring so the agent cannot accumulate durable access that outlives its task or business purpose.

Q: Why do AI agents force a rethink of existing IAM controls?

A: AI agents force a rethink because many IAM controls assume access is stable long enough to be reviewed, recertified, and revoked on a human schedule. Agent behaviour is runtime-driven, so privilege can change faster than governance cycles can observe it. That makes static entitlement models incomplete for agentic work.

Q: What breaks when AI agents are treated like ordinary service accounts?

A: What breaks is accountability for delegated behaviour. Ordinary service accounts usually have fixed, known functions, while AI agents can choose tools and action paths at runtime. If teams treat them the same, they miss scope drift, hidden delegation chains, and task changes that should trigger re-approval or revocation.

Q: What frameworks should teams use to assess agentic identity risk?

A: Teams should map agentic identity risk to OWASP-NHI for non-human identity controls, ZT-NIST-207 for zero-trust access boundaries, and NIST-CSF for governance and monitoring. Those frameworks help teams translate agent behaviour into ownership, access, detection, and response requirements without reducing the problem to a single tool decision.


Technical breakdown

Agentic identities as governed principals

An agentic identity is a unique, verifiable identity assigned to an AI agent so its actions can be authorised, logged, and constrained like any other principal. The key technical shift is that the identity is not just authenticating to a tool. It is carrying delegated authority across a workflow, often across multiple systems and with changing context. That creates a control problem for IAM because static entitlements do not describe runtime behaviour well enough. In practice, the identity layer must represent scope, time, and purpose together, or the resulting audit trail will be incomplete.

Practical implication: classify AI agents as first-class principals and tie each to explicit scopes, expiry, and audit ownership.

JIT access and full lifecycle governance for agents

Just-in-time access is more than a convenience pattern here. For agents, it becomes a containment model that limits how long delegated access can exist and how much of the environment an agent can reach at once. Full lifecycle governance matters because agents are not one-time integrations. They are created, updated, paused, re-scoped, and retired. Without lifecycle control, an agent’s effective permissions can drift away from the intended task. That makes revocation, not just provisioning, a core identity event. The important design point is that lifecycle must follow the agent’s operational role, not the software release cycle.

Practical implication: make agent onboarding, re-scope, and revocation part of the IAM lifecycle rather than a platform deployment task.
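
The following Python example is added here and is not code from Astrix Security or NHI Mgmt Group. It shows a task-scoped grant that carries owner, delegator, purpose, scope, and expiry together, with deny-by-default authorisation and an audit record for every decision; `Grant`, `GrantBroker`, the 30-minute `MAX_TTL`, and the scope strings are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Grant:  # hypothetical record: scope, time and purpose kept together
    agent_id: str
    owner: str          # accountable human or team
    on_behalf_of: str   # delegating principal, kept for the audit trail
    purpose: str
    scopes: frozenset
    expires_at: datetime
    grant_id: str = field(default_factory=lambda: secrets.token_hex(8))
    revoked: bool = False

class GrantBroker:
    MAX_TTL = timedelta(minutes=30)  # assumed ceiling, so no standing access

    def __init__(self):
        self.grants, self.audit = {}, []

    def issue(self, agent_id, owner, on_behalf_of, purpose, scopes, ttl, now):
        if not owner or not purpose:
            raise ValueError("grant needs an accountable owner and a purpose")
        if not timedelta(0) < ttl <= self.MAX_TTL:
            raise ValueError("ttl must be positive and at most MAX_TTL")
        g = Grant(agent_id, owner, on_behalf_of, purpose, frozenset(scopes), now + ttl)
        self.grants[g.grant_id] = g
        return g

    def revoke(self, grant_id):  # revocation is an identity event of its own
        self.grants[grant_id].revoked = True

    def authorize(self, grant_id, agent_id, scope, now):
        """Deny by default and record every decision in the audit trail."""
        g = self.grants.get(grant_id)
        if g is None or g.agent_id != agent_id:
            g, decision = None, "unknown_grant"
        elif g.revoked:
            decision = "revoked"
        elif now >= g.expires_at:
            decision = "expired"
        elif scope not in g.scopes:
            decision = "out_of_scope"
        else:
            decision = "ok"
        self.audit.append({"ts": now.isoformat(), "agent": agent_id, "grant": grant_id,
                           "scope": scope, "decision": decision, "owner": g and g.owner,
                           "on_behalf_of": g and g.on_behalf_of})
        return decision == "ok"
```

Denied decisions are logged alongside allowed ones, so an out-of-scope request leaves evidence even though it never reaches the target system.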

Layered guardrails for agent behaviour

Identity controls alone do not solve agent risk because an agent can still misuse permitted access. Layered guardrails combine permissions, data-level controls, policy sanitisation, and behavioural analytics so the identity layer is not carrying all the burden. This is especially important when agents operate across SaaS, cloud, and internal workflows, where one action can trigger another without a human in the loop. The technical challenge is not simply whether the agent is authenticated. It is whether the agent’s delegated path is bounded enough to prevent scope drift, accidental disclosure, or repeated action chains.

Practical implication: pair identity governance with behavioural detection and data restrictions, especially for agents that can chain actions across systems.


Threat narrative

Attacker objective: The attacker wants to turn a compromised non-human identity into trusted access that can control, redirect, or observe AI-enabled workflows.

  1. Entry occurs when an attacker gains use of a compromised NHI, such as an exposed API key or token, and leverages it to reach an AI workload or agent-adjacent control surface.
  2. Escalation follows when that identity is trusted enough to move from a single connected service into broader delegated access, including tool calls, data access, or orchestration permissions.
  3. Impact appears when the compromised identity is used to hijack agent behaviour, exfiltrate data, or trigger unauthorised downstream actions that look legitimate to normal IAM controls.



NHI Mgmt Group analysis

Agentic identities collapse the old separation between IAM and AI governance. If an AI agent can perceive, decide, and act across multiple tools, identity is no longer just an authentication layer. It becomes the operating boundary for delegated autonomy, which means access governance, audit, and behavioural controls now sit in the same control plane. The practitioner conclusion is straightforward: agent identity programs cannot be bolted onto existing NHI hygiene without changing the operating model.

Least privilege was designed for principals whose intent is known at provisioning time. That assumption fails when the actor is autonomous because access needs can be selected and recombined at runtime. The implication is not merely tighter permissions. It is a different governance premise, one where static entitlement design no longer captures actual behaviour and where review cycles can arrive after the meaningful access decision has already happened.

JIT access for agents is becoming a governance requirement, not a feature choice. The Radar’s near-term horizon and broad mass signal that organisations will need to limit standing permissions for agents before those permissions become normalised. This is where OWASP-NHI and zero-trust thinking converge: agents should not accumulate durable access simply because they are useful. The practitioner conclusion is to treat standing agent privilege as an architectural defect, not an operational convenience.

Agentic identity is now a market signal, not a niche design pattern. When a major research firm places the category in an early-majority window, it is signalling that buyers will increasingly expect identity-first controls, lifecycle revocation, and audit-ready delegation chains. That will pressure both NHI and IAM teams to re-evaluate whether their current controls can express agent purpose, scope, and accountability clearly enough for investigations and compliance.

Scope drift is the failure mode this category exposes most clearly. Dynamic agents do not just request access, they can combine permissions in ways that were not anticipated at design time. That means the real governance gap is not simply missing controls, but the assumption that a granted scope stays stable across the life of a task. The practitioner conclusion is to measure whether your programme can detect and contain runtime scope drift before it becomes normalised behaviour.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Visibility into AI agent data access is uneven: 71% of IT teams have it, against 47% of compliance teams and 34% of executives, according to the same report.
  • For the broader threat model behind identity-first agent controls, see 52 NHI Breaches Analysis and the control patterns that recur across exposed secrets and over-provisioned access.

What this signals

Agentic identity is becoming a programme design issue, not an edge case. With 80% of organisations already reporting agent behaviour beyond intended scope according to AI Agents: The New Attack Surface report, IAM teams should assume runtime drift will surface before policy catches up. The practical signal is whether your governance process can prove who approved the scope, who owns the agent, and when that approval expires.

Identity-first control for agents is now the difference between discovery and blind spot. If 48% of organisations still cannot track and audit the data their agents access, then investigation quality and compliance evidence will both remain weak. Teams should watch for gaps in log attribution, consent lineage, and delegated authority chains because those are the places where agent programmes fail first.

JIT, revocation, and behavioural analytics need to be designed as one control system. In agentic environments, access scope and action scope are no longer separable in practice. The useful programme question is whether your current controls can shorten privilege lifetime, detect unusual tool use, and terminate trust before an agent’s delegated path expands beyond the task.


For practitioners

  • Inventory every AI agent as a governed identity: Build a register of agents, service accounts, tokens, and acting-on-behalf-of chains so each principal has an owner, purpose, and expiry. Tie this inventory to recertification and revocation workflows so no agent remains active without an accountable business context.
  • Convert standing access into task-scoped access: Use just-in-time provisioning for agents wherever possible, with short-lived scopes that expire automatically after the task or session ends. This reduces the chance that an agent accumulates persistent permissions that outlive the business need.
  • Add behaviour monitoring to identity governance: Pair access controls with behavioural analytics that can flag unusual tool use, unusual data access, or unexpected action chains. Identity alone will not reveal whether an agent has drifted beyond its intended operating scope.
  • Review delegated authority chains end to end: Trace how an agent receives authority, which tools it can call, and what downstream systems inherit its actions. This is where scope creep and hidden trust paths usually appear, especially in SaaS and cloud workflows.
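
The following Python example is added here and is not code from Astrix Security or NHI Mgmt Group. It reconciles an agent register against a tool-call log to flag missing owners, standing access, expired grants, unregistered agents, scope drift, and unused scopes; the register fields, log format, agent names, and finding labels are assumptions, and the sample data is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample register and tool-call log (JSON lines).
REGISTER = [
    {"agent_id": "invoice-bot", "owner": "team-finops",
     "scopes": ["invoices:read", "invoices:write"],
     "expires_at": "2025-10-01T00:00:00+00:00"},
    {"agent_id": "triage-bot", "owner": "", "scopes": ["tickets:read"],
     "expires_at": None},
]
CALL_LOG = [
    '{"agent": "invoice-bot", "scope": "invoices:read"}',
    '{"agent": "invoice-bot", "scope": "hr:read"}',
    '{"agent": "triage-bot", "scope": "tickets:read"}',
    '{"agent": "shadow-bot", "scope": "crm:export"}',
]

def audit_agents(register, call_log, now):
    """Return {agent_id: sorted findings} from a register and a tool-call log."""
    findings, granted, used = defaultdict(set), {}, defaultdict(set)
    for entry in register:
        aid = entry["agent_id"]
        granted[aid] = set(entry.get("scopes", []))
        if not entry.get("owner"):
            findings[aid].add("no_owner")
        expiry = entry.get("expires_at")
        if expiry is None:
            findings[aid].add("standing_access")      # no expiry at all
        elif datetime.fromisoformat(expiry) <= now:
            findings[aid].add("expired_grant")        # should have been revoked
    for line in call_log:
        event = json.loads(line)
        aid, scope = event["agent"], event["scope"]
        used[aid].add(scope)
        if aid not in granted:
            findings[aid].add("unregistered_agent")   # acting outside the inventory
        elif scope not in granted[aid]:
            findings[aid].add(f"scope_drift:{scope}") # used beyond what was granted
    for aid, scopes in granted.items():
        for scope in scopes - used[aid]:
            findings[aid].add(f"unused_scope:{scope}")  # candidate for removal
    return {aid: sorted(items) for aid, items in findings.items()}
```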

Key takeaways

  • Agentic identities move AI agents into the identity governance model, where ownership, audit, and scope are mandatory.
  • The adoption curve is short enough that standing privilege for agents will become a common exposure unless teams change access design now.
  • Practitioners should combine JIT access, lifecycle revocation, and behavioural monitoring to control delegated autonomy at runtime.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Agent identities need lifecycle control and short-lived access. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Agent access must be continuously verified and constrained. |
| NIST CSF 2.0 | GV.OV-01 | Governance and oversight are central for AI agent accountability. |

Establish ownership, monitoring, and review for every agent identity under CSF governance processes.


Key terms

  • Agentic identity: An agentic identity is the governed identity assigned to an AI agent so its actions can be authorised, logged, and revoked. It is more than a login. It is the control point that ties delegated autonomy to accountability, scope, and evidence across systems and workflows.
  • Acting-on-behalf-of chain: An acting-on-behalf-of chain is the sequence of identities and delegated permissions that lets one principal act through another. For AI agents, this chain matters because it determines who is actually responsible when access is reused, expanded, or misapplied during runtime execution.
  • Scope drift: Scope drift is the gap between the access an identity was meant to have and the access it actually uses over time. In agentic environments, scope drift can happen within a task session, so it is both a governance problem and a detection problem.
  • Just-in-time access: Just-in-time access is a model where privileges are granted only when needed and removed as soon as the task ends. For AI agents, the control is especially valuable because it reduces standing privilege, narrows exposure, and makes delegated actions easier to audit.

What's in the full article

Astrix Security's full research covers the operational detail this post intentionally leaves for the source:

  • Continuous discovery of agents, service accounts, tokens, and effective permissions across SaaS, IaaS, and internal systems
  • Delegation guardrails covering scope, time-boxing, segregation of duties, and acting-on-behalf-of chains
  • Behavioral analytics patterns for identifying agent drift, unusual tool use, and policy bypass
  • Implementation detail on how the vendor frames identity-first security for agentic identities
