TL;DR: As enterprises deploy more AI agents, the central choice is shifting from runtime threat detection to the identity and authorization controls that keep agents inside intended bounds, according to WorkOS. For IAM teams, the real question is whether security is being bolted on after action or enforced before access is granted.
At a glance
What this is: This is a comparison of two agentic security approaches, with the core finding that authentication and fine-grained authorization are the foundation, while runtime detection is only one layer.
Why it matters: It matters because AI agents expand identity scope across NHI, autonomous, and human-linked workflows, and practitioners need controls that govern access before agent behaviour creates exposure.
By the numbers:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
👉 Read WorkOS's analysis of agentic security platform trade-offs and AI agent authorization
Context
Agentic security is no longer just about spotting suspicious model behaviour after it happens. The governance problem is how AI agents get authenticated, authorised, and constrained before they can act across enterprise systems, especially when those agents are tied to user workflows and sensitive data access.
This article compares runtime threat detection with foundational access control, using the acquisition of Aim Security by Cato Networks as context for a wider market shift. The practical issue for IAM, PAM, and NHI teams is whether they want a platform that watches behaviour or one that prevents overreach at the identity layer from the outset.
Key questions
Q: How should security teams govern AI agents that act on behalf of users?
A: Security teams should bind each AI agent to explicit identity, role, and resource scope so the agent cannot inherit broad application privileges. The goal is to make access decisions before the agent acts, not after behaviour has already occurred. That means treating the agent like a governed identity, with narrow authorization and auditable boundaries.
Q: Why do AI agents complicate traditional access control models?
A: AI agents complicate access control because the same workflow may operate across multiple users, tenants, and data domains in a single session. Traditional models often assume a stable subject and a predictable request path, but agents can vary context dynamically. That makes coarse permissions too broad for production use and weakens audit reliability.
Q: What breaks when runtime detection is the main control for AI agent security?
A: What breaks is the assumption that access should be acceptable until suspicious behaviour appears. Runtime detection can flag misuse, but it cannot prevent an agent from reaching a resource it was never supposed to access. If the identity and authorization layers are too broad, the blast radius is already baked in.
Q: Who is accountable when an AI agent exceeds its intended access scope?
A: Accountability should sit with the team that defined the agent's identity, authorization model, and operational boundaries, not with the runtime alerting layer alone. Governance frameworks such as NIST AI Risk Management Framework and zero trust thinking both point to pre-activity control ownership. The key is to establish clear ownership before deployment.
Technical breakdown
Runtime detection in agentic security platforms
Runtime detection tools inspect agent behaviour as it unfolds, looking for suspicious tool use, prompt abuse, or policy violations. In practice, this is a behavioural layer sitting above the identity plane. It can help spot anomalous actions, but it does not solve the root question of whether the agent should have been able to authenticate, obtain the token, or access the resource in the first place. That distinction matters because once an agent has valid privileges, detection is reacting to a path already opened.
Practical implication: treat runtime detection as containment support, not as a substitute for access control.
Authentication and authorization for AI agents
Authentication verifies who or what the agent is, while authorization determines what that identity can do. For AI agents, this must be fine grained because the same application may act on behalf of different users, different tenants, or different business roles. Enterprise-grade controls need to bind identity, context, and permission scope so the agent cannot simply inherit broad application access. Without that boundary, the system becomes vulnerable to over-permissioning even when the login flow itself is secure.
Practical implication: define agent permissions at the resource and role level before shipping any production workflow.
Platform consolidation and control-plane dependency
When a specialist security capability is folded into a broader platform, the technical question changes from feature availability to control-plane dependency. Teams may gain integrated monitoring, but they also inherit the parent platform's deployment model, policy boundaries, and roadmap priorities. For identity security, that can complicate selective adoption because authentication, authorization, and detection are no longer independently decoupled. The architectural trade-off is less about innovation and more about whether the security control can remain portable across the stack.
Practical implication: evaluate whether your agentic security control can be adopted without forcing a broader platform dependency.
Threat narrative
Attacker objective: The attacker objective is to abuse legitimate agent access to reach data or tools that were never meant to be available to that workflow.
- Entry occurs when an AI agent is granted valid enterprise access through authentication that is broader than the specific task requires.
- Escalation follows when the agent inherits or accumulates permission to reach multiple systems, data sets, or tools beyond the intended workflow.
- Impact emerges when overbroad agent access enables data exposure, unauthorized actions, or cross-system misuse before runtime detection can intervene.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic security is really an identity architecture problem, not a monitoring problem. Behavioural guardrails matter, but they sit too far downstream to define safe access. If an AI agent can authenticate too broadly or inherit permissions that exceed task scope, runtime detection is already behind the failure.
Fine-grained authorization becomes the decisive control once agents act on behalf of users. The same application may need to respect tenant, role, and object-level boundaries in a single session. That makes coarse application-level access structurally inadequate for production AI workflows, especially where data governance and auditability matter.
Control-plane portability is now part of the security evaluation. When a niche agentic security capability is absorbed into a larger platform, practitioners should re-evaluate whether they are buying a control or accepting a broader dependency. The issue is not vendor value, but whether identity enforcement remains separable from the rest of the stack.
Runtime threat detection cannot compensate for over-privileged non-human identities. A system that discovers suspicious behaviour after the fact still assumes the access path was acceptable to begin with. For IAM and PAM teams, that exposes a familiar lesson: prevention belongs at authentication and authorization, not only in post hoc monitoring.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- Forward pivot: For the broader control problem, compare that with OWASP Agentic AI Top 10 guidance on the identity and privilege risks that emerge once agents start acting independently.
What this signals
Control-plane choice now matters as much as control content. If agentic security is bundled into a larger platform, teams need to decide whether they are buying prevention, detection, or both, and whether those controls can be governed independently across IAM, PAM, and NHI programmes. The architectural risk is not just lock-in, but diluted accountability across multiple security layers.
With 92% of organisations saying AI agent governance is critical but only 44% having policies in place, the gap is no longer theoretical. That gap means most teams are still relying on ad hoc controls while production agents move into sensitive workflows. OWASP Agentic AI Top 10 is the right baseline for deciding which risk class should be addressed first.
Fine-grained authorization must become the default design assumption for agentic systems. The concept we would name here is agent identity blast radius: the amount of data and system reach an AI agent can touch if its permissions are too broad. Once that radius is large, runtime monitoring becomes a detection aid, not a governance strategy.
For practitioners
- Map agent identities to explicit task scopes Document which workflows are acting as users, which are acting as service identities, and which resources each one may reach. Use that map to remove inherited broad access from production AI flows and keep permission scope tied to the minimum resource set required.
- Separate prevention from detection in your control design Use runtime monitoring for alerting and containment, but require pre-approval of identity, token scope, and object-level permissions before an agent can touch sensitive systems. This keeps detection from becoming the only thing standing between the agent and overreach.
- Test whether your authorisation model survives user-on-behalf-of workflows Run access tests where the same AI agent acts for different users, tenants, or business units, and verify that permissions do not drift upward across sessions. The relevant failure mode is not login weakness, but excessive access inherited from the application layer.
- Evaluate platform dependency before adopting integrated controls Check whether agentic security features can be deployed independently or only as part of a wider security stack. If adoption forces a broader platform commitment, make sure the security architecture still supports portability, audit separation, and future migration.
Key takeaways
- The core issue is not whether agentic security watches behaviour well, but whether the identity model prevents overreach before the first action occurs.
- SailPoint's survey data shows that adoption is racing ahead of governance, with 80% of current deployments already showing rogue behaviour.
- Practitioners should separate detection from authorization, then test whether their AI agent permissions remain narrow across users, tenants, and workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent behaviour and tool access are central to this comparison. | |
| NIST AI RMF | AI governance framing fits the decision to separate prevention and detection. | |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege and continuous verification are directly relevant to agent access scope. |
Use agentic application controls to limit tool reach and constrain identity-driven misuse.
Key terms
- Agent Identity: An agent identity is the governed digital identity assigned to an AI system that can act on behalf of a person or service. It needs explicit authentication, bounded authorisation, and auditability because the agent may initiate actions across tools and data sources without a human present.
- Fine-Grained Authorization: Fine-grained authorization limits access at the level of resource, role, tenant, or action rather than giving broad application rights. For AI agents, it is the control that keeps a task-specific workflow from inheriting more access than the job actually requires.
- Runtime Detection: Runtime detection is the practice of monitoring behaviour while a system is operating so suspicious actions can be flagged or contained. It is useful for visibility, but it does not replace preventive identity controls because it reacts after the access path has already been used.
- Identity Blast Radius: Identity blast radius describes the amount of data, systems, and permissions an identity can reach if its access model is too broad. For AI agents and other non-human identities, reducing blast radius is central to limiting the damage caused by misuse, compromise, or scope drift.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing identity security capability, it is worth exploring.
This post draws on content published by WorkOS: Aim Security vs WorkOS: Choosing the Right Agentic Security Platform. Read the original.
Published by the NHIMG editorial team on 2025-11-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
