By NHI Mgmt Group Editorial Team
Published 2025-08-07
Domain: Agentic AI & NHIs
Source: 1Password

TL;DR: AI systems can act on behalf of users, access sensitive data across tools, and make decisions without oversight, according to 1Password’s analysis of secure AI principles. The governance problem is not just credential exposure, but the assumption that access decisions remain deterministic and reviewable once agents are involved.


At a glance

What this is: 1Password argues that AI agent access must preserve secret handling, deterministic authorization, and auditability as a single security model.

Why it matters: This matters because IAM, PAM, and NHI controls built for human-paced approval flows break down when AI agents can request, combine, and act on access in runtime.

👉 Read 1Password's analysis of AI agent security principles and access control


Context

AI agent access control is the discipline of deciding what an agent can see, request, and do without turning the model itself into an authorization engine. The core issue is that existing identity patterns assume access is granted through predictable, reviewable flows, while agentic systems can make runtime decisions across tools and data sources.

For IAM, PAM, and NHI teams, this creates a governance problem across credentials, approvals, and audit evidence. Security now has to account for what the agent can infer, what it can invoke, and how those actions are recorded when humans are no longer in the middle of every step.


Key questions

Q: How should security teams govern AI agent access to sensitive data?

A: Security teams should govern AI agent access with deterministic policy, narrow entitlements, and explicit approval paths. The agent can interpret intent, but it should not decide access on its own. Keep secrets outside model context, log each action with approval evidence, and expire access when the task is complete.

Q: Why do AI agents create problems for least privilege?

A: AI agents create problems for least privilege because their runtime path can change after access is granted. A human request is usually stable, but an agent may branch across tools, combine data sources, or take extra steps that were not obvious at provisioning time. That makes task-bounded controls more reliable than identity-only assumptions.

Q: What breaks when raw secrets are exposed to LLM workflows?

A: When raw secrets enter LLM workflows, they can be copied, logged, inferred, or reused across contexts that were never designed for secret custody. The result is not only leakage risk but also a weaker audit trail, because the system can no longer distinguish between model output and authorised credential use.

Q: Who should be accountable when an AI agent takes a sensitive action?

A: Accountability should sit with the team that defined the policy, the approval path, and the data boundary for the agent. If no one can explain what the agent was allowed to see, who approved the action, and how execution was recorded, the governance model is incomplete.


Technical breakdown

Deterministic authorization for AI agents

An authorization decision must be repeatable, explainable, and independent of model output. Large language models are good at interpreting intent, but they are not authorization engines because their responses can vary with context, prompting, and inference state. That makes them unsuitable for deciding whether a secret may be exposed or an action may be taken. In practice, access should be mediated by a trusted control plane that enforces fixed rules, not by a conversational interface that can be nudged or misread. This is the difference between assistance and authority.

Practical implication: separate intent interpretation from access granting and keep the approval step in a deterministic system.

Secrets must stay out of model context

Raw credentials, API keys, and tokens do not belong in prompts, embeddings, or training data because those environments are built for inference, not secret custody. Once secrets enter model context, they can be exposed through logging, retrieval, prompt injection, or accidental regeneration. Zero-knowledge handling is therefore not a cosmetic preference but a structural control boundary. The safest pattern is to let the agent request an action while the credential remains protected outside the model path, with controlled release only when policy permits.

Practical implication: keep secrets in dedicated controls and pass capabilities, not raw credentials, into AI workflows.

Auditability and minimum exposure in agentic access

Agentic systems create a new audit problem because they can chain actions quickly enough that human review arrives after the fact. Security teams need evidence of what the agent could see, what it actually accessed, and which approval path authorised the action. Least privilege still applies, but the unit of control becomes the task, the session, and the data slice, not just the identity object. That requires narrow entitlements, traceable delegation, and logs that explain both access and decision context.

Practical implication: design audit trails that capture agent visibility, action scope, and the approval context in one record.


Threat narrative

Attacker objective: Use agentic access to reach sensitive data or actions while bypassing the review and attribution assumptions of conventional IAM.

  1. Entry occurs when an AI agent is granted access to tools or data sources through a normal user workflow, creating a legitimate starting point rather than a classic intrusion.
  2. Escalation happens when the agent combines prompts, credentials, or connected services to reach more data or actions than the original request implied.
  3. Impact follows when the agent executes sensitive actions or exposes secrets without clear human review, leaving the organisation with weak attribution and an expanded blast radius.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Authorization is no longer a human-only governance problem: AI agents can interpret intent and act across systems, which means the security boundary is now the decision path itself, not just the identity that started it. Rule-based access flows remain valid only if the agent is prevented from becoming the decision-maker. Practitioners should treat authorization as a separable control plane, not a capability embedded inside the model.

Secrets stay secret is the right control premise for agentic systems: Raw credentials were always a high-risk asset, but agentic workflows raise the cost of leakage because the model can copy, surface, or misuse them across many tools in a single interaction. The point is not merely to rotate secrets faster. The point is that model context is the wrong place to store them at all, and that is a governance boundary IAM teams should defend.

Auditability becomes a chain-of-custody problem, not a logging checkbox: When an agent can see, request, and execute actions in the same flow, basic event logs do not explain why access was granted or how far the agent could go. That weakens accountability across IAM, PAM, and NHI governance. The practical conclusion is that evidence must bind visibility, approval, and execution into one traceable record.

Least privilege for agents requires task-bounded access, not identity-bounded assumptions: Traditional entitlement thinking assumes the identity is stable and the request is known in advance. Agentic behaviour breaks that assumption because the runtime path can change after initial authorization. Security teams should therefore rethink least privilege as a dynamic boundary around task scope, not a static property of the principal.

Runtime governance gap: Existing identity controls were designed for access that persists long enough to be reviewed, certified, and revoked. That assumption fails when an AI agent can acquire context, act, and terminate a workflow before any human governance cycle catches up. The implication is that practitioners must re-evaluate how much of their current access model depends on human-paced decision loops.

What this signals

Secret custody is becoming a board-level control issue, not just an engineering hygiene problem. When 27-day remediation windows coexist with AI systems that can move faster than review cycles, the practical risk is that exposure can persist long enough to be exploited before teams even agree on ownership. That is why secret handling and agent governance now have to be designed together, not in separate programmes.

Access governance will increasingly be measured by what an agent can reach without human intervention. Organisations that already track NHI security capability maturity should expect those same controls to be tested by autonomous-style access paths inside AI workflows. The programme signal is simple: if the approval trail cannot explain an agent action, the governance boundary has failed.

AI agent governance will push IAM teams toward policy-linked evidence rather than policy statements alone. Static principles are not enough when access can be requested, granted, and consumed in one session. Teams should prepare for controls that prove what was visible, what was authorised, and what was executed, especially where the Ultimate Guide to NHIs already frames visibility and least privilege as core discipline.


For practitioners

  • Define deterministic approval paths: Route every agent request through a fixed policy engine that produces the same allow or deny outcome for the same input, and keep that decision outside the model conversation.
  • Keep raw secrets out of model context: Store API keys, tokens, and other secrets in dedicated vault controls and expose only scoped capabilities or ephemeral references to the agent.
  • Bind agent actions to auditable approval records: Log what the agent could access, what it actually used, and which user or system authorised the action in a single traceable record.
  • Scope access to the task, not the model: Limit AI agent entitlements to the smallest data set and tool set needed for the immediate job, then expire those grants when the task ends.
  • Review where human review is assumed: Map identity workflows that depend on people slowing the process down, then redesign those points for systems that may move faster than certification cycles.
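As an added example (not 1Password's or NHI Mgmt Group's code), the following Python sketch puts the three principles from the Technical breakdown and the practitioner checklist above into one small control plane: a fixed-rule policy function makes the decision, the agent receives only an ephemeral capability handle while the credential stays in a constructed in-memory vault, and every request produces one audit record binding intent, approval context and execution. Names such as Grant, request_capability, execute and the crm-api-key vault entry are assumptions made for illustration.

```python
import secrets
from collections import namedtuple

# Constructed sample vault; raw values never leave the control plane in this module.
VAULT = {"crm-api-key": "sk-constructed-example-0001"}
CAPABILITIES = {}   # ephemeral handle -> secret name, single use
AUDIT_LOG = []      # one record per request, binding visibility, approval and execution

# Task-bounded entitlement: what one task may touch, who approved it, and until when.
Grant = namedtuple("Grant", "task_id tool scope approved_by expires_at")

def decide(grant, tool, scope, secret_name, now):
    """Fixed-rule policy: identical inputs always yield the identical allow/deny and reason."""
    if now >= grant.expires_at:
        return False, "grant expired"
    if tool != grant.tool:
        return False, "tool outside task scope"
    if scope != grant.scope:
        return False, "data slice outside task scope"
    if secret_name not in VAULT:
        return False, "unknown secret"
    return True, "matches task-bounded grant"

def request_capability(grant, agent_intent, tool, scope, secret_name, now):
    """Agent states intent; policy decides; on allow a one-time handle is minted.
    The returned record is all the agent sees, and it never carries the raw secret."""
    allowed, reason = decide(grant, tool, scope, secret_name, now)
    handle = None
    if allowed:
        handle = "cap_" + secrets.token_hex(8)
        CAPABILITIES[handle] = secret_name
    record = {
        "task_id": grant.task_id, "agent_intent": agent_intent,   # visibility
        "requested": {"tool": tool, "scope": scope},
        "decision": "allow" if allowed else "deny", "reason": reason,
        "approved_by": grant.approved_by,                         # approval context
        "capability": handle, "executed": False, "ts": now,       # execution
    }
    AUDIT_LOG.append(record)
    return record

def execute(record, tool_call):
    """Executor redeems the handle inside the control plane: the credential is injected
    into trusted code, never into the model, and the same audit record is updated."""
    name = CAPABILITIES.pop(record["capability"], None)   # single use: a second call is denied
    if name is None:
        return None
    record["executed"] = True
    return tool_call(VAULT[name])
```

The check a reviewer should run against such a design is that the record handed back to the agent never contains the vault value, and that the same grant, tool, scope and time always produce the same decision and reason.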

Key takeaways

  • AI agent access control fails when authorization is treated as conversational rather than deterministic.
  • Secret exposure inside model context expands both the blast radius and the audit problem for identity teams.
  • Practitioners should redesign governance around task scope, approval evidence, and auditable delegation rather than identity alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Agentic AI Top 10          |                     | Agentic authorization and tool-use boundaries are central to this post.
OWASP Non-Human Identity Top 10  | NHI-03              | Raw secret exposure and rotation boundaries directly affect AI agent workflows.
NIST CSF 2.0                     | PR.AC-4             | Least-privilege access and authorization governance map to this control area.

Map AI agent entitlements to least-privilege policies and require auditable approval evidence for access.


Key terms

  • Deterministic Authorization: An access decision that follows fixed rules and produces the same result for the same inputs. For AI agents, this means the model may interpret intent, but a trusted control must decide whether access is granted, keeping authority separate from inference.
  • Agentic Access: Access used by an AI agent to retrieve data, invoke tools, or trigger actions on behalf of a user or system. In practice, it must be tightly scoped, logged, and time-bound because the agent can chain steps faster than human review cycles can keep up.
  • Secret Custody: The control discipline that keeps credentials, tokens, and keys protected from exposure, copying, and unintended reuse. For agentic workflows, secret custody matters because model context is not a safe place for sensitive material and can widen exposure instantly.
  • Auditability: The ability to reconstruct what happened, who or what was allowed to do it, and why it was permitted. In AI agent governance, auditability must cover visible data, approval context, and executed actions, not just a timestamped event log.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: AI security principles for trustworthy agent access. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org