By NHI Mgmt Group Editorial Team | Published 2026-02-17 | Domain: Agentic AI & NHIs | Source: Teleport

TL;DR: Teleport's 2026 Infrastructure Identity Survey found that 79% of organisations are evaluating or deploying agentic AI, while only 13% feel extremely prepared and 70% grant AI systems more access than humans for the same task. The security issue is not the model alone, but the identity and privilege assumptions attached to it.


At a glance

What this is: Teleport's survey says agentic AI is moving into infrastructure faster than security teams are ready, with access and visibility gaps driving the risk.

Why it matters: IAM and NHI practitioners need to treat AI agents as governed identities, because over-privilege, static credentials, and weak attribution turn automation into audit and incident exposure.

By the numbers:



Context

Agentic AI is now acting like an infrastructure identity, not just a planning aid. It can make changes, access data, and trigger workflows, which means the old assumption that software only recommends actions no longer holds. For IAM and NHI governance, the problem is less about whether AI can be useful and more about whether its access is bounded, attributable, and revocable.

Teleport's survey frames this as a readiness gap: organisations are adopting agentic systems before they have the identity controls to manage them. That is a familiar pattern in NHI governance, where automation arrives faster than inventory, ownership, and review processes. For teams already dealing with service accounts and tokens, the addition of AI agents widens the same control gap rather than creating a new category of risk.


Key questions

Q: How should security teams govern AI agents that can make infrastructure changes?

A: Security teams should govern AI agents as non-human identities with explicit ownership, least privilege, and revocation paths. Each agent needs a defined task scope, approved tool set, and audit trail for every action it takes. Without those controls, the agent becomes another persistent access path rather than a managed workload.

Q: Why do AI agents create more identity risk than traditional automation?

A: AI agents create more identity risk because they can adapt their behaviour, chain tool calls, and act on context that changes from session to session. Traditional automation usually follows fixed logic, while agents make decisions that can expand their effective reach. That makes attribution, approval, and blast-radius control much more important.

Q: What is the difference between least privilege for humans and least privilege for AI agents?

A: Least privilege for humans limits what a person can do. Least privilege for AI agents must also limit which tools they can invoke, which data they can read, and whether they can act without human review. Agent privilege should be task-scoped and time-bound because autonomous execution can magnify a small permission mistake quickly.

Q: When should organisations block AI access instead of trying to govern it?

A: Organisations should block AI access when they cannot identify the owner, define the task scope, or revoke credentials quickly. If the system cannot be audited or bounded, adding more controls later will not fix the core governance gap. In that case, the safer choice is to stop the deployment until identity controls exist.


Technical breakdown

Why agentic AI behaves like a non-human identity

Agentic systems do not just produce outputs. They can authenticate, call tools, read internal data, and make changes in production environments, which makes them functionally closer to non-human identities than to passive applications. The important technical shift is execution authority. Once an AI system can chain actions across tools, its identity, permissions, and audit trail matter as much as its model quality. If the identity layer is weak, the agent inherits the same failure modes seen with service accounts, API keys, and over-scoped tokens.

Practical implication: Treat the agent as a governed identity with explicit ownership, scoped privileges, and revocation paths.

Why over-privilege is the primary failure mode

Over-privilege gives an AI system more access than the task requires, and that inflates blast radius when the system hallucinates, is manipulated, or simply acts on bad context. In infrastructure settings, that means a wrong change can move from a local mistake to a production outage or data exposure. Least privilege matters here because it limits the reachable action space, not just the permissions list. The survey's pattern is clear: access design is doing more risk work than model accuracy.

Practical implication: Design AI access around task scope, short duration, and explicit approval thresholds for higher-risk actions.

Static credentials and poor attribution create hidden agent risk

Static credentials, long-lived tokens, and shared secrets make AI agents harder to govern because they blur who or what performed an action and when. If an agent uses persistent credentials, security teams lose the ability to tie behaviour to a specific identity session or access window. That creates a governance problem for audit, response, and offboarding. In practice, secretless or short-lived authentication reduces hidden persistence and makes autonomous behaviour visible enough to govern.

Practical implication: Replace persistent credentials with short-lived, attributable access wherever AI systems can act on infrastructure.


Threat narrative

Attacker objective: The attacker seeks to turn AI execution authority into unchecked infrastructure change or secret exposure.

  1. Entry occurs when an AI agent is granted broad infrastructure access through static credentials or an over-scoped role.
  2. Escalation happens when the agent can chain tool calls, read internal data, and modify production systems without continuous review.
  3. Impact follows when a confidently wrong or manipulated action reaches production and causes outage, exposure, or unauthorized change.



NHI Mgmt Group analysis

AI agents should be governed as identities with execution authority, not as enhanced applications. The survey data reinforces a structural point that NHI teams already know from service accounts and API keys: the risk sits in the permission model, not the interface. Once autonomous systems can act, identity ownership, approval, and revocation become first-class security controls. Practitioners should stop treating agentic AI as an application feature and start treating it as an access-bearing actor.

Ephemeral credential trust debt is now a real governance problem. AI environments often accumulate short-lived use cases on top of long-lived credentials, and that mismatch creates a debt profile that audit teams rarely see until something fails. The issue is not only rotation speed, but whether the organisation can prove which identity was allowed to do what at a given moment. Teams should measure that debt explicitly and reduce it before agentic use expands further.

Least privilege is now the decisive control for agentic AI security. Teleport's findings show that broad access is more common than readiness, which means the most practical control is still the oldest one. The difference is that least privilege now has to account for autonomous decision paths, not just human requests. Security leaders should make agentic access reviews part of IAM and NHI governance, not a separate AI initiative.

Confidence is not a control signal, and overconfidence is a warning sign. Organisations that feel most mature about AI may be the ones most likely to have allowed complex workflows to outrun governance. That is a familiar anti-pattern in identity programmes, where adoption success can mask missing inventory, missing attribution, and missing revocation discipline. Practitioners should validate controls by evidence, not by deployment enthusiasm.

From our research:

  • Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • For a broader control model, see OWASP Agentic AI Top 10 for the identity, tool-use, and autonomy risks that overlap with NHI governance.

What this signals

Ephemeral credential trust debt: organisations that let AI agents sit on top of persistent access will accumulate hidden risk faster than they can document it. With 67% of organisations still relying heavily on static credentials, per the 2026 Infrastructure Identity Survey, the control problem is no longer theoretical. Identity teams should measure how much agent access is still tied to durable secrets and treat that as governance debt.

The operational signal for practitioners is straightforward. AI agent onboarding now needs the same discipline as workload identity programmes, including ownership, scope review, and offboarding. The more autonomous the workflow becomes, the more important it is to connect access decisions to change management and incident response.

Security leaders should also align AI access decisions with NIST AI Risk Management Framework governance expectations and with the identity principles used in the Ultimate Guide to NHIs. That combination helps teams move from experimentation to repeatable control design.


For practitioners

  • Inventory all AI agents and their identities: Record every autonomous system that can authenticate, call tools, or make infrastructure changes. Include owner, approval path, credential type, and the systems each agent can reach so the inventory is usable for access review and offboarding.
  • Replace static credentials with short-lived access: Move AI systems away from passwords, shared secrets, and long-lived tokens where possible. Use short-lived certificates or equivalent ephemeral credentials so each session is attributable and easier to revoke when behaviour changes.
  • Scope privileges to task boundaries: Grant the minimum tool, data, and action set needed for a specific workflow, then segment higher-risk actions behind human approval or separate controls. Recheck scope whenever the agent's use case changes.
  • Add auditability for every autonomous action: Log the identity, time, input context, tool call, and resulting change for each agent action. Make those logs searchable by identity so incident response can distinguish human activity from machine activity.
  • Review agent access on a fixed cadence: Tie AI access reviews to change management and offboarding. If the agent no longer needs a system, revoke it immediately rather than leaving dormant permissions in place.
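
The scoping, short-lived access, and audit items above can be enforced at one point: a gate that every agent tool call passes through. The following is an added example, not code from Teleport or the survey; `AgentGrant`, `authorize`, `actions_by`, and the tool names are hypothetical, and the sample grant is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical names throughout; constructed for illustration.
@dataclass(frozen=True)
class AgentGrant:
    agent_id: str              # the agent's own identity, never a shared account
    owner: str                 # accountable human or team
    task: str                  # the workflow this grant was issued for
    tools: frozenset           # tools the task needs, nothing more
    needs_approval: frozenset  # higher-risk tools gated behind human review
    expires_at: datetime       # short-lived: the grant ends with the task window
    revoked: bool = False

AUDIT_LOG = []  # stand-in for an append-only, identity-searchable store

def authorize(grant, tool, context, now, approved_by=None):
    """Decide one tool call and record identity, time, context, tool and outcome."""
    if grant.revoked:
        decision, reason = "deny", "grant revoked"
    elif not grant.owner:
        decision, reason = "deny", "no accountable owner"
    elif now >= grant.expires_at:
        decision, reason = "deny", "grant expired"
    elif tool not in grant.tools:
        decision, reason = "deny", "tool outside task scope"
    elif tool in grant.needs_approval and not approved_by:
        decision, reason = "deny", "human approval required"
    else:
        decision, reason = "allow", "within scope"
    # Denials are logged too, so attempted out-of-scope actions stay visible.
    AUDIT_LOG.append({"time": now.isoformat(), "agent": grant.agent_id,
                      "owner": grant.owner, "task": grant.task, "tool": tool,
                      "context": context, "approved_by": approved_by,
                      "decision": decision, "reason": reason})
    return decision == "allow", reason

def actions_by(agent_id):
    """Audit query: every decision attributed to one agent identity."""
    return [e for e in AUDIT_LOG if e["agent"] == agent_id]

# Constructed sample: a 15-minute grant for a log-triage task.
ISSUED = datetime(2026, 2, 17, 9, 0, tzinfo=timezone.utc)
GRANT = AgentGrant("agent-triage-01", "sre-team", "log-triage",
                   frozenset({"read_logs", "restart_service"}),
                   frozenset({"restart_service"}),
                   ISSUED + timedelta(minutes=15))
```

Because the grant carries its own expiry and owner, offboarding an agent means letting the grant lapse or setting `revoked`, with no durable secret left behind to rotate.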

Key takeaways

  • Agentic AI turns identity from a supporting control into the main security boundary.
  • The survey shows a large readiness gap between adoption and governance, especially where access is over-scoped.
  • Practitioners should prioritise ownership, least privilege, and short-lived credentials before expanding AI autonomy.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Agent autonomy, tool use, and identity abuse are central to this article.
NIST AI RMF | | AI governance, accountability, and risk monitoring fit the article's identity concerns.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access review are direct controls for AI agent identities.

Apply PR.AC-4 to scope, review, and revoke AI agent access like any other privileged identity.


Key terms

  • Agentic AI: Agentic AI is software that can decide, act, and use tools with some execution authority rather than only generating text or recommendations. In identity terms, it behaves like a non-human actor that needs ownership, scoped access, monitoring, and revocation like any other privileged system.
  • Non-Human Identity: A non-human identity is any machine, workload, token, service account, or agent that authenticates and performs actions without a person directly doing the work. These identities often outnumber humans and can create larger blast-radius risk when privileges, ownership, or lifecycle controls are weak.
  • Ephemeral Credential: An ephemeral credential is a short-lived secret or certificate issued for a specific task or session. It reduces standing exposure by limiting how long access remains valid, but it still requires strong identity binding, logging, and revocation so autonomous systems can be governed reliably.
  • Privilege Scope: Privilege scope is the set of actions, data, and tools an identity is allowed to use. For AI agents, scope must be defined around the task and the acceptable blast radius, because broad or persistent privileges can turn a small mistake into a production-level incident.

What's in the full report

Teleport's full blog post covers the operational detail this post intentionally leaves for the source:

  • Industry breakdowns of AI incident rates and confidence levels that help benchmark your own environment.
  • The specific relationship between static credentials and reported AI-related incidents across survey respondents.
  • Teleport's Agentic Identity Framework and the identity primitives it uses for tool access and auditability.
  • The survey framing and methodology behind the 2026 Infrastructure Identity Survey results.

