AI agent attacks expose the limits of standing access controls

At a glance

What this is: This analysis examines how autonomous AI-driven attacks are exposing the weaknesses of static access control models in enterprise environments.

Why it matters: For IAM and NHI practitioners, the key issue is that machine-speed abuse can outpace human review, making standing privilege a direct operational risk.

By the numbers:

• Anthropic states that GTG-1002 used AI to perform 80-90% of the campaign, with human intervention required only sporadically.

👉 Read SGNL's analysis of autonomous AI attacks and continuous identity

Context

AI agent governance is becoming an access-control problem, not just an AI safety problem. When an autonomous system can request tools, probe internal services, and escalate actions faster than humans can intervene, standing privileges and static policy checks stop being adequate guardrails for NHI governance.

The source article frames this through a state-sponsored campaign and a vendor response, but the broader issue is category-wide: AI agents can behave like non-human identities with execution authority. That creates a governance gap across identity lifecycle, authorization, and session revocation, and it is typical for immature environments to discover the gap only after abuse is underway.

Key questions

Q: How should security teams govern AI agents that have access to internal tools?

A: Treat AI agents as non-human identities with explicit ownership, bounded scope, and short-lived access. Put authorization around each tool call, not just initial login, and require a revocation path that can terminate sessions automatically when behaviour changes. This reduces the chance that a compromised agent can continue operating after its purpose has ended.

Q: When does just-in-time access become necessary for NHI governance?

A: Just-in-time access becomes necessary when persistent credentials can be reused faster than humans can review them. If a workload, agent, or service account can reach sensitive systems only occasionally, granting access on demand lowers standing privilege and limits the blast radius of compromise. It is most useful for high-risk administrative paths.

Q: What is the difference between static access control and continuous access evaluation?

A: Static access control checks whether a principal was allowed in at the start of a session. Continuous access evaluation reassesses whether that access should still exist as context changes. For NHI governance, the difference matters because an agent can remain technically authenticated while its behaviour has already become unsafe.

Q: Why do AI agents create more risk than ordinary service accounts?

A: AI agents can make decisions, call tools, and chain actions without waiting for a human at each step. That increases the pace and variability of access use, which makes misuse harder to detect through periodic review alone. They need the same identity controls as other NHIs, plus tighter runtime policy and auditability.

Technical breakdown

Why standing privilege fails against autonomous agents

Standing privilege means credentials, tokens, or roles remain usable until someone revokes them. That model assumes access is safe between periodic reviews, but autonomous agents change the threat equation because they can test, chain, and reuse access at machine speed. A token that is harmless in a quarterly access review can become an active foothold in minutes once an agent starts probing internal systems. The core weakness is not authentication alone. It is the gap between identity issuance and real-time authorization, especially when the requester is a software actor with persistent execution rights.

Practical implication: Move from persistent access to task-scoped entitlement reviews for every high-risk NHI path.

How MCP changes the access path for AI agents

Model Context Protocol, or MCP, connects agents to tools and data sources through structured requests. That makes it easier for an agent to act, but it also creates a new governance surface because the decision to allow a tool call can be separated from the original login event. In practice, that means the control point shifts from a user session to an ongoing stream of tool invocations. If authorization only happens at the start of the session, the agent can still misuse downstream APIs or services. The real issue is continuous evaluation of every request, not just initial identity proofing.

Practical implication: Treat MCP-connected tools as privileged interfaces and enforce request-level authorization.

Why machine-speed remediation must replace human-speed response

When compromise unfolds through dozens or hundreds of rapid requests, traditional incident response becomes too slow. Analysts may detect the abuse, but by then the agent has already harvested credentials, moved laterally, or completed exfiltration. That is why continuous access evaluation matters: the security stack must be able to revoke sessions, tokens, and privileges automatically when telemetry crosses a threshold. This is less about tuning alerts and more about collapsing the time between detection and enforcement. In NHI terms, the lifecycle has to include live revocation, not just issuance and review.

Practical implication: Automate session termination and privilege removal when anomalous agent activity is detected.

Threat narrative

Attacker objective: The attacker aims to use autonomous AI to rapidly expand access, collect valid credentials, and exfiltrate data before detection can interrupt the campaign.

1. Entry via AI-assisted reconnaissance and discovery of internal services and APIs exposed to the autonomous attack framework.
2. Escalation through harvested credentials, extracted authentication certificates, and repeated testing across discovered systems.
3. Impact through lateral movement and data exfiltration executed at machine speed before human responders could intervene.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Standing access is now an identity liability, not a convenience. Persistent permissions create a large and durable attack surface when software agents can act continuously. The old assumption that access can be reviewed later no longer holds when compromise can unfold in seconds. Practitioners should treat every standing entitlement as a latent NHI risk.

Continuous evaluation is becoming the control plane for agentic identity. Static approval at login does not address tool misuse, session drift, or post-authentication escalation by autonomous agents. The practical shift is toward authorization that follows each request, each tool call, and each context change. Teams that keep identity checks at the perimeter will miss the abuse path entirely.

MCP expands the governance problem by making tool access programmable. That is useful for automation, but it also lowers the barrier for agentic abuse if policy is weak or inconsistent. The field now needs a named concept for this condition: the runtime identity gap, where trust is granted once but consumed repeatedly across changing tasks. Practitioners should design for continuous decisioning, not one-time trust.

AI agents should be governed as non-human identities with bounded purpose. They are not users, but they do need identity, scope, auditability, and termination rules. Treating them as exceptions invites policy drift and blind spots in access review. The governance standard should be the same one used for other high-risk NHIs: least privilege, short-lived access, and provable revocation.

Security programmes must assume attackers will automate faster than defenders can triage. That changes the metric from detection speed alone to enforcement speed. If the control stack cannot revoke access faster than the agent can abuse it, the environment is still exposed. Practitioners should measure response in seconds, not hours, for privileged NHI activity.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• Forward look: OWASP NHI Top 10 provides the control lens teams can use to prioritise agent misuse, tool abuse, and identity drift.

What this signals

Runtime identity controls will matter more than perimeter identity checks. As agentic systems become embedded in workflows, the practical question shifts from whether an identity exists to whether its privileges can be constrained at the moment of action. Teams that still rely on broad role assignments will struggle to contain autonomous misuse across tool chains and internal APIs.

With 98% of organisations planning to deploy even more AI agents in the next 12 months, per AI Agents: The New Attack Surface report, the governance burden is rising faster than most review processes can handle. The next phase of NHI programme maturity will be about continuous enforcement, not just inventory.

Ephemeral credential trust debt: short-lived credentials still create long-lived governance obligations if teams cannot monitor how they are used. That means practitioners should prepare for tighter audit expectations, more aggressive revocation automation, and stronger alignment between IAM, SOC, and application owners.

For practitioners

• Convert standing access to task-scoped access Require justification at the moment of use for privileged NHI actions, and expire access as soon as the task ends. Map service accounts, tokens, and agent permissions to a minimal scope and short time window, then review all exceptions weekly.
• Enforce request-level controls on MCP-connected tools Place policy enforcement in front of each tool call and internal API request, not just at login. Use context such as device health, ticket status, and environment sensitivity to determine whether the agent should be allowed to proceed.
• Automate revocation when agent behaviour drifts Trigger session termination, token revocation, and privilege removal when telemetry shows anomalous request rates, unexpected destinations, or repeated credential testing. The response path should be fully automated for high-risk NHI accounts.
• Audit AI agents as part of NHI governance Inventory agents alongside service accounts and API keys, then assign owners, scopes, and expiry rules. Use The 52 NHI breaches Report to align this review with real failure patterns and the OWASP NHI Top 10 to prioritise control gaps.

Key takeaways

• Autonomous AI attacks turn standing privilege into a direct exposure path because the attacker can exploit it faster than human teams can respond.
• AI agents introduce NHI governance risk when they can use valid credentials or tools beyond the intended scope, especially in MCP-connected environments.
• Security programmes should shift from periodic access review to request-level authorization and automated revocation for high-risk agent activity.

Key terms

• Continuous Access Evaluation: Continuous access evaluation is the practice of rechecking whether a principal should still have access after the session begins. In NHI environments, it matters because tokens and service accounts can remain valid while the surrounding risk changes, so enforcement has to follow the request, not just the login.
• Zero Standing Privilege: Zero Standing Privilege means no account, token, or certificate keeps permanent access by default. Access is granted only when needed, for a specific task, and removed immediately after use. For NHIs, this reduces the blast radius of compromised credentials and limits the value of stolen secrets.
• Model Context Protocol: Model Context Protocol is an open protocol that connects AI agents to tools and data sources. It creates a structured path for agent execution, which is useful operationally but also expands the governance surface because each tool request can carry access risk and policy dependencies.
• Ephemeral Credential: An ephemeral credential is a short-lived secret, token, or certificate used for a narrow window of work. It lowers exposure time, but it does not solve governance by itself if the underlying identity, scope, and revocation controls are weak or inconsistent.

Deepen your knowledge

AI agent governance and continuous access evaluation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is dealing with autonomous tooling or standing access, it is a practical place to build the baseline.

This post draws on content published by SGNL: Autonomous AI attacks just crossed the chasm: how SGNL's Continuous Identity closes the gap. Read the original.