TL;DR: As AI agents move into production workflows, auditability now depends on both expert evaluation and identity governance, with Descope noting that 88% of identity decision-makers are using or planning to use agents but only 37% have moved beyond pilots. The harder problem is proving who the agent acted for, what it accessed, and whether those access decisions were actually authorised.
At a glance
What this is: This is a practitioner analysis of why AI agent governance now requires both model evaluation and identity controls, with a focus on audit trails, scoped access, and human oversight.
Why it matters: It matters because IAM, NHI, and governance teams must prove agent actions, not just restrict them, and that changes how access, consent, and accountability are designed across programmes.
👉 Read Descope's analysis of AI agent auditing from inception to deployment
Context
AI agent auditing fails when organisations assume a model can be governed only through testing or only through access control. The article's central point is that AI agent identity proof requires both qualified human evaluation and operational identity evidence, because agent actions in production must be attributable, scoped, and reviewable after the fact.
That matters for identity programmes because the access model for an AI agent is not the same as a human user or a static workload. When an agent can request tools, access systems, and act across organisational boundaries, teams need a control model that ties each action to a specific authority chain, not just a login event. For related guidance, see the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework.
Key questions
Q: How should security teams audit AI agents that act on behalf of users?
A: Security teams should audit AI agents with two evidence layers. First, record who or what authorised the action. Second, capture what the agent accessed, used, and changed in context. If those layers are separate, audit teams cannot prove consent, scope, or accountability when the agent touches sensitive data or crosses system boundaries.
Q: Why do AI agents complicate existing identity governance programmes?
A: AI agents complicate identity governance because they can act dynamically within a session, request tools, and cross boundaries in ways static account models do not describe well. Traditional IAM can confirm a session, but it cannot by itself prove intent, delegated authority, or whether the agent stayed inside its approved scope.
Q: What breaks when AI agent access is reviewed only after deployment?
A: What breaks is the evidence chain. If access, consent, and evaluation are added late, teams often lack the operational records needed to answer what the agent could do, what it actually did, and who approved it. That creates rework for security, legal, and compliance teams during production rollout.
Q: Who is accountable when an AI agent makes a sensitive decision?
A: Accountability should follow the approved authority chain, not the existence of the agent alone. Security and compliance teams need to know which human or policy owner authorised the action, what scope was granted, and whether the agent remained inside that scope. Without that chain, responsibility becomes hard to defend.
Technical breakdown
Why agent evaluation and identity governance must be linked
AI agent evaluation and identity governance solve different halves of the same audit problem. Evaluation checks whether the agent can make acceptable decisions in realistic scenarios, while identity governance proves what the agent was allowed to touch, on whose behalf, and under which policy. If those controls are separated, teams can end up with a well-tested agent that still cannot produce defensible evidence for regulators or internal audit. The real issue is not model confidence alone, but traceable authority across the full interaction chain.
Practical implication: build evaluation evidence and access evidence into one audit record rather than treating them as separate programmes.
Ephemeral credentials and scoped access for AI agents
AI agents often need tool access that is narrower and shorter-lived than human sessions. Static API keys and standing service account access do not fit a pattern where permissions should be granted for a task, expire automatically, and remain attributable to a specific user or tenant context. In agentic identity, the control point is not only authentication but context-aware authorisation, including step-up checks for sensitive actions. That architecture reduces standing privilege and makes post-action review possible, provided the policy engine is sufficiently granular.
Practical implication: replace persistent agent credentials with scoped, expiring authorisation paths that can be audited by task and context.
Audit trails for agentic AI need proof of authority, not just logs
A useful audit trail for AI agents has to show more than that an action occurred. It should answer what the agent accessed, what it actually used, who authorised it, and whether the request was blocked, approved, or progressively granted. That is materially different from simple event logging because compliance teams need evidence of consent and delegation, not just system activity. Once the agent crosses organisational boundaries or handles sensitive data, the audit chain becomes the evidence layer that links AI behaviour to identity governance.
Practical implication: design audit records to capture delegated authority, approval state, and access scope for every sensitive agent action.
NHI Mgmt Group analysis
AI agent governance breaks when organisations treat evaluation and identity as separate problems. The article shows that good model testing is not enough if the agent cannot later prove what it accessed, on whose behalf, and under what authority. That splits the assurance model into two blind spots, one for behaviour quality and one for access legitimacy. Practitioners should treat auditability as a chain of custody problem across both training and production.
Agentic identity is forcing the industry to rethink what a valid access event looks like. A static login event is no longer enough when an AI agent can request tools, cross systems, and act within a session that is both dynamic and context dependent. The useful control plane is therefore not just authentication or authorisation in isolation, but the coupling of consent, scope, and expiration into one evidence trail. That is the new baseline for defensible identity governance.
Context-aware access is the right named concept for this shift. It describes the move from generic permissioning to decisions that incorporate agent, user, tenant, MCP server, and target service context before granting access. The article points toward a governance model where the identity claim is only valid inside a specific operational frame, which is exactly what compliance teams need to reconstruct after the fact. Practitioners should assume that context, not identity alone, determines whether an AI action is defensible.
Human oversight remains necessary, but it now functions as evidence in the chain rather than a substitute for it. The strongest part of the article is the link between expert evaluation and operational identity control, because each proves a different control objective. Human reviewers validate quality and boundary conditions, while the identity layer proves whether the agent stayed inside them during execution. Security and compliance teams should stop asking which of those layers matters more and start designing for both.
The pilot-to-production gap in AI agents is an assurance gap, not a capability gap. The article's survey signal shows many organisations are moving toward agents, yet far fewer have the operational controls needed to sustain them in production. That pattern usually means governance was added after enthusiasm, which creates rework in audit, legal, and security review. Practitioners should expect deployment friction until evaluation, consent, and access evidence are engineered together from the start.
From our research:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That gap is why teams should also study OWASP Agentic AI Top 10 alongside their identity controls.
What this signals
Context-aware access is becoming the practical dividing line for AI agent programmes. As agents move from pilots to production, teams need controls that tie each action to a specific authority chain and context, not just a logged-in session. The most useful external reference point here is the OWASP Top 10 for Agentic Applications 2026, because it maps the failure modes that emerge when agent decisions, tools, and permissions are not governed together.
The governance signal is already visible in our research: 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope. That is a clear indication that access scope and evaluation scope are drifting apart, and IAM teams will need to close that gap before production use expands further.
For practitioners, the next step is to make audit evidence portable across security, compliance, and legal review. The NIST AI Risk Management Framework gives teams a common language for governance, but the control design still has to prove consent, delegation, and traceability in the agent workflow itself.
For practitioners
- Define a single audit chain for agent evaluation and access Link expert review outputs to the permissions the agent had at the moment of action, so audit teams can trace quality, authority, and scope in one record.
- Replace standing agent credentials with task-scoped access Use ephemeral credentials and policy checks that expire automatically after the task or session, especially where the agent touches sensitive systems or data.
- Require step-up approval for high-risk agent actions Add human-in-the-loop checkpoints for sensitive operations such as production database changes, regulated data access, or cross-organisational actions.
- Capture delegated authority in every agent audit trail Record whose authority was used, what context was present, what the agent accessed, and whether permissions were granted, blocked, or progressively expanded.
Key takeaways
- AI agent governance fails when evaluation quality and access authority are treated as separate control problems.
- Auditability now depends on proving delegated authority, scoped access, and post-action traceability for every sensitive agent interaction.
- Teams that delay identity controls until after deployment usually discover that compliance evidence, not model capability, is the real production blocker.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent identity, tool access, and auditability are central to this article. | |
| NIST AI RMF | The article focuses on evaluation, oversight, and traceability for AI systems. | |
| NIST CSF 2.0 | PR.AA | Identity and access assurance underpin the article's auditability theme. |
Map agent workflows to OWASP agentic risks and require explicit controls for tool use and delegation.
Key terms
- Agentic Identity: Agentic identity is the identity model used for AI systems that can request tools, access data, and take actions in production workflows. It extends identity governance beyond login events to cover delegated authority, scoped permissions, and evidence of what the agent did on behalf of a user or system.
- Ephemeral Credentials: Ephemeral credentials are short-lived access tokens or secrets granted for a limited task or session. In AI agent environments, they reduce standing privilege and make access easier to constrain, but they only work well when the surrounding policy and audit model can prove what the agent was allowed to do.
- Delegated Authority: Delegated authority is the permission a system or person grants for another actor to act on its behalf. For AI agents, it becomes an audit and accountability problem as much as an access problem, because teams must be able to prove who authorised the action and within what scope.
- Context-Aware Authorisation: Context-aware authorisation evaluates access based on more than identity alone. It considers factors such as the agent, user, tenant, target service, and operation type so the decision reflects the situation in which the request occurs, which is critical for AI systems acting across workflows.
What's in the full article
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- The article's step-by-step view of how expert evaluation and production access controls fit into one agent lifecycle
- The specific identity provider capabilities Descope says support ephemeral credentials, policy evaluation, and step-up checks
- The survey framing around pilot-to-production friction and why many agent projects stall before rollout
- The detailed description of what a compliant audit trail needs to contain for agentic workflows
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org