TL;DR: AI agents often run with hardcoded API keys, shared service accounts, or borrowed OAuth tokens, leaving no reliable attribution or task boundary, according to Aembit. Static IAM assumptions about known identities, predictable access, and reviewable privilege break down when agents act across multiple services in one session.
At a glance
What this is: This is an analysis of why AI agent authentication patterns break traditional IAM, and the key finding is that most deployments still rely on shared or borrowed credentials with weak attribution.
Why it matters: It matters because IAM, PAM, and identity governance teams must account for non-human actors that authenticate, call tools, and complete work faster than legacy review and revocation processes can track.
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
- 17 minutes
👉 Read Aembit's analysis of AI agent authentication and delegated access
Context
AI agent authentication is the problem of proving what an agent is, what it is authorised to do, and which user or task it is acting for. Traditional IAM assumes identities are stable, access paths are predictable, and authorization decisions can be made once at sign-in; that model does not hold when a single agent session spans multiple services and tools.
The control gap is not theoretical. Agents are frequently given hardcoded keys, shared service accounts, or inherited user tokens, which makes attribution weak and revocation uncertain. For identity governance teams, the issue sits across NHI, workload identity, and delegated access, because the same failure pattern shows up wherever a non-human actor is allowed to carry standing credentials.
Key questions
Q: How should security teams authenticate AI agents without using shared credentials?
A: Security teams should authenticate AI agents with a unique workload identity for each agent instance, then verify runtime context before issuing short-lived credentials. Shared service accounts, borrowed user tokens, and embedded API keys make attribution and revocation too weak for agentic workflows. The goal is to bind access to the specific execution, not to a generic application or team account.
Q: Why do AI agents complicate least-privilege access reviews?
A: AI agents can move across several services in one task, so a static access review often captures only part of the privilege they actually used. If the credential is shared or inherited, the review also cannot tell which agent or user initiated the action. That makes per-task scoping and reliable identity attribution more important than traditional role review alone.
Q: What breaks when an AI agent inherits a user's OAuth token?
A: The main failure is that the token outlives the task and carries user-level authority into downstream calls without clear task boundaries. If the user revokes access later, investigators may still not know which agent activity depended on that token. The safer pattern is delegated identity propagation with explicit task scope and expiry.
Q: Who should own accountability when an AI agent acts on behalf of a user?
A: Accountability should sit with both the system that issued the agent identity and the business process that authorised the delegated action. Downstream services need to see the agent identity and the initiating user context together, otherwise the access decision is incomplete. That is especially important for audit, incident response, and privilege review.
Technical breakdown
Why shared credentials fail for agent authentication
Shared service accounts, embedded API keys, and passed OAuth tokens collapse attribution because the credential becomes the actor. In an agent workflow, that means multiple tasks can be executed under one identity with no reliable way to distinguish who initiated the work, which agent instance performed it, or whether the scope was still appropriate when the task finished. The result is an audit trail that can show activity, but not accountable identity. This is a classic identity governance problem, not just an access-control one, because review and revocation both depend on knowing which actor owned the action.
Practical implication: replace shared agent credentials with per-agent identity and task-scoped issuance.
What workload attestation adds before authentication
Workload attestation answers a question that human IAM does not usually ask: is this requesting workload actually the one it claims to be, running in the expected environment? For agents, that check belongs before credential issuance because a valid-looking token is not enough to establish trust. Attestation ties the authentication request to runtime context such as platform, workload, and environment, which helps separate genuine agent execution from copied credentials or misrouted requests. In practice, attestation is the control that makes agent identity verifiable rather than merely named.
Practical implication: require runtime attestation before issuing any agent credential.
How task-scoped authorization changes agent access
Agent authorization needs to be narrower than a static role because the same agent can perform very different work across a single session. Least privilege has to be evaluated per task, not just per model or per application, because a read-only research workflow and a production-modifying workflow are not equivalent. Just-in-time access fits this pattern by giving the agent only the permissions needed for that specific action and expiring them when the task ends. That shifts the control point from standing entitlements to ephemeral access decisions, which is much closer to how agentic work actually behaves.
Practical implication: use just-in-time, task-specific authorization instead of standing agent privilege.
NHI Mgmt Group analysis
Shared credentials are the wrong identity model for agentic work: agent authentication fails when the credential is treated as the actor rather than the workload instance. That breaks attribution, revocation, and incident reconstruction because the same key may be reused across agents, users, and tasks. The implication is that governance must move from credential-centric control to instance-level identity control.
Task-scoped privilege is now the baseline for non-human identity governance: a single agent can cross multiple service boundaries inside one workflow, so standing privilege overstates what the actor needs at any given moment. The right frame is not broader access management, but shrinking the access lifetime and scope to the work itself. Practitioners should treat every agent session as a discrete identity event, not a reusable account.
Blended identity is the missing link when agents act for people: the identity assumption that downstream services only need to know one authenticated principal fails when the agent is executing on behalf of a user. If user context is lost, authorization becomes incomplete and logs become misleading. The implication is that human intent and workload identity must travel together through the call chain.
Runtime attestation and workload identity are becoming inseparable: an agent that can present a credential without proving its runtime context is still too easy to clone, route, or misuse. The governance assumption that identity is established at provisioning time was designed for stable accounts, not ephemeral agents. Practitioners need to rethink review cycles, because the meaningful control point is now at issuance and execution, not after the task completes.
MCP tool access should be treated as a privileged operation boundary: every tool invocation expands the agent's effective power, often across systems the original IAM model did not anticipate. That means agent governance cannot stop at connection-time authentication. Security teams should evaluate each tool call as a policy decision with identity, context, and task scope attached.
From our research:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to The State of Secrets Sprawl 2026.
- For a deeper NHI response model, read Guide to the Secret Sprawl Challenge for the operational controls that follow discovery.
What this signals
Ephemeral trust debt: AI agents create short-lived but high-impact credential exposure, which means identity programmes need to measure how long access can remain valid after task completion. With 28.65 million new hardcoded secrets detected in public GitHub commits in 2025 alone, the operational problem is no longer whether credentials leak, but how quickly they can be revoked and re-issued before they are reused. For lifecycle and secrets governance, the control plane has to move from review after the fact to issuance and expiry at the point of use.
The next governance gap is attribution. When an agent runs under a shared account or a passed token, security teams lose the ability to answer a basic access question: who actually authorised the action? That pushes agentic identity into the same review and offboarding discipline that mature NHI programmes already apply to service accounts and API keys, but with tighter execution timing.
Practitioners should align agent governance with the logic in the Ultimate Guide to NHIs , What are Non-Human Identities and the OWASP Agentic AI Top 10, because static identity patterns do not map cleanly to tool-using systems. The more the workflow depends on delegated access, the more important it becomes to preserve both workload identity and user context across every boundary.
For practitioners
- Replace shared credentials with per-agent identity Issue each agent instance a unique, verifiable identity tied to workload context so logs and access decisions can distinguish one execution from another.
- Require runtime attestation before access issuance Verify the workload, platform, and environment before brokering any secret, token, or certificate to an agent.
- Scope access to the task, not the agent type Grant only the permissions needed for the current action and expire them when the task ends, instead of carrying broad standing access.
- Preserve user context through delegated actions When an agent acts for a person, propagate the initiating user's authorization context alongside the agent identity so downstream services can authorise correctly.
- Treat MCP calls as privileged operations Policy-check each tool invocation and log the agent identity, task context, and resource touched so incident response can reconstruct what happened.
Key takeaways
- AI agent authentication breaks down when shared credentials, borrowed tokens, or hardcoded keys become the operating model.
- The scale problem is not only exposure, but persistence, because leaked secrets often remain valid long after discovery.
- Practitioners should move toward per-agent identity, runtime attestation, and task-scoped access before agent adoption expands further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent identity and tool access are core agentic AI governance concerns. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared credentials and hardcoded keys are classic non-human identity failures. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous verification across service boundaries. |
Map agent authentication and tool calls to agentic controls before approving production use.
Key terms
- Workload Identity: A workload identity is a cryptographically verifiable identity assigned to a non-human runtime such as an application, agent, or service. It allows security controls to distinguish one execution from another and to make access decisions based on the workload's actual context rather than a shared account.
- Runtime Attestation: Runtime attestation is the process of proving that a workload is running in the expected environment and under the expected conditions before it is trusted. For AI agents, it helps ensure that credentials are issued only to a genuine execution instance, not to a copied or misdirected request.
- Blended Identity: Blended identity preserves both the agent's workload identity and the initiating user's authorization context through the call chain. It is useful when an agent acts on behalf of a person and downstream services need to know who asked for the work as well as which agent performed it.
- Task-scoped Access: Task-scoped access means permissions are granted only for the specific unit of work an actor is performing and are removed when that work ends. In agentic environments, this is more precise than standing privilege because the same agent may need different rights for different actions in the same session.
What's in the full article
Aembit's full analysis covers the operational detail this post intentionally leaves for the source:
- The full walkthrough of workload identity, attestation, and token exchange patterns for agentic systems.
- The detailed comparison of shared accounts, borrowed user tokens, and per-agent identity models in production workflows.
- The end-to-end Blended Identity flow for preserving user context alongside agent identity.
- The MCP-specific auth patterns and privileged-operation handling that implementation teams need.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org