TL;DR: AI agents can access multiple applications at machine speed, which turns small entitlement errors into large authorization risks and weakens least-privilege assumptions, according to Andromeda Security. The core problem is that access review and scoped authorization were designed for slower, human-paced identity behaviour, not autonomous execution.
At a glance
What this is: Andromeda Security examines how agentic AI changes authorization by combining NHI-style credentials with human-like, multi-application behaviour and machine-speed privilege use.
Why it matters: IAM, PAM, and NHI programmes have to govern agent behaviour, token scope, and delegated access together because a control model built for either humans or service accounts alone will miss the real risk.
👉 Read Andromeda Security's analysis of the agentic AI authorization challenge
Context
Agentic AI is an identity problem as much as an automation problem. These systems can act across multiple applications, choose actions at runtime, and exercise whatever privilege is available to them at machine speed, which means traditional least-privilege assumptions can fail quickly when the entitlement model is too broad.
The governance gap is not that AI agents are novel in every respect. It is that they combine NHI credentials with human-like breadth of access, while operating faster than the review, approval, and exception processes most IAM programmes rely on today.
Key questions
Q: How should security teams implement least privilege for AI agents?
A: Start by defining the smallest task the agent must complete, then scope credentials, data access, and administrative permissions only to that task. Do not mirror a human’s full access by default. If the agent can browse multiple systems, verify each permission separately and remove anything the workflow does not explicitly require.
Q: Why do AI agents create more authorization risk than standard NHIs?
A: Standard NHIs are usually narrow and predictable, while AI agents can traverse multiple applications, infer next steps, and use available privilege at machine speed. That makes small over-provisioning much more dangerous. The problem is not only access volume but runtime exploration across systems and the speed at which misuse can happen.
Q: What do security teams get wrong about shared AI agent identities?
A: They often treat shared identities as a convenience layer, but shared credentials blur accountability and weaken audit evidence. If multiple users can act through the same agent, investigators cannot reliably tie a change to one person. That also makes access review less meaningful because the effective actor is the shared service context, not the user.
Q: How can organisations tell if an AI agent is overstepping its intended scope?
A: Look for cross-application sequences that exceed the agent’s stated use case, such as read access followed by admin actions or data movement into systems the workflow never documented. The signal is not one unusual event in isolation. It is a repeated pattern of the agent using available privilege beyond the original intent.
Technical breakdown
Why agentic authorization is not just NHI access control
Agentic systems sit between classic service accounts and human users. They often use keys, tokens, or delegated credentials like an NHI, but their runtime behaviour is broader: they can traverse multiple apps, infer next actions, and attempt to use every permitted path to satisfy a goal. That matters because authorization is no longer a fixed mapping from identity to one narrow task. It becomes a dynamic boundary problem, especially when the agent can explore optional actions that a human would never attempt in the same time window.
Practical implication: treat agent permissions as behavioural boundaries, not static entitlements.
Delegated access versus shared agent identity
The article contrasts two patterns. In delegated access, the agent acts on behalf of a human and inherits a constrained slice of that user context. In shared agent identity, multiple users effectively ride the same credentials, which destroys individual auditability and expands blast radius. Shared identities also hide which human initiated a change, making investigations and access reviews harder. From an identity-governance perspective, this is where accountability and privilege scoping diverge most sharply.
Practical implication: avoid shared agent identities wherever individual attribution matters.
Why parallel authorization inside AI tools becomes fragile
The article warns against building a second, custom authorization layer inside the AI application itself. That approach duplicates policy logic, creates another misconfiguration surface, and often lags behind the source systems that actually own access. It also clashes with the reality that enterprises already struggle to answer a simpler question: who has access to what? For agentic AI, the better architectural lens is to keep policy decisions anchored in the identity and entitlement systems that already govern access, then constrain the agent to a tightly scoped use case.
Practical implication: align agent access with existing identity governance rather than inventing a parallel policy stack.
NHI Mgmt Group analysis
Agentic AI is a hybrid identity class, not just a faster NHI. The article makes clear that these systems borrow the credential model of NHIs while behaving more like human operators that can act across applications. That combination breaks the usual assumption that non-human identities are narrow, deterministic, and easy to scope. Practitioners should treat this as a new governance class, not a simple extension of service-account management.
Least privilege was designed for stable access patterns, and that assumption weakens under autonomous runtime behaviour. A human or service account is usually provisioned for a known task set, but an agent can discover optional actions and exercise them immediately when they appear useful. This is an assumption-collapse problem, not merely over-provisioning. The implication is that entitlement design has to account for runtime exploration, not just provisioning-time intent.
Shared agent identities erase the accountability model that IAM depends on. When several users interact with the same agent credentials, individual attribution collapses and audit evidence becomes ambiguous. That creates a governance gap for recertification, investigations, and privilege review because the effective actor is no longer the named user. Practitioners should recognise that accountability becomes system-level unless the delegation model preserves per-user traceability.
Cross-application behaviour is the real detection boundary for agentic risk. A single application may look normal while the agent as a whole is stitching together access across CRM, billing, data stores, and administrative APIs. That means single-app anomaly models are too weak on their own. Security teams need to evaluate whether identity monitoring can reconstruct multi-system sequences as one behavioural chain, because that is where misuse becomes visible.
Custom in-app authorisation logic shifts risk from access control to policy fragmentation. The article’s warning is not about one specific bug, but about the architectural cost of duplicating authorization decisions inside an AI layer. Once policy is split, every change in the source system, token model, or use case must be mirrored in the agent layer. Practitioners should see this as a control-proliferation problem that increases misconfiguration exposure.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 44% have implemented any policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security, according to the same AI Agents: The New Attack Surface report.
- That policy gap makes the case for formal agent governance stronger, which is why teams should also review OWASP Agentic AI Top 10 when designing controls for runtime decision-making and tool use.
What this signals
Runtime privilege now needs to be measured by behaviour, not entitlement count. Agentic systems can look harmless in a provisioning review and still become risky when they begin chaining actions across applications. For practitioners, the programme signal is clear: access governance, detection, and recertification have to look at what the agent did in context, not only what it was granted.
Access review cadences do not solve within-session agent misuse. When a system can discover and exercise privilege immediately, the window between grant and misuse can be shorter than the window between review cycles. That means IAM teams need telemetry that captures cross-system sequences and use cases that can be evaluated before production rollout, not only after incidents.
Agentic authorisation should be treated as a lifecycle problem as much as a control problem. Provisioning, delegation, offboarding, and exception handling all need explicit ownership because the same identity can be harmless in one workflow and over-scoped in another. Teams that already use the Ultimate Guide to NHIs for service-account governance should extend that discipline to agent behaviour without assuming the old NHI model is sufficient.
For practitioners
- Separate delegated and shared-agent patterns Map every AI agent to one of two models: delegated access on behalf of a named user, or an isolated service identity with no shared reuse. Do not allow mixed patterns inside the same workflow unless audit attribution remains intact across billing, CRM, and data access paths.
- Scope agent entitlements to the narrowest task set Review whether the agent actually needs read, write, or administrative access in each connected system. Remove any permission that exists only because the agent might infer a use case at runtime, and revalidate scope whenever the workflow expands.
- Use cross-application telemetry for detection Build monitoring around the full chain of systems the agent can touch, not isolated app alerts. Look for sequences that combine data access, administrative changes, and credential use across environments within one session, especially when the same identity spans multiple tools.
- Keep authorization decisions anchored in core identity systems Avoid reproducing policy logic inside the AI application unless there is a clear control owner and a documented reason. Use the existing IAM, PAM, and entitlement stack as the source of truth, then constrain the agent to policy-enforced boundaries rather than app-specific rules.
Key takeaways
- AI agents are not just another class of NHI. Their runtime behaviour can turn ordinary over-privilege into fast, cross-application misuse.
- The operational evidence is already clear: most organisations report AI agents acting beyond intended scope, and many still lack formal policy coverage.
- Practitioners need to govern agent identity as a delegation and lifecycle problem, with scope, attribution, and telemetry aligned to actual behaviour.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic runtime decisions and tool use are central to the article. | |
| OWASP Non-Human Identity Top 10 | NHI-04 | The article centers on scoped credentials, token handling, and privilege boundaries. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access governance are the core control themes here. |
Align agent access reviews to PR.AC-4 and verify entitlement scope across connected systems.
Key terms
- Agentic Identity: An identity used by software that can choose actions at runtime across multiple systems. In practice, it combines NHI-style credentials with more human-like planning and execution, which makes it harder to govern with static entitlement assumptions alone.
- Delegated Authorization: A model where an agent acts on behalf of a named user and inherits only the permissions needed for that user task. The critical control point is preserving traceability and limiting scope so the agent does not inherit broader privileges than the use case requires.
- Shared Agent Identity: A single set of agent credentials used by multiple people or workflows. This creates an audit problem because the real human initiator is obscured, and it expands blast radius by making one credential set the effective access path for many actions.
- Cross-Application Behaviour: A pattern where one identity moves through several systems in a single workflow or session. For agentic AI, this is a key detection signal because risk emerges from the sequence of actions across tools, not from one application event in isolation.
What's in the full article
Andromeda Security's full article covers the operational detail this post intentionally leaves for the source:
- The article lays out the delegated-authorization and shared-service-account patterns in more implementation detail.
- It includes the specific OAuth 2.1 and MCP authorization changes the vendor says are relevant to agent workflows.
- It expands the comparison between autonomous bots and human-interacting agents across billing, CRM, and database access.
- It shows how the vendor thinks cross-app behavioral analysis should replace single-app anomaly checks.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org