TL;DR: AI agents are scaling faster than many enterprises can map their underlying access, and one case study found 400 GPTs, 250+ active agents, and multiple high-risk exposures across BigQuery, Jira, and shared data sources, according to Astrix Security. The real control problem is not orchestration but identity-layer visibility, because governance cannot work when teams do not know what agents can reach.
At a glance
What this is: This case study argues that AI agent control planes fail when organisations cannot see the non-human identities, permissions, and data paths behind the agents.
Why it matters: It matters because IAM, NHI, and emerging agent governance all depend on the same control point: knowing what each agent can access before policy, monitoring, or orchestration can be enforced.
By the numbers:
- Within 1.5 months, the organisation built approximately 400 GPTs, with 240 published and the rest left in draft.
- Astrix Security found that 10% had direct API access to external systems such as BigQuery and Atlassian.
👉 Read Astrix Security's analysis of AI agent control through non-human identities
Context
AI agent control planes are often marketed as the place where governance, monitoring, and orchestration converge, but that framing misses the operational failure point. The real problem is identity visibility: if teams cannot see the API keys, OAuth tokens, service accounts, and external integrations behind an agent, they cannot reliably govern access. That is the primary control gap this article exposes for NHI and agentic AI programmes.
In the case described, internal teams and ChatGPT-connected GPTs were created quickly across a large developer population, but ownership and access paths were not clear. That combination is typical of early agent adoption: speed rises faster than governance, and the identity layer becomes the first place where control breaks down. For related background, see the Ultimate Guide to NHIs and the OWASP Agentic AI Top 10.
The implication extends beyond one vendor platform or one enterprise workflow. AI agents are not controlled by policy statements alone, and monitoring after the fact does not solve access that was never mapped in the first place. For IAM, the question is no longer whether agents exist, but whether their underlying identities are inventoryable, accountable, and enforceable.
Key questions
Q: How should security teams govern AI agents that use non-human identities?
A: They should govern the underlying non-human identities first, because the agent itself is only the execution layer. Inventory the API keys, OAuth tokens, and service accounts attached to each agent, assign ownership, and enforce approval for sensitive connections. Without that identity mapping, policy and monitoring cannot reliably constrain access.
Q: Why do AI agents complicate IAM and NHI controls?
A: AI agents complicate IAM and NHI controls because they can scale faster than entitlement review and attach to many systems through reusable credentials. The result is hidden access paths, unclear ownership, and access that persists beyond the person who created the agent. That is a governance problem, not just a tooling problem.
Q: What breaks when an AI agent is connected to production data with a shared credential?
A: The access boundary breaks because one credential can expose multiple systems and data sets beyond the intended use case. A shared credential removes attribution, makes revocation harder, and expands the blast radius if the agent is misconfigured or over-permissioned. In practice, the organisation loses the ability to prove that access stayed within scope.
Q: What should organisations do before approving more AI agents?
A: They should require ownership, inventory, and access scoping for every agent before broader rollout. That means documenting which non-human identities the agent uses, which systems it can reach, and which data sources it may touch. If those three items are not known, the organisation does not yet have enforceable governance.
Technical breakdown
Why AI agent control planes fail at the identity layer
A control plane can coordinate agents, but coordination is not authorization. AI agents execute through non-human identities such as API keys, OAuth tokens, and service accounts, which define the actual permissions boundary. If those identities are not inventoried and linked to the agent, the control plane sees activity without knowing the trust path behind it. That creates a structural gap between policy intent and effective enforcement. In practice, the missing layer is not observability alone but identity binding across the agent, its credentials, and its connected systems.
Practical implication: map every agent to the non-human identities it uses before relying on monitoring or policy enforcement.
How agent sprawl turns into access sprawl
The article shows how quickly agent creation can outpace governance, with hundreds of GPTs built in a short period and many left unpublished or broadly reachable. When access is delegated through shared credentials or loosely governed integrations, entitlement drift accumulates fast. This is classic NHI sprawl translated into agentic environments: more agents, more secrets, more hidden data paths, and more owners who assume someone else is accountable. The technical risk is not the number of agents alone, but the multiplication of unmanaged access edges.
Practical implication: treat agent creation as an access governance event, not just a development workflow.
What enforceable agent governance actually requires
Real control depends on tying discovery, ownership, and policy to the identity primitives behind each agent. That means discovering secrets, permissions, connected systems, and data sources, then using that inventory to define enforceable boundaries for what each agent may do. In NHI terms, this is closer to access governance than to simple telemetry. Without that binding, an organisation can detect risky behaviour but still cannot revoke or constrain the access that enabled it. The article’s core lesson is that a control plane without identity enforcement is only partial oversight.
Practical implication: use identity inventory and access enforcement as the control plane foundation, not as optional add-ons.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity visibility is the control plane, not a supporting feature. The article shows that monitoring and orchestration do not equal governance when the organisation cannot see which non-human identities sit behind an AI agent. Access control is defined at the identity layer, so a control plane that lacks identity binding is structurally incomplete. Practitioners should treat agent governance as NHI governance first, and agent telemetry second.
Agent sprawl becomes NHI sprawl faster than most programmes expect. Hundreds of GPTs built in weeks create a governance surface that looks like application sprawl but behaves like identity sprawl. Each agent can carry its own secrets, data paths, and overbroad scopes, which makes ownership and lifecycle tracking central rather than optional. The implication is that agent adoption changes the rate at which entitlement drift accumulates across the enterprise.
Shared credentials create identity blast radius across agent workloads. When a developer connects an agent to production data using an internal credential, the access extends beyond the intended use case and into the wrong trust boundary. That is not a monitoring failure alone; it is a named concept worth tracking as identity blast radius, where one credential choice expands exposure across multiple systems. Practitioners should focus on reducing the number of agents that can inherit broad, reusable access.
NHI governance for agents now sits at the intersection of human approval, machine execution, and data exposure. The same access review discipline used for service accounts applies here, but the pace of agent creation makes delayed review cycles less effective. The field should stop treating AI agent governance as a separate problem category and start governing it as an NHI lifecycle and privilege problem with faster change velocity.
Policy language without enforceable identity control will not scale to enterprise AI adoption. The article’s strongest signal is that governance policies existed before control did, which is a common failure pattern in emerging NHI programmes. The practical conclusion is that identity ownership, permission mapping, and revocation capability must come before broad agent rollout, otherwise governance becomes descriptive rather than operative.
From our research:
- The 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced, or suspect they have experienced, a breach of non-human identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- If agent governance is still being treated as a monitoring problem, 52 NHI Breaches Analysis shows why lifecycle control and credential discipline have to come first.
What this signals
Identity binding will become the differentiator between real governance and dashboard-only oversight. As AI adoption spreads, enterprises will need to prove not only that an agent exists, but which identities it can use and which systems those identities can reach. The governance programme that cannot answer that question will keep discovering risk after it has already spread.
Agent sprawl creates a faster version of the NHI lifecycle problem. A single development team can create hundreds of agent instances in weeks, which means ownership, review, and offboarding have to move at machine speed rather than annual cadence. That pressure is the practical reason to align agent governance with lifecycle thinking, not just security telemetry.
With 1 in 4 organisations already investing in dedicated NHI security capabilities, the market is signalling that access visibility is becoming a core control rather than an adjacent feature. The same pressure will now land on AI agents, where identity inventory, entitlement review, and revocation need to operate as one control loop, not three separate projects.
For practitioners
- Inventory every agent identity: Map each GPT, agent, or assistant to the API keys, OAuth tokens, and service accounts it actually uses. Do not treat the agent name as the asset owner until the underlying non-human identities are linked and documented.
- Separate agent access from developer convenience: Review shared credentials, internal-use keys, and broad integrations that let one agent reach production data or external systems. Replace them with distinct, scoped identities that can be traced back to a single owner and a single use case.
- Enforce access reviews on agent-connected systems: Put agent-connected data stores, SaaS apps, and development tools into the same review cycle as other high-risk NHI access. Focus on who can create, connect, and publish an agent, not just who can log in to the platform.
- Block uncontrolled data-source attachment: Require approval before agents can connect to production tables, sensitive files, or admin-scoped collaboration tools. Use explicit allowlists for high-value systems so a new agent cannot inherit sensitive access by default.
- Track agent lifecycle ownership end to end: Assign a named owner for creation, change, and retirement of each agent so draft objects, stale GPTs, and dormant integrations do not persist with hidden access. Lifecycle control is the only way to stop access from outliving accountability.
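The identity-binding model from the technical breakdown (agent, its credentials, the systems they reach) and the five practitioner steps above can be expressed as a small inventory plus a set of governance checks. The following is an added example written for this post; it is not Astrix Security's tooling or NHIMG's code. Every agent name, credential id, system name, owner and date in it is constructed for illustration, and the allowlist and the 30-day staleness threshold are assumptions. It counts the access edges that sprawl multiplies, computes per-credential blast radius, and flags missing owners, shared credentials, unapproved attachment to high-value systems, and stale drafts that still hold credentials.

```python
"""Agent-to-NHI inventory with governance checks (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Credential:
    """A non-human identity (API key, OAuth token, service account) and what it reaches."""
    cred_id: str
    kind: str                  # "api_key" | "oauth_token" | "service_account"
    owner: Optional[str]       # named human owner; None means nobody is accountable
    systems: frozenset         # systems this credential can reach


@dataclass(frozen=True)
class Agent:
    """A GPT/agent bound to the credentials it actually uses, not just to its name."""
    name: str
    owner: Optional[str]
    status: str                # "published" | "draft"
    credentials: tuple         # Credential ids used by this agent
    last_activity: date


# Constructed sample inventory (hypothetical identifiers, not from the case study)
CREDENTIALS = {
    "svc-analytics": Credential("svc-analytics", "service_account", "dana",
                                frozenset({"bigquery"})),
    "internal-atlassian-key": Credential("internal-atlassian-key", "api_key", None,
                                         frozenset({"jira", "confluence"})),
    "oauth-drive-readonly": Credential("oauth-drive-readonly", "oauth_token", "lee",
                                       frozenset({"gdrive"})),
}
AGENTS = [
    Agent("sales-insights-gpt", "dana", "published", ("svc-analytics",), date(2025, 7, 30)),
    Agent("ticket-triage-gpt", "lee", "published",
          ("internal-atlassian-key", "oauth-drive-readonly"), date(2025, 7, 28)),
    Agent("ops-helper-draft", None, "draft", ("internal-atlassian-key",), date(2025, 5, 1)),
]
HIGH_VALUE_SYSTEMS = {"bigquery", "jira"}                    # attachment needs explicit approval
APPROVED_ATTACHMENTS = {("sales-insights-gpt", "bigquery")}  # constructed allowlist
AS_OF = date(2025, 8, 5)                                     # review date used in the sample run


def access_edges(agents, creds):
    """Every (agent, credential, system) path: the unit that agent sprawl multiplies."""
    edges = set()
    for a in agents:
        for cid in a.credentials:
            for system in creds[cid].systems:
                edges.add((a.name, cid, system))
    return edges


def credential_blast_radius(agents, creds):
    """Per credential: which agents inherit it and which systems it opens to all of them."""
    users = defaultdict(set)
    for a in agents:
        for cid in a.credentials:
            users[cid].add(a.name)
    return {cid: {"agents": users[cid], "systems": set(creds[cid].systems)} for cid in creds}


def find_violations(agents, creds, high_value, approved, today, stale_days=30):
    """Run the governance checks; returns (code, subject, detail) tuples."""
    findings = []
    for a in agents:
        if a.owner is None:
            findings.append(("MISSING_OWNER", a.name, "agent has no named owner"))
        idle = (today - a.last_activity).days
        if a.status == "draft" and idle > stale_days:
            findings.append(("STALE_DRAFT", a.name, f"inactive {idle}d, still holds credentials"))
        # Reachability is derived from the bound credentials, never from the agent's description.
        reachable = {s for cid in a.credentials for s in creds[cid].systems}
        for system in sorted(reachable & high_value):
            if (a.name, system) not in approved:
                findings.append(("UNAPPROVED_HIGH_VALUE", a.name,
                                 f"reaches {system} without approval"))
    for cid, radius in credential_blast_radius(agents, creds).items():
        if creds[cid].owner is None:
            findings.append(("MISSING_OWNER", cid, "credential has no named owner"))
        if len(radius["agents"]) > 1:  # one credential choice, many agents, many systems
            findings.append(("SHARED_CREDENTIAL", cid,
                             f"{len(radius['agents'])} agents share access to "
                             f"{len(radius['systems'])} systems"))
    return findings


if __name__ == "__main__":
    print(f"{len(access_edges(AGENTS, CREDENTIALS))} access edges in inventory")
    for code, subject, detail in find_violations(AGENTS, CREDENTIALS, HIGH_VALUE_SYSTEMS,
                                                 APPROVED_ATTACHMENTS, AS_OF):
        print(f"{code:22} {subject:24} {detail}")
```

On the constructed data the unowned `internal-atlassian-key` is what turns one agent's convenience into an identity blast radius: the stale draft inherits the same Jira and Confluence reach as the published triage agent, and neither attachment to Jira has an approval record. The checks are deliberately data-driven so the same inventory can feed a review cycle or a pre-publish gate.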
Key takeaways
- AI agent governance fails when organisations can observe behaviour but cannot map the non-human identities behind it.
- The case shows how quickly agent creation can outpace ownership, turning a few experimental systems into a broad access-control problem.
- The control plane only becomes real when identity inventory, scoped permissions, and revocation are enforced at the NHI layer.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent control gaps arise when identities and tools are not bound together. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on access visibility, ownership, and control of NHI credentials. |
| NIST CSF 2.0 | PR.AC-4 | The problem is access enforcement at the identity layer, not just monitoring. |
Map agent identities to access controls and verify least privilege across connected systems.
Key terms
- AI Agent Control Plane: A control plane for AI agents is the coordination layer that tracks, supervises, and sometimes orchestrates agent activity. In security terms, it is only effective when it is tied to the actual identities, permissions, and data paths the agent uses, otherwise it becomes visibility without enforcement.
- Non-Human Identity: A non-human identity is any credentialed digital identity used by software rather than a person. That includes service accounts, API keys, OAuth tokens, certificates, workload identities, and agent credentials. Governance depends on knowing who owns it, what it can reach, and when it should be removed.
- Identity Blast Radius: Identity blast radius is the amount of exposure created when one credential or entitlement can reach multiple systems, data sets, or workflows. For AI agents, the term describes how a single over-scoped identity can expand risk across production tools, collaboration apps, and sensitive data sources.
- Agent Sprawl: Agent sprawl is the uncontrolled growth of AI agents, drafts, integrations, and helper workflows across the enterprise. It becomes an identity governance issue when each instance can introduce new credentials, new permissions, and new ownership gaps faster than review and offboarding can keep up.
What's in the full article
Astrix Security's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step mapping of GPTs to identities, secrets, permissions, and connected systems.
- The first-week discovery workflow that surfaced risky agents, shared data sources, and sensitive access paths.
- The specific enforcement model used to move from visibility to revocation and policy application.
- The implementation detail behind the enterprise's internal ownership and control process.
Deepen your knowledge
AI agent identity governance and NHI access control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic systems from the same starting point, it is worth exploring.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org