TL;DR: AI agent delegation creates a visibility gap between user intent, agent action, and downstream service-account access, leaving traditional IAM, PAM, and IGA unable to reconstruct who actually touched restricted data, according to Anetac. The core problem is that existing identity controls assume stable, reviewable access chains, while agentic workflows fragment accountability across runtime hops.
At a glance
What this is: This analysis shows that AI agent delegation breaks the link between human request, agent execution, and service-account access, creating an identity visibility gap that conventional control planes cannot reconstruct.
Why it matters: It matters because IAM, NHI, and governance teams need one accountable access chain across human, agentic, and non-human identities before they can safely enforce policy, audit actions, or investigate misuse.
By the numbers:
- 33% of enterprise applications will include agentic AI by 2028, up from less than 1% in 2024.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read Anetac's analysis of AI agent delegation visibility and identity chains
Context
AI agent delegation is the handoff of authority from a person to a software actor that can then use tools or service identities to complete a task. The problem in this article is not the existence of delegation itself, but the fact that most enterprise security stacks still cannot connect the initiating user, the agent, and the downstream service principal into one auditable chain.
That gap matters because identity governance depends on knowing who is accountable for which action, under what scope, and across which systems. When the chain breaks across CASB, proxy, IAM, and database logs, teams lose the ability to enforce least privilege, prove compliance, or decide whether a transaction was legitimate.
Key questions
Q: How should security teams govern AI agent delegation across user, agent, and service identities?
A: Security teams should govern AI agent delegation as a single access chain, not as separate login and database events. That means preserving user context through the agent, binding delegated scope to a distinct execution identity, and logging every hop so audit, policy, and incident response can trace accountability end to end.
Q: Why do AI agents create more identity risk than simple automation?
A: AI agents create more identity risk because they can decide how to complete a task, not just execute a fixed script. That makes scope, data access, and downstream delegation less predictable at runtime, which is exactly where conventional IAM assumptions about static privilege and reviewable sessions start to fail.
Q: What breaks when service principals are used behind AI agents without attribution?
A: What breaks is the link between the initiating person and the system action. Without attribution, database access may look legitimate even when it was triggered by an agent acting on behalf of a user, which undermines access reviews, forensic analysis, and policy enforcement.
Q: How can organisations reduce risk from multi-hop agent-to-agent delegation?
A: Organisations should require provenance capture at every hop, limit which identities can delegate further, and define the data boundaries each agent is allowed to reach. The goal is to prevent a primary request from expanding into an opaque chain of secondary actions that security teams cannot verify or explain.
Technical breakdown
Delegation chains and identity propagation
AI delegation usually spans multiple identity boundaries. A user starts the request, an agent interprets the task, and a service principal or token performs the actual system call. The technical failure is that most logging and policy layers record these as separate events, not as a single chain with propagated user context. Without identity propagation, downstream systems see a valid credential but not the original authority behind it. That makes policy enforcement, correlation, and forensics depend on inference instead of explicit linkage.
Practical implication: map user-to-agent-to-service-principal flows explicitly so policy engines can evaluate the full chain, not isolated hops.
Multi-hop agent-to-agent access and chain fragmentation
Agent-to-agent workflows add more hops, more credentials, and more opportunities for trace loss. Each sub-agent may use a different authentication mechanism, different data target, or different third-party API, which fragments audit trails and weakens chain-of-trust verification. Bearer tokens and static keys are especially problematic because they prove possession, not intent or delegated scope. In multi-hop systems, the technical challenge is not just access control at each point, but preserving provenance across every handoff so security teams can reconstruct the path later.
Practical implication: require provenance-aware logging and per-hop context capture before allowing agent-to-agent delegation in production.
Streaming identity vulnerability management versus periodic review
The article contrasts real-time access-chain analysis with traditional IGA snapshots and periodic reviews. That matters because delegated actions can be transient, fast, and invisible by the time a scheduled review runs. Streaming architecture captures behaviour as it happens, including unusual access paths, privilege expansion, and anomalous data movement. In identity terms, the difference is between observing a state and observing behaviour. For agentic systems, behaviour is the security signal, because the risky action may exist only briefly.
Practical implication: move from point-in-time certification to continuous identity telemetry for delegated and agentic access paths.
Threat narrative
Attacker objective: The objective is to exploit fragmented delegation so restricted data can be accessed or moved without a clear, enforceable accountability trail.
- Entry begins when a user sends a request to an AI agent that is allowed to act on their behalf, creating a legitimate delegation path into enterprise systems.
- Escalation occurs when the agent uses a service principal, bearer token, or secondary agent hop to reach restricted data or systems without preserving the original user context.
- Impact follows when the broken chain of attribution blocks detection, complicates policy enforcement, and allows sensitive data access or unintended action to go unaudited.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Delegation visibility is now the control-plane problem that legacy IAM cannot solve. IAM platforms were built to answer direct-access questions, not to stitch together user intent, agent execution, and downstream service-account activity. Once an AI agent can intermediate the request, the security team loses a clean authority chain unless identity propagation is designed into the architecture. Practitioners should treat this as a governance boundary, not a logging inconvenience.
Identity fragments become operationally dangerous when the agent becomes the broker of access. PAM protects high-risk accounts, but agentic workflows often depend on the long tail of service principals, API tokens, and delegated credentials that PAM was never positioned to correlate. IGA then arrives too late if the access path only exists for seconds or minutes. The implication is that governance has to move from account-centric review to chain-centric control.
Runtime delegation visibility should be treated as an identity blast radius issue. Once the agent can fan out into multiple systems or sub-agents, the original request can create a much wider access surface than any single policy review would reveal. That wider blast radius is not just a tooling gap, it is a discipline gap between identity governance and runtime execution. Security teams need to rethink how they define scope when the actor is a delegated software intermediary.
Audience trust assumptions fail when the system no longer knows who is really acting. The assumption that a user request maps cleanly to one accountable access path was designed for human-paced, bounded transactions. That assumption fails when an agent can re-route requests through service principals, third-party APIs, and secondary agents before any human sees the outcome. The implication is that accountability models based on static ownership need to be reworked around delegated execution rather than named user sessions.
Chain-of-trust verification must become a first-class governance object. The article's strongest contribution is not the agent narrative, but the reminder that most enterprise identity controls still cannot verify the whole delegation chain end to end. That gap becomes more severe as agent-to-agent collaboration expands. Practitioners should recognise that this is a structural identity governance problem, not a niche AI security edge case.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- NHI credentials are still a major exposure point, with 79% of organisations reporting secrets leaks and 77% of those incidents causing tangible damage.
- For a deeper control baseline, read 52 NHI Breaches Analysis for the recurring failure patterns behind real identity incidents.
What this signals
Delegation visibility will become a board-level identity metric as AI agents spread across enterprise workflows. When 33% of enterprise applications are expected to include agentic AI by 2028, teams will need to prove that every delegated path is attributable, not just functional.
Identity blast radius is the right concept for agentic programmes that reuse service principals and tokens. The practical question is no longer whether an agent can act, but how far that delegated action can travel before governance loses sight of it. That is where continuous telemetry and scoped execution identities become programme requirements, not architecture extras.
For teams building controls, the next step is to align delegated access with a Zero Trust posture and use NIST AI Risk Management Framework guidance where autonomous decisioning appears. The governance target is not just permissioning, but sustained visibility across the whole agent-to-NHI chain.
For practitioners
- Map delegated access chains end to end Inventory where a user request can pass through an AI agent, a service principal, and downstream APIs before reaching data. Preserve the full chain of attribution so security, audit, and incident teams can reconstruct who initiated, who executed, and what was accessed.
- Separate human credentials from agent execution Do not let AI agents operate under human credentials when the task crosses systems or data domains. Use scoped delegated identities so the execution path can be verified independently of the user session that triggered it.
- Add provenance to agent-to-agent workflows Require every hop to carry user context, task context, and destination context through the delegation chain. That makes it possible to detect when a sub-agent exceeds the original scope or reaches an unauthorised system.
- Replace periodic review with streaming identity telemetry Review delegated and agentic access in real time rather than waiting for scheduled IGA cycles. Short-lived misuse will not survive long enough for a snapshot-based review to catch it.
Key takeaways
- The core risk is not AI automation itself, but the loss of a provable identity chain from user request to downstream access.
- The scale problem is already visible in the data, with agentic adoption rising and most organisations still lacking full service-account visibility.
- The control implication is clear: identity governance must shift from periodic review to continuous, chain-aware attribution and telemetry.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent delegation and tool use create the exact runtime risks this framework models. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centers on non-human identities, delegated credentials, and attribution gaps. |
| NIST CSF 2.0 | PR.AA-01 | Access accountability is the core governance gap in the delegation chain. |
Tie access events to accountable identities and verify that logging preserves provenance end to end.
Key terms
- Delegation Chain: A delegation chain is the sequence of identities and systems involved when one actor acts on behalf of another. In agentic environments, that chain may include a human user, an AI agent, one or more service principals, and downstream APIs, all of which must remain attributable for governance to work.
- Identity Propagation: Identity propagation is the passing of user or session context through downstream systems so later actions remain tied to the original request. In delegated workflows, it is what prevents a valid credential from becoming an untraceable action once an agent or service account takes over execution.
- Chain-of-Trust Verification: Chain-of-trust verification is the process of confirming that each step in a multi-hop access path is authorised and consistent with the original intent. It is essential when agents, tokens, and service identities can hand work to one another without human review between hops.
- Identity Blast Radius: Identity blast radius is the maximum reach of a credential, token, or delegated identity if it is misused or over-scoped. For agentic systems, the term matters because a single request can expand into multiple systems, making the potential impact much wider than the initiating user may expect.
What's in the full article
Anetac's full article covers the operational detail this post intentionally leaves for the source:
- The detailed access-chain model showing how user, agent, service principal, and resource relationships are linked in practice
- The control-plane policy example for blocking delegated access when user context, agent activity, and target data do not align
- The multi-hop A2A workflow explanation showing how secondary and tertiary agents create additional tracing gaps
- The specific mechanisms Anetac describes for risk scoring and context injection across delegated sessions
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org