By NHI Mgmt Group Editorial Team | Published 2026-03-11 | Domain: Agentic AI & NHIs | Source: Astrix Security

TL;DR: Astrix Security says most enterprises underestimate AI agent populations by an order of magnitude because agents authenticate through OAuth tokens, API keys, and endpoint-level traces that conventional discovery tools miss. The result is a structural visibility gap that turns shadow AI into an NHI governance problem, not just an inventory issue.


At a glance

What this is: An analysis of enterprise AI agent discovery. The key finding is that traditional IAM and discovery tools miss many agents because they operate through non-human credentials and endpoint traces.

Why it matters: Unmanaged agents expand the NHI attack surface faster than governance teams can review ownership, privilege, and trust decisions.



Context

AI agent discovery is becoming an identity problem before it is a tooling problem. When agents authenticate with OAuth tokens, API keys, and local endpoint traces, they fall outside the operating assumptions of traditional IAM, which still expects human users, stable ownership, and clean lifecycle records. That is why the first question for security leaders is no longer how to protect agents, but how to find them and classify them as non-human identities.

Astrix Security frames the issue as shadow AI agents that exist without review, ownership clarity, or access validation. That framing is directionally correct for NHI governance: if an organisation cannot inventory the agent, the credentials it uses, and the systems it can reach, then access governance is effectively blind. For teams already dealing with NHI sprawl, this is a typical failure mode, not an edge case.


Key questions

Q: How should security teams govern AI agents that show up outside normal IAM processes?

A: Treat them as non-human identities with a full lifecycle, not as ad hoc tools. Inventory the agent, identify the owner, classify its credential type, and review its privilege scope before allowing production access. If you cannot validate those elements, the agent should be constrained until governance catches up.

Q: Why do traditional discovery tools miss shadow AI agents?

A: Traditional discovery tools are usually designed around human users, managed assets, and central consoles. Shadow agents may appear only in OAuth grants, API keys, or endpoint telemetry, which means they never trigger a normal inventory path. The result is blind spots that persist even when monitoring is in place.

Q: What is the difference between finding an AI agent and governing it?

A: Finding an agent tells you that it exists. Governing it requires ownership, approval status, credential visibility, access scope, and a review process that can remove or restrict it when conditions change. Discovery is the input; governance is the decision system that makes the discovery operational.

Q: When should organisations restrict AI agent access instead of expanding it?

A: Restrict access when the agent lacks a clear owner, uses deprecated infrastructure, touches sensitive systems, or cannot be tied to a defensible business purpose. Broad access without those controls increases the identity blast radius and makes later remediation harder. In practice, uncertainty should trigger containment, not expansion.


Technical breakdown

How AI agent discovery works across identity, platform, and endpoint signals

AI agent discovery usually fails when teams rely on a single control plane. Agents can be officially registered in SaaS platforms, inferred from identity traces in OAuth and SSO logs, or detected through endpoint telemetry when they run locally on developer devices. The technical problem is correlation: the same agent may appear as a platform object, a token grant, and a local process. A useful discovery layer normalises these signals into one identity record so security teams can connect ownership, credential type, and reachable systems. Without that correlation, inventory fragments into separate tools and never becomes governable.

Practical implication: Build a unified discovery pipeline that correlates platform, identity, and endpoint data before assigning ownership or access risk.

Why NHI fingerprinting matters for shadow AI agents

NHI fingerprinting is the process of identifying non-human identities from the access patterns they leave behind, even when they were never formally onboarded. In practice, this means looking for OAuth grants, API key usage, SaaS audit events, and service-to-service authentication trails that reveal agent activity. The value is not just finding unknown agents. It is proving that an identity exists, then tying it to privilege scope and exposure. That distinction matters because a shadow agent can be invisible in asset inventory while still holding real access to sensitive systems and data.

Practical implication: Use identity-layer telemetry to find agents that were never registered in a central inventory but still hold active credentials.
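
The correlation and fingerprinting steps described above, as an added example (not code from Astrix Security or NHI Mgmt Group): it merges platform, OAuth and endpoint records into one record per agent, lists identities that never appear in a platform inventory, and orders the review queue. The sample data is constructed, and the field names, scope strings and `client_id` join key are assumptions.

```python
# Constructed sample signals; field names and scope strings are assumptions,
# not any vendor's schema.
PLATFORM_AGENTS = [  # agents registered in a SaaS platform console
    {"client_id": "app-101", "owner": "it-ops@example.com"},
]
OAUTH_GRANTS = [  # identity-layer traces from OAuth / SSO logs
    {"client_id": "app-101", "scopes": ["tickets.read"]},
    {"client_id": "app-202", "scopes": ["directory.write", "mail.read"]},
]
ENDPOINT_EVENTS = [  # endpoint telemetry for locally running agents
    {"host": "laptop-17", "process": "local-agent", "client_id": "app-202"},
    {"host": "laptop-23", "process": "mcp-server", "client_id": None},
]
BROAD_SCOPES = {"directory.write"}  # assumed "high-breadth" permissions


def correlate(platform, grants, endpoint):
    """Normalise three signal sources into one record per agent identity."""
    records = {}

    def record(key):
        return records.setdefault(key, {"key": key, "sources": set(),
                                        "owner": None, "scopes": set(), "hosts": set()})

    for agent in platform:
        r = record(agent["client_id"])
        r["sources"].add("platform")
        r["owner"] = agent["owner"]
    for grant in grants:
        r = record(grant["client_id"])
        r["sources"].add("identity")
        r["scopes"].update(grant["scopes"])
    for event in endpoint:
        # No credential seen on the host: fall back to host/process as the key.
        key = event["client_id"] or f'{event["host"]}/{event["process"]}'
        r = record(key)
        r["sources"].add("endpoint")
        r["hosts"].add(event["host"])
    return records


def shadow_agents(records):
    """Identities seen in identity or endpoint data but never registered."""
    return sorted(k for k, r in records.items() if "platform" not in r["sources"])


def review_queue(records):
    """Ownerless records first, then broad scopes, then everything else."""
    def rank(r):
        return (r["owner"] is not None, not (r["scopes"] & BROAD_SCOPES), r["key"])
    return [r["key"] for r in sorted(records.values(), key=rank)]
```

In this sample `app-202` surfaces only through an OAuth grant and a laptop process, so it is absent from the platform inventory while holding a directory write scope.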

What makes MCP servers and local agents hard to govern

MCP servers and endpoint-resident agents complicate governance because they can sit outside managed platform boundaries. A local agent on an employee laptop may talk to internal systems through a developer toolchain, while a deprecated MCP server may continue exposing tools and secrets after owners have moved on. Traditional discovery misses these cases because the activity is not rooted in a central SaaS console. The technical issue is trust sprawl: the organisation may not know whether the server is official, maintained, or still connected to production data and credentials.

Practical implication: Treat endpoint-based agents and MCP servers as first-class NHI assets, with review cycles tied to ownership and maintenance status.




NHI Mgmt Group analysis

AI agent discovery is now an NHI governance function, not an inventory nicety. The central issue is not whether an agent exists, but whether the organisation can assign ownership, review privilege, and validate its trust boundary. When agents are deployed outside IT channels, the governance model that works for human accounts breaks down quickly. Practitioners should treat unknown agents as unmanaged identities until proven otherwise.

Shadow AI creates identity blast radius before it creates breach headlines. An unreviewed agent with directory write access or SaaS-level permissions can alter data, move laterally, or expose credentials without ever looking like a classic compromised account. That shifts priority from detection after abuse to containment before broad privilege is granted. The right control question is how much damage one agent can do if ownership is unclear.

Discovery only matters when it produces a defensible trust decision. Finding an agent is not the end state. Security teams need to know whether it is official, deprecated, local, remote, actively maintained, and connected to sensitive systems. That set of attributes determines whether the agent should be allowed, constrained, or removed. Practitioners should wire discovery into approval and review workflows, not into static reporting.

Ephemeral access does not solve the underlying agent trust problem. Short-lived tokens reduce exposure time, but they do not address the structural issue that many agents can authenticate, act, and persist outside normal IAM oversight. If the identity lifecycle is opaque, time-bounded credentials simply move the risk window rather than remove it. Teams should pair ephemeral access with explicit ownership and continuous review.

Visibility programs for agents are converging with broader NHI control models. The same governance patterns that matter for service accounts, API keys, and certificates now apply to AI agents that can execute tasks across systems. That means lifecycle management, privilege review, and secrets hygiene belong in the same control plane. Practitioners should stop treating agent discovery as a separate niche and fold it into NHI governance.

From our research:

  • Over 5.5% of AWS NHIs hold full admin privileges, creating high-risk super-NHIs that dramatically elevate breach impact, according to The NHI and Secrets Risk Report.
  • Stale NHI credentials active for 20+ years have been found in enterprise environments, with over 50% of accounts inactive in some organisations.
  • A practical next step is to pair discovery with lifecycle controls, using the NHI Lifecycle Management Guide, so ownership gaps do not turn into standing access.

What this signals

Identity blast radius: once AI agents are allowed to act through high-breadth credentials, the programme risk shifts from visibility to containment. With 33% of organisations reporting agents accessed inappropriate or sensitive data beyond intended scope, per AI Agents: The New Attack Surface, the control objective becomes limiting how far one agent can move before it is reviewed.

Agent governance will increasingly sit inside the same operating model as service account and API key management. Security teams that separate these domains will keep finding shadow behaviour after the fact, while teams that unify lifecycle, access review, and ownership will reduce the number of unknowns that reach production.

The operational signal is clear: discovery without enforcement creates better reports, not better security. Practitioners should expect AI agent inventories to grow faster than manual review capacity, which makes automated classification and exception handling a near-term requirement rather than a future optimisation.


For practitioners

  • Correlate identity, platform, and endpoint data: Map AI agents from SaaS integrations, OAuth traces, and EDR telemetry into one inventory so shadow agents do not remain isolated in separate tools. Prioritise the correlation of ownership, credential type, and reachable systems before any access review.
  • Classify every agent by trust and maintenance status: Label agents as official, unofficial, local, remote, active, or deprecated, then attach an owner and review cadence. Use that classification to decide whether the agent keeps access, moves to restricted mode, or gets removed.
  • Review high-breadth permissions first: Start with agents that can write to core systems, manage directories, or reach sensitive data. A single agent with broad permissions can create more operational risk than many low-risk agents, especially when the owner is unclear.
  • Fold agent discovery into NHI lifecycle controls: Apply provisioning, rotation, offboarding, and periodic access review to AI agents the same way you would for service accounts and API keys. That prevents agents from persisting after the person or team that created them has moved on.

Key takeaways

  • AI agent discovery is fundamentally an NHI governance problem because agents authenticate and operate outside human-centric IAM assumptions.
  • Shadow agents become dangerous when ownership, credentials, and privilege scope are not tied together in one inventory.
  • Practitioners should anchor discovery to lifecycle controls so unidentified agents do not become standing access risks.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agent discovery and tool access map to agent identity and privilege abuse.
OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on unmanaged credentials and unknown non-human identities.
NIST CSF 2.0 | PR.AC-4 | Agent access scopes and entitlement review align with least-privilege access control.

Map agents to entitlement owners and enforce least privilege at every access review cycle.


Key terms

  • Shadow AI: Shadow AI refers to AI agents or AI-enabled tools operating in an environment without formal approval, inventory, or oversight. In practice, they often use valid credentials and legitimate platforms, which makes them easy to miss and hard to govern until their access is reviewed.
  • Identity Correlation Layer: An identity correlation layer links signals from platform integrations, OAuth grants, logs, and endpoint telemetry into a single record. For NHI governance, it is the mechanism that turns scattered evidence into a usable inventory of who or what the agent is, what it can access, and who owns it.
  • Identity Blast Radius: Identity blast radius is the amount of damage a compromised or overprivileged identity can cause before controls intervene. For non-human identities, it is shaped by permission breadth, credential exposure, and how many systems the identity can reach from one compromise point.

What's in the full article

Astrix Security's full article covers the operational detail this post intentionally leaves for the source:

  • The three discovery sources used to identify officially deployed, shadow, and endpoint-resident agents.
  • The identity graph fields that link each agent to ownership, credentials, and downstream access.
  • The risk scoring logic used to prioritise agents with broad permissions or unclear maintenance status.
  • The demo flow for seeing how local agents and deprecated MCP servers surface in practice.
