AI agent discovery needs both network and identity context

At a glance

What this is: Astrix Security and Fortinet describe an integration that correlates network telemetry with identity context to improve discovery and risk assessment for AI agents and MCP servers.

Why it matters: For IAM and NHI teams, the issue is not just detection but attribution, because unmanaged agents can use valid credentials while remaining invisible in identity-only monitoring.

👉 Read Astrix Security's analysis of AI agent discovery across network and identity layers

Context

AI agent governance fails when visibility is split between network activity and the identities that authorize it. In practice, security teams may see outbound traffic without knowing whether it came from a sanctioned workload, a local coding assistant, or a shadow agent using a privileged service account.

The core NHI problem is attribution. If an agent can authenticate with OAuth apps, service accounts, API keys, or personal access tokens, then discovery must join transport signals to identity records before policy, ownership, or blast radius can be assessed. For the broader control model, see the Ultimate Guide to NHIs.

Key questions

Q: How should security teams govern AI agents that use non-human identities?

A: Start by tying each agent to a named owner, a credential type, and a permission scope. Then enforce continuous review of activity, because AI agents can change behaviour without changing identity. Governance works best when discovery, inventory, and access review operate together, not as separate processes.

Q: What is the difference between network detection and identity-based discovery for AI agents?

A: Network detection tells you that something connected and exchanged traffic. Identity-based discovery tells you which non-human identity was used, what it could access, and who is accountable for it. The second model is stronger for governance because it supports ownership, privilege review, and remediation.

Q: When does shadow AI become an access governance problem?

A: Shadow AI becomes an access governance problem as soon as the agent can authenticate to enterprise systems with real credentials. At that point, the issue is no longer only discovery. It is privileged access, revocation, and auditability, especially if the agent can reach production or sensitive data.

Q: Why do AI agents complicate zero trust architecture assumptions?

A: Zero trust assumes every access request is continuously verified, but AI agents can make frequent, autonomous requests using credentials that appear legitimate. That makes ownership, context, and privilege scope just as important as authentication. Teams need continuous identity validation and least privilege for the agent itself.

How it works in practice

Why network telemetry alone misses AI agent identity risk

Network telemetry shows where traffic went, what protocol was used, and which systems were contacted. It does not reveal the business identity of the actor behind the session, especially when the actor is a locally run AI agent or an unmanaged automation path. That is why network-only controls can confirm activity but still leave the ownership, privilege, and intent questions unanswered. For AI agents, the gap is not just detection. It is the inability to link a session to a non-human identity and the permissions that identity carries.

Practical implication: Treat firewall logs as discovery signals, not as complete evidence of agent governance.

How identity context changes NHI discovery and risk scoring

Identity context binds activity to the NHI behind it, such as an OAuth application, service account, API key, or personal access token. Once that binding exists, security teams can evaluate permissions, access scope, first-seen time, ownership, and policy violations in one place. That is materially different from raw inventory. It moves the control point from simple detection to governance, because the same agent can look low-risk or high-risk depending on whether it has write access, production reach, or no accountable owner.

Practical implication: Prioritise systems that correlate activity to identity, privilege, and ownership in the same workflow.

What continuous discovery means for shadow AI and MCP servers

Continuous discovery matters because unmanaged agents and MCP servers often appear outside formal registration paths. If an agent is created locally or deployed without security approval, platform dashboards will not see it unless another control observes its outbound behaviour. In this model, network logs become the trigger for investigation, while identity enrichment determines whether the activity is official, unofficial, or deprecated. The result is a living inventory rather than a point-in-time list, which is essential when agent behaviour changes quickly.

Practical implication: Use continuous discovery to find unregistered agents and inactive servers before they become persistent blind spots.

NHI Mgmt Group analysis

Network-to-identity correlation is becoming the baseline control for AI agent governance. Security teams can no longer rely on endpoint visibility or identity inventory alone because agent activity is distributed across transport, cloud, SaaS, and DevOps layers. A control model that cannot bind traffic to the NHI behind it leaves ownership and privilege unresolved. The practical conclusion is straightforward: discovery must be correlation-first, not tool-silo-first.

Shadow AI is an NHI problem before it is an AI problem. Unmanaged agents matter because they authenticate, inherit permissions, and act with execution authority. Once that happens, the risk profile looks like any other non-human identity issue, including excessive privilege, weak ownership, and incomplete offboarding. Teams should therefore govern agents through the same lifecycle discipline they use for other privileged NHIs.

Identity blast radius is the right concept for prioritising agent risk. The most dangerous agent is not always the noisiest one, but the one whose credentials can reach production, SaaS admin planes, or data-rich systems. By linking network observations to accessible resources, practitioners can focus remediation where compromise would spread fastest. The lesson is to rank agents by reachable impact, not by deployment novelty.

Continuous auditability is now part of operational NHI hygiene. If an organisation cannot reconstruct which agent did what, under which credentials, and with whose approval, then it cannot defend the access decision later. That matters for incident response, compliance, and internal control reviews alike. The field should treat auditable agent inventories as a minimum requirement, not a premium feature.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• For the wider NHI control model, Ultimate Guide to NHIs shows why ownership, lifecycle, and revocation have to be designed together.

What this signals

Identity correlation will become a core control pattern for agent governance. With 96% of technology professionals identifying AI agents as a growing security threat, the pressure on IAM teams is moving from inventory hygiene to runtime verification. Programmes that cannot connect activity, identity, and ownership will struggle to separate sanctioned automation from shadow AI.

Identity blast radius is the lens that separates useful discovery from noise. The right question is not whether an agent exists, but what it can reach and whether that reach is defensible. For teams already mapping NHI exposure, the next step is to bring agent traffic, credential scope, and data access into one review cycle.

Security programmes that still treat AI agents as an app-layer issue will miss the governance implications. The more durable model is to manage agents as non-human identities with continuous access review, revocation paths, and clear accountability.

For practitioners

• Implement network-to-identity correlation for agent traffic Join firewall or proxy logs to identity records so each AI agent session can be tied to an owner, credential type, and permission scope.
• Inventory unmanaged agents and MCP servers continuously Use outbound connection telemetry to detect locally run agents and undocumented MCP servers, then classify them as sanctioned, unsanctioned, or deprecated.
• Rank agent risk by reachable blast radius Prioritise agents with write access, production access, or broad SaaS permissions before reviewing low-impact read-only integrations.
• Require ownership for every non-human identity Do not accept an agent or service account that lacks a named human owner, a documented purpose, and a revocation path.

Key takeaways

• AI agent discovery is incomplete unless network activity can be tied back to the non-human identity behind it.
• The risk grows when agents operate with valid credentials, broad permissions, and no clear owner, because governance gaps become access gaps.
• Practitioners should shift from point-in-time inventory to continuous correlation, risk ranking, and revocation-ready ownership records.

Key terms

• Non-Human Identity: A non-human identity is any machine or software credential used to access systems on behalf of an application, workload, or agent. In practice this includes service accounts, API keys, tokens, certificates, and AI agents, all of which need ownership, scope, and revocation control.
• Shadow AI: Shadow AI is an AI agent or automation path that exists outside formal security oversight. It may be locally run, self-provisioned, or otherwise undiscovered, which makes its permissions, data access, and accountability difficult to verify until another control surfaces it.
• Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause if abused or compromised. For non-human identities, it is measured by reachable systems, write privileges, and the sensitivity of the data or admin planes the credential can touch.
• Network-to-Identity Correlation: Network-to-identity correlation is the practice of binding traffic telemetry to the credential or non-human identity behind it. This turns raw connection data into governance evidence, allowing teams to evaluate ownership, privilege, and policy violations in the same workflow.

What's in the full announcement

Astrix Security's full post covers the operational detail this analysis intentionally leaves for the source:

• Exact log flow for forwarding permitted HTTPS traffic from FortiGate NGFW into the Astrix platform via syslog
• The five discovery outputs, including shadow AI, MCP server inventory, and risk scoring by access scope
• How the integration records activity history, ownership status, and policy findings for audit reviews
• The vendor's description of how network events are enriched into identity context across cloud, SaaS, and DevOps tools

👉 Astrix Security's full post covers the correlation workflow, discovery outputs, and audit inventory details

Deepen your knowledge

AI agent governance, identity correlation, and privilege control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for shadow AI and agent activity, it is worth exploring.