TL;DR: AI adoption is moving faster than security governance, and SentinelOne says unsanctioned AI usage is already tied to breaches, higher incident costs, and weak controls across the AI lifecycle. The real issue is not visibility alone, but that access review, endpoint, and interaction-layer controls were not built for agents that execute code and touch secrets.
At a glance
What this is: This is SentinelOne’s analysis of how AI and agentic AI environments need layered security across endpoint, interaction, and runtime controls, with particular focus on shadow AI and assistants that can execute code and access secrets.
Why it matters: It matters because IAM, PAM, and NHI programmes now have to govern AI systems that behave like privileged non-human actors, not just monitor human-driven use of chat interfaces.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
👉 Read SentinelOne's analysis of agentic AI assistant coverage and AI governance
Context
AI agent governance is the problem of defining what autonomous or semi-autonomous software can access, do, and exfiltrate across infrastructure, data, and user environments. SentinelOne’s article argues that security teams can no longer treat AI as a simple browser-based user experience, because agentic assistants can run as local processes, call tools, access secrets, and operate with user-level privileges. That makes AI agent identity a governance problem, not just a monitoring problem.
The primary gap is that existing security programmes still assume AI usage is visible through web traffic, policy-bound through standard application controls, or contained by the same rules used for chatbots. SentinelOne’s framing is that those assumptions fail once an assistant can touch files, spawn shells, and invoke MCP-connected tooling. For teams building AI governance, this is a shift from content moderation to identity, runtime, and egress control.
Key questions
Q: How should security teams govern AI assistants that can execute code and access secrets?
A: Treat them as governed non-human identities, not as ordinary chat interfaces. Give them explicit ownership, inventory their runtime locations, restrict their tool and secret access, and enforce containment at the endpoint, interaction, and network layers. If an assistant can modify files or call APIs, it belongs in IAM, PAM, and NHI governance.
Q: Why do AI assistants create more risk than standard chatbots?
A: Because they can move from text generation to action. An assistant that can spawn processes, read files, and call tools turns a prompt into execution, which means a single unsafe interaction can lead to credential exposure or data exfiltration. Standard chatbot monitoring is not enough when the system can act on instructions.
Q: What do security teams get wrong about shadow AI?
A: They often look only at browser traffic and miss local processes, wrapper apps, and non-standard ports. Shadow AI is not just unsanctioned use of public chat sites. It also includes agentic tools that run on endpoints, connect to internal systems, and blend into ordinary user workflows without a visible web session.
Q: Who should own AI agent governance in an enterprise?
A: Ownership should sit jointly across IAM, security operations, and the teams running the AI workload. If no one owns the assistant’s identity, access scope, logging, and containment, the organisation ends up with policy on paper but no enforced boundary in runtime. Governance needs an accountable owner for every AI actor.
Technical breakdown
Why agentic AI assistants behave like privileged non-human identities
Agentic AI assistants are not just interfaces to a model. In the article’s framing, they can execute code, launch processes, read local files, access secrets, and call external APIs with the privileges of the user session or host process. That means they inherit the access scope of the environment they run in, but they also expand operational risk because they can combine data access and execution in a single runtime path. For identity teams, the key technical point is that these assistants sit in the same governance plane as NHI and privileged automation, even when they are launched from a user workstation.
Practical implication: classify agentic assistants as governed non-human actors, not as ordinary user-facing applications.
How multi-layer AI security controls fit together
The article describes three reinforcing planes: endpoint detection and response, AI interaction security, and agent hardening. EDR/XDR gives process, file, network, and persistence telemetry. Interaction security sits between the user and the AI to block sensitive data, prompt injection, and unmanaged usage. Agent hardening focuses on the runtime itself, verifying skills, limiting egress, and scanning for unsafe configuration. The architectural insight is that no single layer can see the whole chain. Discovery, policy enforcement, and containment each catch different failure modes, so governance has to be distributed across the AI stack.
Practical implication: align endpoint, interaction, and runtime controls to one shared AI risk inventory instead of treating them as separate projects.
Why MCP-connected tool chains increase governance complexity
When agentic tools connect through MCP servers or similar tool interfaces, the identity problem moves from simple access control to delegated capability control. The assistant no longer just returns text. It can request tool responses, consume them, and potentially act on them within the same workflow. That creates a governance boundary around tool selection, risk scoring, and approval logic. From an NHI perspective, this is especially relevant because the trust boundary now includes dynamic tool use, not just static credentials or fixed service permissions.
Practical implication: inventory every AI tool chain that can reach internal systems and apply explicit governance to each delegated capability.
Threat narrative
Attacker objective: The objective is to use an agentic assistant’s legitimate runtime privileges to reach secrets, data, and external communication paths without triggering ordinary chatbot monitoring.
- Entry occurs when an agentic assistant is present in the environment as a local process, browser extension, wrapper, or other unsanctioned AI tool with user-level access.
- Escalation follows when the assistant reads files, touches secrets, spawns shells, or invokes tools and APIs beyond the scope of a simple chat session.
- Impact is reached when sensitive data leaves the environment through non-standard egress, unauthorized tool responses, or data leakage through the interaction layer.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent governance is now an identity problem, not a tooling preference. Once an assistant can execute code and interact with systems at runtime, the question stops being whether users like the interface and becomes what identity, privilege, and audit model governs the actor. That shifts the centre of gravity from application security to IAM, PAM, and NHI oversight. Practitioners should treat agentic AI as a governed identity surface, not a productivity feature.
Runtime visibility is the named concept this market still lacks. AI adoption can be high while governance remains weak because most programmes still cannot see whether an assistant is running, what it touched, or which tool chains it invoked. SentinelOne’s layered approach reflects a broader market truth: visibility must extend from the endpoint into the interaction layer and the agent runtime, or the security team only sees fragments. The implication is that inventory without runtime telemetry is not governance.
Prompt-layer controls do not replace identity controls. Blocking unsafe content or detecting shadow AI at the interaction layer helps, but it does not answer who authorized the assistant, what privileges it inherited, or whether those privileges were bounded. That is why agentic AI security has to sit alongside identity lifecycle, not outside it. Practitioners should stop treating AI policy as a separate track from IAM and start folding it into governance for all non-human actors.
Least privilege for AI becomes meaningful only when the environment can constrain tool execution. The article’s concern about OpenClaw-style assistants shows how quickly user-level access becomes over-broad once code execution and data access live in the same session. In practice, this means the old distinction between a user tool and a privileged automation account is collapsing. Security teams should expect AI governance to converge with NHI and PAM controls.
Agentic AI exposes a governance gap that existing review cycles cannot close on their own. Access review cadences assume there is a stable artefact to certify, but agentic systems can expand, combine, and exercise privileges within one session. That means the review process may happen after the risky behaviour has already completed. The lesson for practitioners is that AI governance needs continuous enforcement, not just periodic attestation.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- From our research: 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- From our research: For a broader view of machine identity exposure, see The 52 NHI breaches Report, which shows how persistent non-human credential issues turn into repeat incidents.
What this signals
Runtime visibility is becoming the dividing line between AI adoption and AI governance. The organisations that can inventory where agents run, what they touch, and how they communicate will be able to govern AI as a non-human identity surface. Those that cannot will keep discovering tools after the fact, which turns policy into hindsight.
With 70% of organisations granting AI systems more access than human employees, the access model is already drifting beyond human-centric governance assumptions. The practical response is to fold AI actor review into the same programme that governs service accounts, privileged access, and workload identity.
Agentic AI makes least privilege an execution problem, not just an entitlement problem. If the assistant can chain tool calls, open shells, and exfiltrate data, then the boundary has to exist at runtime. Practitioners should expect their future AI controls to look more like NHI governance, egress policy, and PAM than like conventional chatbot moderation.
For practitioners
- Inventory every AI tool running outside approved channels Search endpoints, browser extensions, wrapper apps, and local processes for agentic AI tooling. Treat anything that can call tools, access files, or reach APIs as a governed non-human actor until it is formally sanctioned.
- Bind AI usage policy to identity and egress controls Update acceptable use rules so they explicitly cover autonomous assistants, MCP-connected tools, secret access, and non-standard network paths. Then pair the policy with endpoint enforcement and blocked egress for unsanctioned assistants.
- Create one inventory for AI, secrets, and delegated access Track where assistants run, which secrets they can reach, what tools they can invoke, and who owns the workflow. This gives IAM, PAM, and SOC teams a shared view of privilege exposure instead of isolated logs.
- Operationalize behavioral hunts for agent-shaped activity Write detections for interpreter runtimes spawning shells, touching secrets, and making unusual API calls. Use those hunts to identify renamed tools, wrapper processes, and agents that evade simple signature-based discovery.
- Set containment rules before adoption scales Define when to block AI tool execution, when to require explicit user consent, and when to terminate hidden data sharing or background communication. Containment should be pre-decided, not improvised during an incident.
Key takeaways
- Agentic AI assistants collapse the line between interface and execution, which makes identity governance a first-order security issue.
- Most organisations still lack AI agent policies even as they grant these systems broad access, creating a governance gap that scales faster than awareness.
- The controls that matter most are inventory, runtime enforcement, and delegated access restraint across endpoint, interaction, and network layers.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | The article focuses on agentic AI assistants that can act on prompts and tools. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The post centres on secrets, runtime access, and unmanaged non-human actors. |
| NIST AI RMF | GOVERN | AI governance ownership and accountability are central to the article's message. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access restriction are recurring themes in the article. |
| NIST Zero Trust (SP 800-207) | Zero trust egress and continuous verification are relevant to AI tool access. |
Apply zero trust principles to AI tools, especially for tool calls, secrets, and outbound communication.
Key terms
- Agentic AI Assistant: An agentic AI assistant is a software system that can choose actions, invoke tools, and execute work at runtime rather than only generating text. In governance terms, it behaves like a non-human identity that may inherit user privileges, requiring controls for access, logging, and containment.
- Shadow AI: Shadow AI is AI tooling or agent activity running outside approved governance. It often hides in endpoint processes, browser extensions, wrappers, or untracked services, which means organisations can lose sight of where the system runs, what it touches, and whether it can reach sensitive data.
- MCP Tool Chain: An MCP tool chain is the set of tools and data sources an AI system can reach through Model Context Protocol connections. The security issue is not the protocol itself, but the delegated access path it creates, because tool responses can become actions, data transfers, or escalation opportunities.
- Runtime AI Governance: Runtime AI governance is the control of AI behaviour while the system is active, not just during procurement or policy drafting. It combines identity, telemetry, content controls, and containment so that access, data movement, and tool use remain bounded while the assistant is executing.
What's in the full article
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- Endpoint hunting queries and process-level indicators for Clawdbot, OpenClaw, and Moltbot activity
- Layer-by-layer coverage mapping for EDR/XDR, Prompt Security, and ClawSec across the AI stack
- The seven security pillars and how each maps to a distinct AI risk surface
- Recommended next steps broken into week, 90-day, and six-month action horizons
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org