By NHI Mgmt Group Editorial Team
Published 2025-12-18
Domain: Agentic AI & NHIs
Source: Okta

TL;DR: AI agent adoption is already widespread, with 91% of organisations using agents while only 10% have a well-developed governance strategy and nearly half lack any formal framework, according to Okta and The Times. The gap is no longer theoretical because identity, authorization, and lifecycle controls were not designed for autonomous software acting at machine speed.


At a glance

What this is: The article argues that AI agents have moved from experimentation to operational use, exposing a governance gap between adoption and identity controls.

Why it matters: For IAM and NHI practitioners, the key issue is that autonomous agents behave like identities but are often managed with tools and assumptions built for humans.

By the numbers:

👉 Read Okta's analysis of securing AI agents from development to enterprise scale


Context

AI agent governance is now an identity problem, not just an AI adoption problem. Agents operate continuously, call tools directly, and can chain actions across systems without the human login and logout pattern that traditional IAM assumes. That creates a mismatch for NHI governance because the thing performing work is software, but the control plane is still often built around people.

The practical consequence is a widening blind spot between deployment and control. NHI programs that already manage service accounts, API keys, and tokens have a useful starting point, but agents add context-driven authorization, autonomous action, and broader blast radius. For readers that want a broader baseline on lifecycle and access patterns, the Ultimate Guide to NHIs remains the clearest reference point.


Key questions

Q: How should security teams govern AI agents as non-human identities?

A: Start by assigning each agent an owner, a purpose, a credential source, and a defined access scope. Then enforce rotation, revocation, and logging like any other privileged NHI. If the agent can act across systems, governance must include approval paths for high-impact actions and regular review of the data and tools it can reach.

Q: What is the difference between human IAM and AI agent governance?

A: Human IAM assumes interactive sessions, predictable login events, and direct user accountability. AI agent governance must handle persistent execution, tool chaining, and machine-speed decisions. That shifts the control focus from session management to identity lifecycle, fine-grained authorization, and blast-radius reduction for autonomous software.

Q: When do AI agents create more risk than they reduce?

A: AI agents create more risk when they inherit broad permissions, reuse long-lived secrets, or can access sensitive data without task-level controls. In that state, automation increases the speed and scale of compromise rather than the quality of work. The tipping point is usually weak authorization, not the model itself.

Q: Should organisations prioritise secrets rotation or agent approval workflows first?

A: If agents already have persistent credentials, rotate and revoke those secrets first because they are the fastest path to compromise. If the agents perform high-impact actions, add approval workflows next. The best order is usually remove standing trust, then constrain what the agent can do in real time.


Technical breakdown

Why AI agents break human-centric IAM assumptions

Traditional IAM expects a person to authenticate, obtain a session, complete work, and log off. AI agents do not follow that pattern. They may run continuously, invoke APIs on behalf of users, and make decisions across multiple systems without an interactive session boundary. That changes the identity problem from login verification to ongoing authority management. For NHI governance, the core challenge is not just proving who the agent is, but constraining what it can do, when it can do it, and what data it can reach while it is operating.

Practical implication: Treat each agent as a persistent identity with scoped authority, not as a feature extension of the application stack.

How secrets and token lifecycle become agent risk multipliers

The article points to hard-coded API keys, long-lived tokens, and vault-managed OAuth lifecycles as competing patterns. The security issue is not only exposure of a secret, but the duration and breadth of trust that secret creates. If a credential can be reused indefinitely, an agent compromise becomes a durable foothold. In NHI terms, rotation, revocation, and token lifetime become primary controls because the agent’s access path is only as safe as the credential behind it. This is especially important when agent actions are automated and rapid.

Practical implication: Move agent credentials into vault-backed lifecycles with tight rotation and immediate revocation paths.
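To make the lifecycle controls above concrete, and the owner/purpose/credential-source/scope registry described under Key questions, here is an added example that is not code from the article or from Okta. It is an in-memory stand-in for a vault-backed issuer: an agent with no registry entry gets no credential, token lifetime is capped by policy, and rotation and revocation are immediate. The agent names, scopes and the vault path are constructed for the illustration.

```python
"""Agent registry plus vault-style short-lived credentials with rotation and revocation.
Added example; agent names, scopes and the vault path are constructed, not from the article."""
from dataclasses import dataclass
import secrets
import time


@dataclass(frozen=True)
class AgentRecord:
    agent_id: str
    owner: str               # accountable human or team
    purpose: str             # what the agent is for
    credential_source: str   # where its secret material is managed (hypothetical path)
    scopes: frozenset        # the access it is allowed to hold


@dataclass(frozen=True)
class Token:
    value: str
    agent_id: str
    scopes: frozenset
    issued_at: float
    expires_at: float


class AgentCredentialBroker:
    """In-memory stand-in for a vault-backed issuer: no registry entry, no credential."""

    def __init__(self, max_ttl_seconds: int = 900):
        self.max_ttl = max_ttl_seconds
        self.registry: dict[str, AgentRecord] = {}
        self.active: dict[str, Token] = {}
        self.revoked: set[str] = set()

    def register(self, record: AgentRecord) -> None:
        if not record.owner or not record.purpose:
            raise ValueError("an agent needs an accountable owner and a stated purpose")
        self.registry[record.agent_id] = record

    def issue(self, agent_id: str, ttl_seconds=None, now=None) -> Token:
        now = time.time() if now is None else now
        record = self.registry.get(agent_id)
        if record is None:
            raise PermissionError(f"{agent_id} is not registered; treat as shadow AI")
        ttl = min(ttl_seconds or self.max_ttl, self.max_ttl)  # lifetime is capped by policy
        token = Token(secrets.token_urlsafe(32), agent_id, record.scopes, now, now + ttl)
        self.active[token.value] = token
        return token

    def revoke(self, value: str) -> None:
        self.revoked.add(value)
        self.active.pop(value, None)

    def revoke_agent(self, agent_id: str) -> int:
        """Immediate revocation path: kill every live credential for one agent."""
        doomed = [v for v, t in self.active.items() if t.agent_id == agent_id]
        for v in doomed:
            self.revoke(v)
        return len(doomed)

    def rotate(self, old_value: str, now=None) -> Token:
        """Rotation: the old credential dies the moment the new one is minted."""
        old = self.active.get(old_value)
        if old is None:
            raise PermissionError("cannot rotate an unknown or revoked credential")
        self.revoke(old_value)
        return self.issue(old.agent_id, now=now)

    def validate(self, value: str, scope: str, now=None) -> bool:
        """Called on every use: revoked, expired or out-of-scope credentials all fail closed."""
        now = time.time() if now is None else now
        token = self.active.get(value)
        if token is None or value in self.revoked:
            return False
        if now >= token.expires_at:
            self.revoke(value)
            return False
        return scope in token.scopes


if __name__ == "__main__":
    broker = AgentCredentialBroker(max_ttl_seconds=600)
    broker.register(AgentRecord("ticket-triage", "alice", "summarise support tickets",
                                "vault:kv/agents/ticket-triage", frozenset({"tickets:read"})))
    tok = broker.issue("ticket-triage")
    print(broker.validate(tok.value, "tickets:read"), broker.validate(tok.value, "tickets:write"))
```

The `now` parameters exist so the expiry and rotation behaviour can be exercised deterministically; in production the clock comes from the secrets manager, and `credential_source` would point at the real vault path rather than the constructed one shown here.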

Why fine-grained authorization matters for retrieval and tool use

The article distinguishes application-level access from data-level access, which is a useful way to frame the problem. Agents using retrieval-augmented generation can surface sensitive information if authorization is too coarse, even when the user never intended broad disclosure. The same pattern applies to tool access: broad service account permissions let an agent cross trust boundaries too easily. Fine-grained authorization, relationship-based access, and policy evaluation at request time are the mechanisms that reduce overreach without stopping automation.

Practical implication: Apply policy at the point of data retrieval and tool invocation rather than relying on broad application entitlements.
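The application-level versus data-level distinction above, as an added example that is not code from the article or from Okta. A coarse search returns every document the application can see; the fine-grained path runs the same search but evaluates a relationship-based rule per document before anything reaches the model, and tool calls are checked against the agent's task scope at invocation time. The documents, teams, task names and tool policy are all constructed for the illustration.

```python
"""Request-time, resource-level authorization for an AI agent's retrieval and tool use.
Added example; the policy table, teams and documents are constructed, not from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_team: str
    classification: str   # "public", "internal" or "restricted"
    text: str


@dataclass(frozen=True)
class AgentContext:
    agent_id: str
    on_behalf_of: str     # the human principal the agent is acting for
    user_team: str        # that principal's team, used for the relationship check
    task: str             # the task scope the agent was launched with


# Constructed task-scope policy: which tools each task may invoke.
TASK_TOOLS = {
    "summarise-tickets": frozenset({"search_docs", "read_ticket"}),
    "close-tickets": frozenset({"search_docs", "read_ticket", "update_ticket"}),
}

# Constructed threshold above which a bulk update needs human step-up approval.
BULK_UPDATE_LIMIT = 1


def can_read(ctx: AgentContext, doc: Document) -> bool:
    """Relationship-based document rule, evaluated per document on every request."""
    if doc.classification == "public":
        return True
    if doc.classification == "internal":
        return doc.owner_team == ctx.user_team
    return False  # restricted material is never surfaced to an agent here


def can_invoke(ctx: AgentContext, tool: str, args: dict) -> bool:
    """Tool-level rule: the tool must be in the task scope, and bulk writes are refused."""
    if tool not in TASK_TOOLS.get(ctx.task, frozenset()):
        return False
    if tool == "update_ticket" and args.get("count", 1) > BULK_UPDATE_LIMIT:
        return False
    return True


def search_coarse(corpus, query):
    """Application-level search: returns every match the application itself can see."""
    return [d for d in corpus if query.lower() in d.text.lower()]


def retrieve(ctx: AgentContext, corpus, query):
    """Fine-grained retrieval: the same search, filtered by can_read before the model sees it."""
    return [d for d in search_coarse(corpus, query) if can_read(ctx, d)]


# Constructed corpus: every document mentions an outage, so the search alone filters nothing.
CORPUS = [
    Document("kb-1", "support", "public", "How to report an outage"),
    Document("kb-2", "support", "internal", "Outage runbook for the support team"),
    Document("hr-7", "hr", "internal", "Outage of the payroll system, HR-only notes"),
    Document("sec-9", "security", "restricted", "Outage root cause with credentials"),
]


def demo(task="summarise-tickets", user_team="support"):
    ctx = AgentContext("ticket-triage", "alice", user_team, task)
    return {
        "coarse": [d.doc_id for d in search_coarse(CORPUS, "outage")],
        "fine": [d.doc_id for d in retrieve(ctx, CORPUS, "outage")],
        "read_ticket": can_invoke(ctx, "read_ticket", {}),
        "update_one": can_invoke(ctx, "update_ticket", {"count": 1}),
        "update_many": can_invoke(ctx, "update_ticket", {"count": 50}),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the coarse search returns four documents and the fine-grained path returns two for a support user and one for anyone else, with the restricted record never surfacing; and that a bulk update is refused even for a task that is allowed to update tickets, which is where a step-up approval would be inserted.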


Threat narrative

Attacker objective: The attacker’s objective is to convert a compromised agent identity into scalable access that can cross systems faster than human monitoring can respond.

  1. Entry typically begins when developers embed hard-coded API keys or grant long-lived tokens to an AI agent so it can reach multiple tools.
  2. Escalation follows when the agent is over-provisioned with broad service account permissions or application-level access that exceeds task scope.
  3. Impact occurs when a hijacked agent can chain API calls across systems and expose data or perform high-velocity actions at machine speed.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agent governance is becoming the next NHI control problem. The article is correctly focused on identity, not just automation, because agents create durable access paths with autonomous execution authority. That means the governance model has to include discovery, ownership, authorization, and lifecycle controls, not just security review at deployment time. Practitioners should treat agent identity as a first-class NHI category.

Static credentials create trust debt in agentic environments. Long-lived tokens and embedded keys are not just operational shortcuts; they are deferred security liabilities. The more agents rely on persistent secrets, the more the organisation accumulates hidden blast radius that cannot be reduced by application-layer controls alone. Practitioners should define secret lifetime as a governance control, not an implementation detail.

Fine-grained authorization is now mandatory for autonomous access. Coarse application-level access is too blunt when agents retrieve data, call tools, and chain decisions. The field needs a stronger expectation that agent authorization must be evaluated at the resource and action level, especially where RAG or cross-system workflows are involved. Practitioners should align policy design to task scope, not platform convenience.

Shadow AI will become shadow NHI if discovery does not keep up. The article points to unmanaged agents and unmanaged identities as the same underlying problem: assets that operate without an accountable owner. That shifts the security question from whether agents exist to whether they are registered, reviewed, and revoked like any other privileged identity. Practitioners should build discovery into the control plane, not the audit aftermath.

Identity blast radius is the right concept for agent risk. When a single agent can invoke multiple APIs, access data, and execute workflows, the relevant unit of analysis is not the account alone but the range of systems it can reach before detection. That concept helps teams prioritise controls based on impact, not just on credential type. Practitioners should map and reduce blast radius before scaling agent deployment.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still managing non-human access with incomplete inventory data.
  • For lifecycle depth, review Ultimate Guide to NHIs and pair it with Top 10 NHI Issues for a practical control baseline.

What this signals

Identity blast radius: agent governance should now be measured by how far one compromised identity can move before detection. When 91% of organisations are already using AI agents, the control question is no longer adoption; it is containment across tools, data, and workflows.

For programme leaders, the near-term priority is not a standalone AI policy. It is an identity operating model that ties discovery, ownership, authorization, and revocation together, with NHI lifecycle processes extending to autonomous software. If those controls sit in separate teams, the gap will widen faster than remediation can close it.

The article also reinforces why agentic AI belongs in the same governance lane as other privileged NHI patterns. The practical bridge is to align agent controls with external guidance such as the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10, then use those mappings to harden approvals and policy checks.


For practitioners

  • Inventory every deployed AI agent as an NHI: Create a registry for each agent, including owner, purpose, credentials, tool access, and data scope. If the organisation cannot answer those four questions, the agent is effectively shadow AI and should be treated as an unmanaged identity.
  • Replace long-lived credentials with vault-managed token lifecycles: Move API keys and service credentials out of code and into controlled secret stores with rotation, revocation, and audit logging. Prioritise the credentials that can trigger cross-system actions or read sensitive data.
  • Enforce resource-level authorization for agent actions: Evaluate access at the document, record, or tool level instead of relying on application-wide entitlements. That is the difference between an agent that can do one task and one that can move laterally through the environment.
  • Add human approval for high-impact actions: Require step-up review for purchases, production changes, mass record access, or external sharing. Autonomous execution should stop where business impact becomes material.
  • Build detection for abnormal agent behaviour: Alert on unusual record counts, unexpected tool combinations, and access outside the agent’s normal task pattern. Fast behaviour is not always malicious, but it is always worth investigating when the actor is non-human.
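The last item, detection of abnormal agent behaviour, as an added example that is not code from the article or from Okta. It learns each agent's normal task pattern (tools, resources, largest record count) from a set of known-good audit events and then flags later events for record-count spikes, tools or resources outside the baseline, and agents with no baseline at all, which is the audit-side view of shadow AI. The JSON audit lines, agent names and the 5x record multiplier are constructed for the illustration.

```python
"""Baseline-and-deviation detection over agent audit events.
Added example; the log lines, agent names and thresholds are constructed, not from the article."""
import json
from collections import defaultdict

# Constructed "known good" events used to learn each agent's normal task pattern.
BASELINE_LINES = [
    '{"ts":"2025-12-18T09:00:01Z","agent":"ticket-triage","tool":"read_ticket","resource":"tickets","records":3}',
    '{"ts":"2025-12-18T09:00:04Z","agent":"ticket-triage","tool":"search_docs","resource":"kb","records":5}',
    '{"ts":"2025-12-18T09:00:09Z","agent":"ticket-triage","tool":"read_ticket","resource":"tickets","records":2}',
]

# Constructed events to evaluate against that baseline.
NEW_LINES = [
    '{"ts":"2025-12-18T10:00:01Z","agent":"ticket-triage","tool":"read_ticket","resource":"tickets","records":4}',
    '{"ts":"2025-12-18T10:00:02Z","agent":"ticket-triage","tool":"read_ticket","resource":"tickets","records":500}',
    '{"ts":"2025-12-18T10:00:03Z","agent":"ticket-triage","tool":"export_records","resource":"customers","records":10}',
    '{"ts":"2025-12-18T10:00:05Z","agent":"unknown-helper","tool":"search_docs","resource":"kb","records":1}',
]


def parse_events(lines):
    """One JSON object per line; a real pipeline would read these from the audit sink."""
    return [json.loads(line) for line in lines]


def build_baseline(events):
    """Per agent: the tools and resources seen, and the largest record count in one call."""
    base = defaultdict(lambda: {"tools": set(), "resources": set(), "max_records": 0})
    for e in events:
        b = base[e["agent"]]
        b["tools"].add(e["tool"])
        b["resources"].add(e["resource"])
        b["max_records"] = max(b["max_records"], e["records"])
    return dict(base)


def detect(events, baseline, record_multiplier=5):
    """Return one alert per deviation; an event can raise more than one reason."""
    alerts = []

    def alert(e, reason, detail):
        alerts.append({"ts": e["ts"], "agent": e["agent"], "reason": reason, "detail": detail})

    for e in events:
        b = baseline.get(e["agent"])
        if b is None:
            alert(e, "no_baseline", "agent has no known task pattern; possible shadow AI")
            continue
        if e["tool"] not in b["tools"]:
            alert(e, "unexpected_tool", e["tool"])
        if e["resource"] not in b["resources"]:
            alert(e, "unexpected_resource", e["resource"])
        limit = record_multiplier * max(b["max_records"], 1)
        if e["records"] > limit:
            alert(e, "record_spike", f'{e["records"]} records, limit {limit}')
    return alerts


def run():
    baseline = build_baseline(parse_events(BASELINE_LINES))
    return detect(parse_events(NEW_LINES), baseline)


if __name__ == "__main__":
    for a in run():
        print(a)
```

On the constructed input the first event is within pattern and raises nothing; the 500-record read trips the spike rule; the export to a customer resource trips both the tool and the resource rule; and the unregistered agent is surfaced on its first action. In practice the baseline should be rebuilt from the agent's registered task scope rather than only from observed history, so that an agent that was over-provisioned from day one does not teach the detector that overreach is normal.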

Key takeaways

  • AI agents should be treated as autonomous NHIs, not as a side feature of application automation.
  • Persistent credentials and broad permissions turn agent speed into security blast radius.
  • The fastest path to better control is tighter discovery, shorter secret lifetime, and task-scoped authorization.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Agentic AI Top 10          | A2                  | Agent tool use and identity abuse are central to the article's risk model.
OWASP Non-Human Identity Top 10  | NHI-03              | The article's main gap is long-lived secrets and poor lifecycle control.
NIST AI RMF                      | GOVERN              | Autonomous agent oversight requires clear accountability and documented controls.

Apply NHI-03 to shorten credential lifetime, automate rotation, and revoke stale access fast.


Key terms

  • AI Agent: An AI agent is autonomous software that can make decisions, invoke tools, and execute actions with some level of authority. In identity terms, it behaves like a non-human identity that needs ownership, scoped access, monitoring, and revocation just like other privileged machine actors.
  • Shadow AI: Shadow AI is AI software or agents operating without formal approval, inventory, or governance. The risk is not just unknown software, but unknown identity behavior, because unmanaged agents can access data and tools without the accountability, logging, or policy enforcement needed for secure operations.
  • Identity Blast Radius: Identity blast radius is the range of systems, data, and actions an identity can reach if it is compromised or misused. For AI agents, blast radius is often larger than teams expect because one account can chain API calls, cross application boundaries, and amplify damage at machine speed.
  • Fine-Grained Authorization: Fine-grained authorization evaluates access at a specific resource, action, or relationship level instead of granting broad application-wide permission. For AI agents, this is the difference between a task-scoped workflow and an identity that can overreach into data or actions it should never see.

Deepen your knowledge

AI agent governance, secret lifecycle control, and fine-grained authorization are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous software in a similar environment, it is worth exploring.

This post draws on content published by Okta: Securing AI agents from development to enterprise scale. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org