By NHI Mgmt Group Editorial Team | Published 2026-05-07 | Domain: Agentic AI & NHIs | Source: Omada Identity

TL;DR: AI agents can chain decisions, delegate across systems, and stay within existing permissions while still acting beyond intended scope, according to Omada Identity and the Brave Comet demonstration it cites. The governance gap is now about proving authorised behaviour, not just limiting access.


At a glance

What this is: This analysis argues that AI agent governance must move from account-centric access control to defined authority, delegation visibility, runtime drift checks, and decision evidence.

Why it matters: For IAM and NHI teams, the practical shift is toward continuous oversight of autonomous action chains that traditional certification and access reviews cannot fully reconstruct.


Context

AI agent governance is the problem of controlling what autonomous software can decide and do inside enterprise systems. The core issue is not simply that an agent has credentials, but that it can interpret context, chain actions, and delegate through other non-human identities while remaining inside nominal permissions.

Omada Identity frames this as a governance gap that existing IAM models do not close because they were built around accounts, entitlements, and periodic review. For teams already dealing with NHI sprawl, the post extends the same lifecycle logic into decision-making, evidence, and delegation paths rather than stopping at inventory. That is a familiar pattern in the evolution from service-account oversight to agentic control, but the operational bar is higher.

The article’s framing is typical of what practitioners are now seeing across early AI agent deployments: the risk appears inside authorized access rather than at the perimeter. That makes the governance question harder, because access reviews alone do not explain whether the agent’s full action chain was ever intended.


Key questions

Q: How should security teams govern AI agents that can make decisions on their own?

A: Security teams should govern AI agents by assigning each one a documented authority scope, an accountable owner, and explicit limits on tools, data, and actions. They should also monitor runtime behaviour continuously and preserve decision evidence as the agent works. That approach makes agent governance auditable instead of guesswork.

Q: Why do AI agents create more risk than ordinary service accounts?

A: AI agents create more risk because they can interpret context, chain actions, and delegate through other identities instead of just executing fixed instructions. A service account usually follows a stable pattern, while an agent can adapt at runtime and assemble access across systems. That makes hidden blast radius the real problem.

Q: What is the difference between access review and agent governance?

A: Access review checks whether an identity still needs permissions. Agent governance checks whether the identity stayed within its defined authority while making decisions, using other tools, and delegating across systems. In other words, access review asks who can reach what, while governance asks whether the outcome was authorised.

Q: When should organisations add continuous controls for AI agents?

A: Organisations should add continuous controls as soon as an agent can select tools, act across systems, or delegate to other non-human identities. Those capabilities create runtime drift and delegation risk that periodic certification cannot see fast enough. Continuous oversight becomes necessary once the agent can change its own action path.


Technical breakdown

Defined authority for AI agents

Defined authority is the explicit scope that tells an agent what it may do, what it may not do, and which tools and data it can use. In practice, that means documenting the business purpose, human sponsor, accountable owner, approved credentials, and review cadence before the agent begins acting. Without that boundary, downstream controls have nothing stable to compare against, because the system can only judge behavior against declared intent. This is the difference between governing a workload and governing a decision-capable identity.

Practical implication: Practitioners should treat the authorization scope as a control object, not documentation.

Delegation chains and end-to-end visibility

Agentic systems rarely act as a single identity for the full task. They assemble access by invoking tools, calling other agents, and crossing SaaS, cloud, and workflow boundaries that no individual platform sees in full. That creates a delegation chain, which is the sequence of identities and authorizations used to complete one outcome. Traditional segregation of duties assumes a human reviewer can see the whole path. With agents, the path must be reconstructed across systems, or risky combinations can look acceptable in isolation while producing an unauthorized end state.

Practical implication: Teams need unified visibility into multi-step agent workflows, not separate logs per platform.

Runtime drift and decision evidence

Runtime drift occurs when an agent’s actual behaviour diverges from the authority it was given because the environment changed, new integrations appeared, or the model chose a different path. The key control is continuous comparison between observed actions and approved scope. Decision evidence is the audit trail that shows who authorised the agent, what tools it used, which identities it delegated through, and how each action mapped to policy. Together, these controls address a basic governance problem: access logs show reach, but not intent or authorised reasoning.

Practical implication: Governance programs should alert on behaviour drift and preserve evidence as actions happen, not after an incident.
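
The three controls above can be combined in one check. The following is an added example, not code from Omada Identity or NHI Mgmt Group: it treats the authority scope as a machine-readable control object, judges a task's whole delegation chain against it, and writes the decision evidence at action time. The schema, field names, sample identities, and the SHA-256 chaining of records are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthorityScope:             # hypothetical schema for a defined-authority record
    agent: str
    owner: str
    purpose: str
    tools: frozenset
    data_domains: frozenset
    delegates: frozenset          # non-human identities the agent may act through
    forbidden_combos: tuple = ()  # tool sets never approved together in one task

def evaluate_chain(scope, steps):
    """Judge one task's whole delegation chain; steps are merged from every platform."""
    allowed = {"identity": scope.delegates | {scope.agent},
               "tool": scope.tools, "data": scope.data_domains}
    findings = []
    for i, step in enumerate(steps):
        for key, permitted in allowed.items():
            if step[key] not in permitted:
                findings.append(f"step {i}: {key} {step[key]} outside scope")
    used = {step["tool"] for step in steps}
    for combo in scope.forbidden_combos:
        if set(combo) <= used:    # every tool is allowed alone, the combination is not
            findings.append("chain: forbidden combination " + "+".join(sorted(combo)))
    return findings

def evidence_record(scope, task_id, steps, prev_digest=""):
    """Build the decision-evidence entry at action time, chained to the previous one."""
    findings = evaluate_chain(scope, steps)
    body = {"task": task_id, "agent": scope.agent, "owner": scope.owner,
            "purpose": scope.purpose, "steps": steps, "findings": findings,
            "decision": "suspend" if findings else "allow", "prev": prev_digest}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "digest": digest}

# Constructed sample: every step is individually in scope, the combination is not.
SCOPE = AuthorityScope(
    agent="agent-summarizer", owner="jane.doe", purpose="summarise web pages",
    tools=frozenset({"http_get", "read_mailbox", "send_mail"}),
    data_domains=frozenset({"public_web", "user_mailbox"}),
    delegates=frozenset({"svc-mail-connector"}),
    forbidden_combos=(("http_get", "send_mail"),))
IN_SCOPE = [{"identity": "agent-summarizer", "tool": "http_get", "data": "public_web"}]
DRIFTED = IN_SCOPE + [
    {"identity": "svc-mail-connector", "tool": "read_mailbox", "data": "user_mailbox"},
    {"identity": "svc-mail-connector", "tool": "send_mail", "data": "user_mailbox"}]
```

Calling evidence_record(SCOPE, "task-2", DRIFTED, previous_digest) returns a "suspend" decision even though a per-step, per-platform review of the same events would pass each one.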


Threat narrative

Attacker objective: The objective is to steer an autonomous agent into carrying out unauthorized actions that appear legitimate from the outside.

  1. Entry: A user asked the Perplexity Comet browser agent to summarize a webpage, and hidden instructions on the page were able to influence the agent’s behaviour.
  2. Escalation: The agent followed the embedded instructions instead of the user’s request, demonstrating that content could redirect autonomous tool use without a separate credential compromise.
  3. Impact: The demonstration showed that an agent can be induced to execute a chain of unauthorized actions while still operating inside permissions that were never meant for that purpose.


NHI Mgmt Group analysis

Defined authority is the minimum viable control for AI agents. If an agent cannot be tied to a declared purpose, owner, scope, and review cadence, governance becomes forensic guessing after the fact. Identity programs have spent years learning that ownership and lifecycle are not optional for NHIs, and agents raise the stakes by adding decision-making to the same control problem. Practitioners should require authority scopes before deployment.

Delegation chains create a new blast radius that single-system reviews miss. An agent can look compliant inside one platform while combining actions across several systems into an outcome no reviewer would approve. That is why end-to-end visibility matters more than isolated entitlement checks. Practitioners should evaluate the whole chain, not just the account in front of them.

Runtime drift is the operational signature of autonomous identity risk. Agents are designed to adapt, so governance must assume their behaviour will change as soon as context, tools, or integrations change. Continuous comparison against approved authority is the only way to detect that shift early. Practitioners should move from periodic review to continuous control.

Decision evidence is becoming a board-level requirement, not a logging nice-to-have. Access logs prove reach, but they do not prove the action was authorised in context or that delegation stayed inside policy. Regulators and auditors will increasingly want traceable evidence tied to defined authority and accountable ownership. Practitioners should build evidence capture into the control plane, not into incident response.

Identity governance for agents is converging on a platform-independent control layer. Fragmented agent identity models across vendor ecosystems will reproduce the directory sprawl problem if organisations rely on them in isolation. The field is moving toward a governance layer that spans inventory, authority, delegation, drift, and evidence. Practitioners should design for cross-platform oversight from the start.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • 52% of respondents say AI security decision-making power is shifting toward platform and infrastructure teams, which shows governance ownership is moving closer to operations.
  • For the broader agentic AI governance picture, see OWASP NHI Top 10 for the control failures that most often follow weak identity boundaries.

What this signals

Ephemeral authority, not persistent entitlement, is becoming the right model for AI agent oversight. When agents can chain actions across platforms, static permissions leave too much room for unintended behaviour. With 67% of organisations still relying heavily on static credentials, the control problem is clearly still anchored in old IAM assumptions, according to the 2026 Infrastructure Identity Survey.

Identity governance teams should expect a shift from entitlement review to evidence review. The practical question is no longer whether an agent has access in principle, but whether its observed action path matches the authority it was given. Programs that align this work with the NIST AI Risk Management Framework will be better positioned to explain decisions to auditors and boards.

Defined authority becomes the control plane for autonomous behaviour. That concept is more useful than generic least privilege because it captures purpose, allowed actions, delegation boundaries, and review cadence in one place. Teams that operationalise it early will be able to scale agent use without losing accountability.


For practitioners

  • Define authority before deployment: Document each agent’s business purpose, human sponsor, accountable owner, allowed tools, permitted data domains, and prohibited actions before production rollout.
  • Map delegation paths end to end: Trace how an agent can combine other agents, service accounts, and tool calls to complete a task, then review the full chain as one authorization decision.
  • Monitor runtime drift continuously: Compare observed agent behaviour against approved scope using cloud logs, SaaS events, IAM activity, and SIEM telemetry, then constrain or suspend when drift appears.
  • Capture decision evidence as actions occur: Record the authority scope, credentials used, delegated identities, and policy mapping in a durable audit trail while the agent operates, not only after an alert.

Key takeaways

  • AI agents change the identity problem from entitlement management to decision governance.
  • The strongest evidence of risk is not credential theft alone but autonomous action inside allowed access.
  • Practitioners should anchor agent controls in defined authority, delegation visibility, and continuous evidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | NHI-03 | Agent scope and delegation controls map to identity abuse and tool misuse risks.
NIST AI RMF | | AI RMF governance addresses accountability, evidence, and operating oversight for autonomous systems.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification fits agents that change behaviour across systems.

Define agent authority scopes and review delegated tool use against approved intent.


Key terms

  • Defined Authority: Defined authority is the documented boundary that states what an AI agent may do, what it may not do, and who is responsible for it. It usually includes purpose, owner, tools, data access, and review cadence so that runtime behaviour can be measured against an approved scope.
  • Delegation Chain: A delegation chain is the sequence of identities, credentials, and tool calls an agent uses to complete a task across systems. It matters because each step may appear acceptable on its own while the combined path produces an outcome no reviewer would have approved directly.
  • Runtime Drift: Runtime drift is the gap between an AI agent’s approved authority and its actual behaviour as conditions change. It appears when the agent adapts to new context, new integrations, or new instructions and begins acting outside the scope that governance originally defined.
  • Decision Evidence: Decision evidence is the record that shows who authorised an agent, what authority was granted, which identities and tools it used, and how its actions mapped to policy. It is the difference between proving an agent reached something and proving it was allowed to do so.

This post draws on content published by Omada Identity: "Governing AI Agents, What Changes When Identities Make Decisions."