AI agent identity and intent-based access management at RSAC 2026

At a glance

What this is: This RSAC 2026 brand spotlight argues that AI agents need identity governance designed around intent, not human-style historical behaviour.

Why it matters: IAM and NHI teams must treat agents as governed workload identities with explicit scope, ownership, and lifecycle controls before they scale unchecked.

👉 Read Token Security's RSAC 2026 brand spotlight on AI agent identity and intent-based access management

Context

AI agent identity is becoming an IAM problem because agents act with execution authority, not just conversational output. When an agent can call tools, reach business systems, and keep pursuing a goal after context shifts, the old assumption that identity is tied to stable human behaviour no longer holds. For NHI governance, that means access decisions must account for intent, lifecycle, and blast radius rather than only authentication.

The article frames a pattern many practitioners will recognise: agents are often discovered after deployment, not before. That is typical of modern NHI sprawl, where teams inherit autonomous software identities faster than they can inventory, classify, and govern them. The practical question is no longer whether agents exist, but whether security teams can see them, own them, and constrain them before they become persistent access paths.

Key questions

Q: How should security teams govern AI agents that can act on their own?

A: Treat each agent as a non-human identity with explicit ownership, task boundaries, and revocation rules. Grant only the tools and data the agent truly needs, then monitor for scope creep, unexpected chaining, and unused access that should be removed. Governance should start before deployment, not after the agent is already acting.

Q: What is the difference between human IAM and AI agent governance?

A: Human IAM assumes a stable user, predictable behaviour, and access tied to a role. AI agent governance has to account for autonomous action, changing paths to a goal, and tool use that can span multiple systems. The practical difference is that agent access must be bounded by intent and lifecycle, not by job title.

Q: When does intent-based access management reduce risk for agents?

A: It reduces risk when an agent can only complete a narrow task and does not need broad exploratory access. If the agent’s objective is vague, the environment is highly interconnected, or the task requires many downstream actions, intent-based control becomes harder and must be paired with stronger discovery, monitoring, and approval workflows.

Q: Why do AI agents complicate zero trust architecture?

A: Zero Trust assumes continuous verification, but autonomous agents can generate many machine-speed actions once they are authenticated. That means the security model has to verify not just identity at login, but also purpose, context, and action scope during execution. For agentic systems, continuous authorisation matters more than one-time access grant.

Technical breakdown

Why AI agent identity differs from human identity

AI agents are goal-oriented and non-deterministic, which means they may choose different paths to satisfy the same objective. Human IAM assumptions often rely on stable roles, predictable workflows, and historical behaviour, but agents can improvise across tools and systems. That makes past activity a weak basis for authorisation. For NHI governance, the critical shift is to treat the agent as an autonomous actor whose permissions must be bounded by purpose, not by observed habit.

Practical implication: Use purpose-scoped policies instead of role assignments built from prior activity.

Intent-based access management and least privilege

Intent-based access management starts with the task the agent is expected to perform, then restricts what it can reach, change, or chain together. In practice, that is closer to task-scoped least privilege than to broad identity entitlements. The architectural value is clear: if the agent only needs to read one system and write to one workflow, policy should prevent lateral tool abuse, overbroad data access, and unintended side effects. This aligns with NHI governance models that prioritise minimisation over after-the-fact monitoring.

Practical implication: Define explicit task boundaries before granting any tool or data access.

Visibility, accountability, and lifecycle control for agents

Agent governance fails when teams cannot answer three questions: what agents exist, who owns them, and when access should end. That is the same lifecycle problem seen across NHIs, but agents make it more urgent because they can continue acting without a human in the loop. Effective controls require discovery, ownership mapping, and offboarding processes that revoke credentials and permissions when the agent is retired, replaced, or repurposed. Without that, dormant agent identities become standing risk.

Practical implication: Build discovery and offboarding into the agent identity lifecycle from day one.

Threat narrative

Attacker objective: The attacker wants to exploit the agent's autonomy to reach systems, data, or actions that were never meant to be in scope.

1. Entry occurs when teams deploy AI agents with broad tool access before establishing governance or ownership.
2. Escalation follows when a goal-driven agent can chain actions across systems to satisfy a prompt or objective.
3. Impact emerges when the agent overreaches, modifying data, invoking infrastructure actions, or exposing unintended access paths.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

AI agent identity should be treated as a distinct NHI class, not as a variant of human IAM. Agents behave differently from staff accounts because they are autonomous, tool-enabled, and goal-seeking. That combination changes how access, monitoring, and revocation should work. Practitioners should stop mapping agent governance onto human-role assumptions and start designing around execution scope, not job function.

Intent-based access management is a useful named concept because it reframes authorisation around purpose and blast radius. A goal-driven agent needs permissions that are narrow enough to support the task but constrained enough to prevent chaining into unrelated systems. This is especially important when agents can act across SaaS, data stores, and infrastructure. Practitioners should use intent as the first control boundary.

Discovery before enforcement is the right operating sequence for agent governance. Many organisations will not know how many agents they have, who owns them, or which credentials they use until after deployment. That is a familiar NHI pattern, but AI agents compress the risk window because they can operate immediately. Practitioners should inventory, classify, and assign ownership before scaling policy enforcement.

Micro-agent design reduces identity blast radius more effectively than one powerful agent with broad authority. A single all-purpose agent concentrates trust, tool reach, and failure impact in one place. Narrow-purpose agents with limited permissions are easier to govern, revoke, and audit. Practitioners should prefer smaller execution domains over oversized autonomous agents wherever architecture allows it.

From our research:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
• Only 5.7% of organisations have full visibility into their service accounts, which is why agent discovery must come before policy enforcement.
• For the lifecycle angle, review Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs to align provisioning, rotation, and offboarding with agent governance.

What this signals

Intent-based access management: the market is moving toward task-scoped governance for autonomous software, but most enterprises still lack the inventory discipline to apply it consistently. That means agent programmes should assume discovery gaps first and policy maturity second.

With 97% of NHIs carrying excessive privileges, the broader governance lesson is that privilege creep is already the default state. Agent programmes that do not define ownership, scope, and offboarding will inherit the same exposure pattern at machine speed.

Practitioners should align agent governance with NIST AI Risk Management Framework thinking, especially accountability and ongoing monitoring. The key shift is to treat agent authorisation as a living control, not a one-time provisioning event.

For practitioners

• Inventory agent identities first Discover every AI agent, bot, and workload identity in use, then map each one to an owner, purpose, and system reach. Treat unknown agents as unmanaged NHI until proven otherwise.
• Scope access to declared intent Write policy from the task outward. Limit each agent to the smallest set of tools, datasets, and actions required to complete the declared objective, and block any cross-domain actions that are not explicitly needed.
• Tie credentials to the agent lifecycle Require provisioning, rotation, and revocation steps for every agent identity, including offboarding when an agent is retired or repurposed. Incomplete lifecycle control leaves standing access behind.
• Break large agents into smaller scopes Prefer micro-agent patterns where each autonomous component has a narrow role and limited trust zone. Smaller scopes reduce the chance that one prompt, compromise, or logic error can spread across the environment.

Key takeaways

• AI agents create an NHI governance problem because they can act autonomously across systems, not just generate output.
• Intent-based access is the right design pattern when agents need narrow task scope and limited tool reach.
• Inventory, ownership, and offboarding are the controls that determine whether agent identity becomes manageable or expands into standing risk.

Key terms

• AI Agent Identity: The identity assigned to an autonomous software entity that can act, decide, and use tools on its own. In NHI governance, it must be treated as a distinct identity class because it can execute actions continuously and at machine speed, unlike a human user session.
• Intent-Based Access Management: An authorisation approach that grants an agent only the permissions needed to complete a defined objective. It shifts control from historical behaviour to declared purpose, which reduces overbroad access and limits the damage an agent can cause if it is misused or manipulated.
• Identity Blast Radius: The maximum scope of damage an identity can create if it is compromised, misconfigured, or over-permissioned. For agents, blast radius is shaped by tool reach, data access, and the ability to chain actions across systems, so scope reduction is a primary control objective.

What's in the full article

Token Security's full blog post covers the operational detail this post intentionally leaves for the source:

• The RSAC Conference 2026 brand spotlight conversation with Itamar Apelblat and Ido Shlomo, including the framing they used for AI agent identity.
• The platform workflow Token Security describes for discovering agents, assigning accountability, and mapping lifecycle ownership.
• The architecture discussion on how enforcement connects to agent platforms and business applications without a broker in the middle.
• The micro-agent design argument and why narrow-purpose agents reduce the risk of one powerful autonomous identity.

👉 The full Token Security post covers the RSAC conversation, governance model, and agent lifecycle approach.

Deepen your knowledge

AI agent identity governance and intent-based access control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous agents or refining existing NHI processes, it is worth exploring.