TL;DR: AI agents are already in use at 91% of organizations, yet only 10% have a well-developed management strategy and nearly half lack formal governance, according to Okta and The Times. The governance gap is now an identity risk, because autonomous agents operate continuously with permissions and data access that legacy IAM was not built to constrain.
At a glance
What this is: This is an editorial analysis of the AI agent governance gap, showing that adoption is far ahead of identity, authorization, and lifecycle controls.
Why it matters: IAM and NHI practitioners need to treat AI agents as governed identities, because unmanaged autonomy turns access sprawl into operational risk.
By the numbers:
- 91% of organizations are already utilizing AI agents according to the 2025 Okta at Work report.
- only 10% have a well-developed strategy for managing these non-human identities.
👉 Read Okta's analysis of AI agent identity governance and control gaps
Context
AI agent identity governance is becoming a core IAM problem because autonomous software now acts with execution authority, tool access, and continuous access to data. The issue is not whether agents can be useful, but whether enterprises can identify, authorize, and revoke them with the same discipline they apply to workforce identities.
The article argues that traditional IAM breaks down when identities do not log in and log out like humans, use long-lived secrets, and chain API calls without supervision. For teams building NHI controls, this is a familiar pattern, and the Ultimate Guide to NHIs is the most direct reference point for lifecycle, visibility, and rotation basics.
Key questions
Q: How should security teams govern AI agents as non-human identities?
A: Security teams should govern AI agents as managed non-human identities with explicit ownership, scoped permissions, lifecycle controls, and fast revocation. The key is to treat each agent like a high-velocity workload identity rather than a one-time application integration. That means discovery, inventory, least privilege, rotation, and offboarding all need to be part of the operating model.
Q: When does AI agent access become a privilege risk?
A: AI agent access becomes a privilege risk when credentials persist beyond the task, permissions exceed the workflow, or the agent can chain actions across systems without human review. At that point, the concern is not just access, but blast radius. The safest boundary is the smallest set of actions needed for the shortest possible time.
Q: What is the difference between human IAM and AI agent governance?
A: Human IAM assumes interactive sessions and predictable user behavior. AI agent governance must account for autonomous execution, tool use, continuous activity, and machine speed. That difference changes the control model: teams need runtime policy, strong revocation, and data-level authorization, not just login controls and periodic reviews.
Q: Should organisations prioritise secrets rotation or policy controls first for agents?
A: Organisations should do both, but secrets rotation usually needs to come first if agents already rely on long-lived credentials. Rotation reduces immediate exposure, while policy controls limit what an agent can do after it authenticates. If you only do one, the attack surface remains too large for meaningful governance.
Technical breakdown
Why AI agent identity governance fails legacy IAM
Traditional IAM assumes a human session model: authenticate, act, then end the session. AI agents do not fit that pattern because they can run continuously, call multiple APIs, and retain access across tasks. That creates a mismatch between identity issuance and actual runtime behavior. If access is granted as a blanket entitlement, the control plane cannot distinguish between a safe action and an overreach. The result is not just more access, but less contextual certainty about who or what is acting on behalf of whom.
Practical implication: Treat agent identities as runtime entities with explicit ownership, context, and revocation paths.
Secrets, tokens, and the problem of durable trust
The article highlights hard-coded API keys, long-lived tokens, and service account overprovisioning as the practical weakness behind agent deployments. These are NHI patterns, not abstract risks. A credential that survives far longer than the task it was meant for becomes durable trust debt, because compromise remains useful long after the original workflow changes. Rotation helps, but only if the organization can inventory where the secrets live, who can use them, and how quickly they can be revoked when behavior changes.
Practical implication: Inventory every agent credential, shorten its lifetime, and align rotation with actual task scope.
Fine-grained authorization for retrieval and action paths
Agents that use retrieval augmented generation or chained tool access need authorization at a more granular level than application-wide allow lists. Coarse-grained controls may permit the agent to connect, but they do not control which records, documents, or actions it can reach inside the workflow. That is where data-level policy, relationship-based access, and contextual approval steps matter. The technical issue is not simply access to a tool, but the path from prompt to data to action.
Practical implication: Apply data-level and action-level policy controls, not just app-level access approval.
Threat narrative
Attacker objective: The attacker wants to convert a single agent credential into repeated, high-speed access across multiple systems and data sets.
- Entry occurs when developers hard-code API keys or issue long-lived tokens for an agent to reach tools and data sources.
- Escalation follows when the agent is over-provisioned with broad service account permissions that exceed the task scope.
- Impact occurs when a compromised agent can chain API actions at high speed across systems and widen the blast radius far beyond a human session.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent identity governance is now an NHI problem, not a side effect of AI adoption. The article describes autonomous software with credentials, permissions, and data reach, which places it squarely inside non-human identity management. Once an agent can execute actions independently, it needs ownership, lifecycle control, and revocation just like any other machine identity. Practitioners should stop treating agent governance as a separate AI initiative.
Durable trust is the real vulnerability in most agent deployments. Hard-coded secrets and long-lived tokens create a security model where access outlives the task and often outlives the team that created it. That is trust debt, and it compounds as more agents are added. The practical lesson is that rotation, offboarding, and secret inventory are not hygiene tasks, they are control-plane requirements.
Fine-grained authorization must move closer to the data path. Agents do not just authenticate, they retrieve, summarize, and act across systems. If policy stops at the application boundary, the organization has only controlled entry, not behavior. The named concept here is the identity blast radius: how far a single compromised agent can move before controls intervene. Practitioners should design for blast-radius reduction, not just login assurance.
Shadow AI becomes a governance problem the moment builders can spin up agents faster than IT can register them. The article’s operational model assumes discovery, registry, lifecycle policy, and emergency revocation, which means teams need intake and control processes before scale arrives. That aligns with the way NHI programs mature in practice. The field should expect AI agent governance to converge with broader NHI operations.
Zero Trust only works here if identity, context, and revocation are continuous. Static trust assumptions break when agents act outside business hours, across services, and without a human in the loop. The discipline is no longer about allowing the right login, but limiting the next action. Security teams should map agent governance to Zero Trust execution, not to legacy perimeter thinking.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For a broader control baseline, see Top 10 NHI Issues for the lifecycle and governance gaps that AI agent programmes inherit.
What this signals
Identity blast radius: AI agent programmes fail fastest when organisations can issue credentials faster than they can trace ownership. With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the governance question is no longer adoption speed but containment discipline. The reader should expect agent oversight to become a standard part of identity operations, not a specialist side task.
As agent deployments expand, the practical programme shift is toward continuous discovery, shorter credential lifetimes, and explicit approval paths for high-risk actions. That maps cleanly to Zero Trust execution and to the lifecycle controls described in the Ultimate Guide to NHIs. Teams that wait for perfect policy coverage will already be behind the operational curve.
The next control gap is not authentication alone, but proving which data an agent touched and which actions it can still take. That is where agent governance intersects with the NIST AI Risk Management Framework, especially governance, mapping, and monitoring expectations. Practitioners should prepare for audit questions about agent ownership, data reach, and revocation speed.
For practitioners
- Create a registry for all AI agent identities Record owner, purpose, permissions, connected tools, and revocation path for every agent so no autonomous identity remains unaccountable. Use the registry as the source of truth for reviews and decommissioning.
- Replace long-lived secrets with short-lived token flows Eliminate hard-coded API keys and static service account credentials wherever agents are involved. Use short-lived tokens, automate rotation, and tie issuance to a defined task or workflow window.
- Enforce data-level authorization for retrieval workflows Apply fine-grained policy to the documents, records, and APIs an agent can reach, not just the application it enters. Use contextual approval for high-risk actions that cross systems or expose sensitive data.
- Build an emergency revocation path for agent misbehavior Define how to disable agent credentials, terminate sessions, and remove tool access when behavior exceeds scope. Test the process the same way you test incident response for privileged accounts.
Key takeaways
- AI agents are operational identities, so IAM teams need lifecycle, ownership, and revocation controls rather than one-off integrations.
- The scale of the risk is already visible in the article's adoption numbers, while the control gap remains obvious in governance maturity.
- The practical response is to reduce blast radius through short-lived secrets, fine-grained authorization, and continuous discovery of unmanaged agents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-01 | Agent identity sprawl and tool misuse map directly to agentic application risks. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets and overprovisioned service accounts are classic NHI control failures. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires continuous verification for autonomous actors and their data access. |
Apply continuous authorization checks and revoke access when agent behavior drifts from scope.
Key terms
- AI Agent: An AI agent is autonomous software that can make decisions, invoke tools, and carry out actions without a human approving every step. In security terms, it behaves like a non-human identity with runtime privileges, making ownership, scope, and revocation essential.
- Shadow AI: Shadow AI is an AI agent or model workflow that exists outside approved governance, monitoring, or inventory. These systems often appear through developer experimentation or business-led automation, which makes discovery and registration critical before access becomes unmanageable.
- Identity Blast Radius: Identity blast radius is the amount of damage a single identity can cause if it is compromised or misused. For agents and service accounts, the blast radius depends on credential lifetime, privilege scope, connected systems, and how quickly access can be revoked.
- Fine-Grained Authorization: Fine-grained authorization is access control that evaluates specific resources, actions, and context rather than granting broad application-level permission. For AI agents, this is the difference between merely connecting to a system and being limited to the exact data or action the task requires.
Deepen your knowledge
AI agent identity governance, secrets rotation, and least-privilege access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous software and service identities, it is worth exploring.
This post draws on content published by Okta: Securing AI Agents From Development to Enterprise Scale. Read the original.
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
