TL;DR: AI agents introduce identity dark matter and operational risks that outpace human review, while most enterprises remain unprepared because discovery, attribution, audit, and runtime controls are fragmented, according to Orchid Security and Gartner’s Market Guide for Guardian Agents. Access review processes assume access persists long enough to be reviewed; autonomous behaviour collapses that window within the session itself.
At a glance
What this is: Orchid Security's analysis says AI agents are creating unmanaged identity dark matter and exposing gaps in attribution, audit, and runtime control.
Why it matters: IAM teams now need governance models that work across human, non-human, and autonomous identities because agentic behaviour changes how access is discovered, assigned, and controlled.
👉 Read Orchid Security's analysis of Gartner's guardian agent market guide
Context
AI agent identity governance is now a distinct IAM problem because agents can hold their own identities, use tools, and act in ways that are not well captured by human-centric approval and review models. The core gap is not just access volume, but the loss of clear ownership, auditability, and control once an agent begins acting at runtime.
That matters for NHI programmes because agent identities inherit many of the same failure modes as service accounts and API keys, then add dynamic tool use and context-driven behaviour. Existing IAM stacks were built to govern stable actors and predictable access paths, not identities that can repeatedly reshape what they touch in the course of a task.
Key questions
Q: How should security teams govern AI agents that can use enterprise tools?
A: Treat each agent as an identity with its own ownership, role, and approval trail. Governance should combine discovery, task-scoped access, runtime policy checks, and immutable audit logs so the agent cannot act outside its intended purpose without detection. The key is to control the action as it happens, not only when the agent is provisioned.
Q: Why do AI agents create problems for traditional IAM review processes?
A: Traditional IAM review assumes access is stable long enough to be observed, certified, and revoked. AI agents can create, use, and discard access within a single run, so periodic review often arrives after the meaningful exposure has already occurred. That is why runtime enforcement matters more than retrospective certification for agentic identities.
Q: What do organisations get wrong about agent identity attribution?
A: They often treat the human prompt as the identity, when the agent itself is the actor making tool selections and execution decisions. That mistake breaks accountability because the audit record no longer shows who owned the agent, who approved its access, and which action chain it executed. Attribution must follow the agent instance, not the user's intent alone.
Q: Who is accountable when an AI agent causes an access or compliance failure?
A: Accountability should sit with the owner of the agent, the approver of the workflow, and the team responsible for the control plane that allowed the action. In practice, that means organisations need explicit ownership, recorded approvals, and traceable logs for every agent run so responsibility is not lost across the delegation chain.
Technical breakdown
Human-to-agent attribution and identity ownership
AI agents are often assumed to operate on behalf of a person, but in practice they need their own identity objects, role bindings, and ownership links. Human-to-agent attribution means the system must record which human or service owner triggered the run, who approved the tool use, and which agent instance executed it. Without that chain of custody, accountability breaks down across IAM, audit, and incident response. This is especially important when multiple agents are embedded in SaaS, self-hosted systems, or third-party workflows.
Practical implication: map every agent identity to a named owner and preserve the approval chain for each run.
Runtime inspection and context-aware guardrails
Static permissions are not enough when an agent can choose actions at execution time. Runtime inspection evaluates whether the agent's action still matches the original intent, current context, target sensitivity, and policy thresholds before the action is allowed to continue. That shifts governance from provisioning-time control to execution-time enforcement. It also closes the gap between what was approved in principle and what is actually being done in the moment, which is where agent misuse often begins.
Practical implication: enforce policy at runtime, not only at onboarding or periodic review.
Just-in-time authorization for agent actions
Just-in-time access is a better fit for agentic systems than standing privilege because many agent tasks are narrow, time-bound, and purpose-specific. The model works only when the access grant is tied to a single task, target, and approval context, then revoked as soon as the work is complete. For AI agents, this also needs to include secrets handling, step-up approval for sensitive targets, and logging of the full action chain from agent to tool to target.
Practical implication: replace persistent access with task-scoped grants and verified revocation.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting non-human identities, including AI agents.
NHI Mgmt Group analysis
Identity dark matter is now a governance problem, not just a discovery problem: AI agents expand the population of unmanaged identities while also making hidden access more active and more consequential. The issue is not merely that the identities are hard to find. The deeper problem is that once an agent is discovered, its behaviour can still drift faster than human review cycles can contain, which makes the identity layer itself the new control boundary. Practitioners should treat agent discovery and agent governance as one continuous discipline.
Human-to-agent attribution is the minimum viable control premise for accountability: AI agents do not inherit accountability cleanly from the person who prompted them. That assumption fails when a single agent run can chain multiple tool calls, span systems, and make decisions at runtime before any human can intervene. The implication is that governance models need to stop treating attribution as an annotation and start treating it as a first-class identity property.
Dynamic, context-aware guardrails are becoming the new least privilege for agents: Least privilege was designed for relatively stable access scopes. That assumption weakens when the actor can alter tool choice, timing, or execution path during the session. For agentic systems, privilege is no longer only about what was provisioned, but about whether the current action still fits the approved purpose, target, and risk posture. Practitioners should re-evaluate whether their controls can enforce that distinction in real time.
Runtime governance will separate agent-ready IAM from legacy identity control planes: Static review, periodic recertification, and broad standing privileges are mismatched to systems that decide and act continuously. The market is moving toward identity control planes that combine discovery, attribution, policy enforcement, and remediation in one loop. That direction validates the need for tighter orchestration, but it also raises the bar for evidence, because governance claims will need to survive real execution traces, not just policy documentation. Practitioners should expect agent governance to become a core IAM design requirement.
Identity dark matter: unmanaged agent identities hidden in plain sight: This is the named concept that best captures the category problem. AI agents amplify the invisible layer of identities that already exists in modern environments, then use that hidden access to accelerate tasks and bypass weak governance paths. The practical conclusion is simple: if the identity programme cannot see, attribute, and constrain agent activity, it cannot claim control over the environment.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- For a deeper lifecycle lens, see Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs for provisioning, rotation, and offboarding patterns that still underpin agent governance.
What this signals
Identity dark matter will become a board-level governance signal as agent adoption expands: When organisations cannot see most of their non-human identities, they also cannot reliably classify which agent behaviours are legitimate, delegated, or shadow. That creates a programme-level blind spot that spans IAM, PAM, and NHI governance.
The practical shift is toward control-plane thinking, where discovery, attribution, policy, and remediation are treated as a single operating loop rather than separate projects. Teams that continue to separate inventory from enforcement will find agent governance too slow to keep pace with runtime decision-making.
For practitioners building the next phase of controls, the most useful reference points are Ultimate Guide to NHIs and the OWASP Agentic AI Top 10, because the first explains the identity baseline and the second maps the runtime failure patterns that emerge when agent behaviour is not constrained.
For practitioners
- Inventory every agent identity and its owner: Create a complete register of agents, where they run, which tools they can reach, and which human or system owner is accountable for each one. Include embedded, SaaS-delivered, and third-party agent instances.
- Enforce runtime guardrails on agent execution: Evaluate each action against current context, target sensitivity, and policy before allowing the agent to continue. Block or step up approval when the action diverges from the approved intent or crosses a high-risk boundary.
- Replace standing privilege with task-scoped access: Issue time-bound permissions for a single agent task, then revoke them when the workflow closes. Tie this to secrets handling so static credentials do not survive beyond the purpose that justified them.
- Log the full agent-to-tool-to-target chain: Capture the agent identity, tool/API used, action taken, target reached, approval path, and outcome in one auditable record. Use that trace for incident response, compliance, and post-event review.
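As an added illustration of the technical breakdown above and of the four practitioner steps just listed (example code written for this post, not Orchid Security's or any vendor's implementation), the Python sketch below models a task-scoped grant carrying owner and approver attribution, checks every tool call at runtime against tool scope, target scope, expiry, revocation, and target sensitivity, and appends each decision to an agent-to-tool-to-target audit record. All agent ids, owners, targets, and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
SENSITIVE_TARGETS = {"prod-db"}  # constructed sample: targets that need step-up approval

@dataclass
class TaskGrant:
    """Task-scoped grant: one agent, one task, one tool, bounded targets and lifetime."""
    agent_id: str
    owner: str            # accountable human or system owner (attribution)
    approver: str         # who approved this workflow
    task_id: str
    tool: str
    allowed_targets: frozenset
    expires_at: datetime
    revoked: bool = False

class RuntimeGuardrail:
    """Checks each agent action at execution time and records the agent-to-tool-to-target chain."""
    def __init__(self):
        self.audit = []   # append-only trail; denials and step-ups are recorded too

    def authorize(self, grant, tool, action, target, now, step_up_approved=False):
        checks = [(grant.revoked, "grant revoked"),
                  (now >= grant.expires_at, "grant expired"),
                  (tool != grant.tool, "tool outside task scope"),
                  (target not in grant.allowed_targets, "target outside task scope")]
        reason = next((why for failed, why in checks if failed), None)
        outcome = "deny" if reason else "allow"
        if outcome == "allow" and target in SENSITIVE_TARGETS and not step_up_approved:
            outcome, reason = "step_up", "sensitive target needs fresh approval"
        self.audit.append({"agent": grant.agent_id, "owner": grant.owner, "approver": grant.approver,
                           "task": grant.task_id, "tool": tool, "action": action, "target": target,
                           "outcome": outcome, "reason": reason or "within task scope",
                           "ts": now.isoformat()})
        return outcome

def run_demo():
    """Constructed walk-through: a ten-minute grant for one reconciliation task."""
    t0 = datetime(2026, 3, 17, 9, 0, tzinfo=timezone.utc)
    g = TaskGrant("agent-42", "owner@example.test", "approver@example.test", "recon-1",
                  "sql_query", frozenset({"reporting-db", "prod-db"}), t0 + timedelta(minutes=10))
    rg = RuntimeGuardrail()
    out = [rg.authorize(g, "sql_query", "SELECT", "reporting-db", t0),
           rg.authorize(g, "sql_query", "SELECT", "prod-db", t0),            # needs step-up
           rg.authorize(g, "sql_query", "SELECT", "prod-db", t0, step_up_approved=True),
           rg.authorize(g, "http_fetch", "GET", "reporting-db", t0),         # tool drift
           rg.authorize(g, "sql_query", "SELECT", "reporting-db", t0 + timedelta(minutes=11))]
    g.revoked = True  # workflow closed: the grant must not survive it
    out.append(rg.authorize(g, "sql_query", "SELECT", "reporting-db", t0))
    return out, rg.audit
```

Every call, including the denied and stepped-up ones, lands in the audit list with owner, approver, task, tool, target, and outcome, which is the record the incident responder needs when the human prompt alone cannot explain what the agent did.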
Key takeaways
- AI agent governance fails when identity, ownership, and runtime control are treated as separate problems.
- Hidden non-human identities already limit visibility for most organisations, and agentic systems make that gap more dangerous.
- The control model that matters now is task-scoped access with runtime enforcement, not periodic review alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent identity, tool use, and runtime guardrails map directly to agentic AI risk controls. |
| OWASP Non-Human Identity Top 10 | NHI-01 | AI agents function as non-human identities that need discovery, ownership, and lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access enforcement are central to controlling agent actions. |
Map agent access to least-privilege policies and verify that entitlements are continuously enforced.
Key terms
- Identity dark matter: Identity dark matter is the hidden layer of identities, entitlements, and access paths that exists but is not fully governed. In agentic environments, it includes agents, service accounts, and other non-human actors that can operate without clear ownership, visibility, or consistent policy enforcement.
- Human-to-agent attribution: Human-to-agent attribution is the practice of linking an AI agent's actions to the human or system owner responsible for initiating and governing it. It is not the same as simply logging a prompt, because accountability requires a durable chain from the actor instance through the approved workflow and into the audit record.
- Runtime guardrails: Runtime guardrails are controls that evaluate and constrain an identity's actions while it is operating, rather than only at provisioning or review time. For AI agents, they check whether an action still fits the approved purpose, target, and risk posture before the action can proceed.
- Task-scoped access: Task-scoped access is permission granted for a single purpose, bounded by time, target, and approval context. For autonomous or agentic behaviour, it is more effective than standing privilege because it narrows the exposure window to the minimum required for the work to finish.
Deepen your knowledge
AI agent identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity controls from service accounts into agentic systems, it is worth exploring.
This post draws on content published by Orchid Security: an analysis of Gartner's Market Guide for Guardian Agents and AI agent identity governance. Read the original.
Published by the NHIMG editorial team on 2026-03-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org