TL;DR: AI agents reintroduce the credential sprawl, shared secrets, and opaque delegation patterns that security teams spent years trying to eliminate, according to Riptides. Because these systems select tools at runtime and carry delegated human authority, existing IAM and secrets governance assumptions no longer hold.
At a glance
What this is: This is an analysis of why AI agents create a fresh identity problem, with runtime autonomy and delegated credentials expanding attack surface beyond traditional workload controls.
Why it matters: It matters because IAM, PAM, and NHI programmes now have to govern actors that can change access patterns mid-session, making static provisioning, review cycles, and secrets handling less reliable.
👉 Read Riptides' analysis of AI agent identity and secretless credential management
Context
AI agent identity risk starts with a simple governance problem: the same access assumptions built for predictable workloads do not survive runtime tool selection, delegated authorization, and short-lived agent sessions. When an agent can connect to multiple systems in one task, identity becomes dynamic rather than fixed.
For IAM and NHI teams, the issue is not just credential storage. It is the gap between how access is granted and how access is actually exercised once an agent is operating autonomously across SaaS tools, cloud APIs, model endpoints, and internal systems.
Key questions
Q: How should security teams govern AI agents that can invoke multiple tools in one session?
A: Security teams should govern AI agents as decision-making identities, not just tool users. That means defining tool access, context scope, and escalation limits together, then monitoring the full execution chain for unexpected combinations of actions. If those controls are split across teams or policies, the agent can move faster than review cycles and create impact before anyone intervenes.
Q: Why do AI agents complicate least privilege in IAM programmes?
A: AI agents complicate least privilege because their useful scope is often broader than a traditional service account, but their actual authority should still be narrower at each action. The control has to move from static entitlement management to request-time decisioning, especially for tool use and downstream side effects.
Q: What breaks when AI agent access relies on long-lived secrets?
A: Long-lived secrets let AI agents carry persistent access far beyond the task they were created for. That increases theft risk, complicates offboarding, and makes it harder to prove scope at audit time. Secretless, short-lived access is safer because the credential exists only for the current task and runtime context.
Q: How can organisations make AI agent actions auditable?
A: Organisations need logs that connect each action to a specific agent identity, the delegator, the purpose, the tokens used, and the downstream systems touched. Auditability should cover the entire delegation chain, not just the final API call. If the record stops at the application layer, it will not support compliance, incident response, or accountability.
Technical breakdown
Why autonomous agent identity changes the access model
Traditional workload identity assumes the actor’s purpose, toolset, and access path are known at provisioning time. AI agents break that assumption because they decide which tools to call, in what order, and sometimes whether to spawn sub-agents or delegate tasks mid-session. That makes least privilege harder to define as a static entitlement. The real issue is not only exposure of secrets, but the inability to predict the full access path before execution begins. Once an agent can move between services on demand, access governance has to account for runtime behaviour, not just assigned permissions.
Practical implication: review which access decisions in your programme still assume predictable workloads and fixed execution paths.
How prompt injection turns delegated credentials into a credential theft problem
Prompt injection is effective because it does not need a conventional exploit chain. Malicious instructions can be embedded in content the agent processes, causing the agent to reveal or misuse credentials that it already holds or can reach. In agentic systems, this becomes a credential governance issue as much as an application security issue, because the agent is often operating with delegated human authorization. If the actor can be convinced to follow hostile instructions, the boundary between approved use and credential abuse collapses inside the workflow itself.
Practical implication: treat any agent that can read untrusted content as a potential credential exposure path, not just a model safety concern.
Why secretless architectures matter for AI agent security
Secretless architecture removes the credential from the agent’s address space and shifts enforcement below the application layer. In the model described here, the kernel mediates access, verifies identity, and injects credentials at request time so the agent never stores the real token in memory, config, or environment variables. That changes the attacker’s task from stealing a visible secret to trying to defeat the enforcement layer itself. For AI agents, this is a structural control, not a hygiene improvement. It directly addresses the trust problem created when autonomous software can be prompted into disclosing its own access material.
Practical implication: prioritize architectures that keep real credentials outside agent reach, especially where prompt injection or delegation is in play.
Threat narrative
Attacker objective: The attacker aims to convert an agent's delegated access into unauthorized control over the services and data that agent can reach.
- Entry occurs when an attacker injects malicious instructions into content the agent processes, such as prompts, documents, or external tool outputs.
- Escalation happens when the agent follows the hostile instruction path and discloses or reuses delegated credentials to reach connected services.
- Impact follows when the attacker uses those credentials to access cloud APIs, SaaS tools, or internal systems under the agent's or user's authority.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agents expose an identity assumption collapse, not just a secrets problem. Least privilege was designed for actors whose access path could be bounded at provisioning time. That assumption fails when an agent chooses tools at runtime, spawns sub-agents, and changes its access pattern inside a single task. The implication is that IAM programmes must rethink how privilege is defined for actors whose intent is not fully knowable in advance.
Secretless enforcement is the right response to a trust model that no longer scales. The core issue is not whether secrets are rotated faster, but whether the agent should hold the real credential at all. Once credentials sit inside the agent process, prompt injection becomes a direct path to credential exposure. Practitioners should treat this as a structural governance boundary, not a tuning problem.
Dual-identity auditability is becoming mandatory for agent governance. Security teams need to know which agent acted, which human it represented, and under what policy. That requirement crosses IAM, PAM, and NHI governance because delegated authorization is now moving through autonomous software rather than through a stable human workflow. Practitioners should demand separate accountability for workload identity and delegated user identity.
Runtime verification is now more relevant than launch-time trust for agentic workloads. Traditional workload identity models often certify a process once and then rely on that initial trust for the certificate lifetime. Agents can drift, delegate, or change behaviour long before a review cycle catches up. The practical conclusion is that identity governance for agents must be continuous, not point-in-time.
Named concept: identity blast radius. In agentic systems, the blast radius is no longer defined only by the secret or account granted at setup. It expands with every tool, model endpoint, and delegated service the agent can touch during execution. That makes access containment a runtime property, not merely a provisioning decision. Practitioners should evaluate agent programmes by how far compromised behaviour can travel in-session.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why delegated non-human access is so hard to govern in practice.
- For a broader breach lens, 52 NHI Breaches Analysis shows how identity gaps turn into repeatable compromise patterns.
What this signals
Identity blast radius: agentic systems expand the scope of compromise because one actor can chain multiple tools, credentials, and services in a single session. That makes the governance question less about whether an access policy exists and more about how far a compromised session can travel before it is contained.
With 96% of organisations storing secrets outside of secrets managers in vulnerable locations such as code, config files, and CI/CD tools, per Ultimate Guide to NHIs, agent programmes that still expose real credentials to the runtime are inheriting a problem the industry has not solved at scale.
For practitioners, the forward signal is clear: agent governance will converge with NHI governance, workload identity, and PAM because delegated authority is now moving through software that behaves differently from traditional service accounts. Teams that can separate workload identity from delegated user context will have a cleaner path to revocation, investigation, and policy enforcement.
For practitioners
- Map every agent-held credential path Inventory where real credentials still reach the agent process, including environment variables, memory, config files, and SDK caches. Then classify each path by the services it can reach and the human or workload identity behind it.
- Separate delegated user access from agent workload identity Require each agent action to be auditable as two identities: the workload identity that executed the request and the human identity on whose behalf it acted. This makes abuse, revocation, and investigation materially clearer.
- Prioritise secretless request mediation for high-risk agents Move the real token or secret out of the agent’s reach and enforce access at a layer the agent cannot tamper with. Focus first on agents that can read untrusted content or connect to third-party SaaS and cloud APIs.
- Re-test access review assumptions for autonomous workloads Check whether your access certification process can actually observe and revoke access that may exist only for seconds. If the answer is no, redesign governance around runtime enforcement rather than periodic review.
Key takeaways
- AI agents are forcing IAM teams to reconsider assumptions built for predictable workloads, because runtime tool selection changes the access model inside a single session.
- Delegated credentials and prompt injection create a direct path from content ingestion to credential abuse when the agent can reach real secrets.
- Governance will improve fastest where organisations keep real credentials out of agent reach and audit both the agent identity and the user it represents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The article centers on agent runtime behaviour and prompt-injection-driven credential abuse. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | The post focuses on non-human identities and secret exposure in agent workflows. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access governance are central to the article's argument. |
| NIST Zero Trust (SP 800-207) | The article argues for continuous verification instead of point-in-time trust. | |
| MITRE ATT&CK | TA0006 , Credential Access; TA0002 , Execution | Prompt injection and credential disclosure map to credential access and execution abuse patterns. |
Apply zero-trust principles to agent sessions so access is continuously verified and revoked when posture drifts.
Key terms
- Agentic AI Identity: The complete set of credentials, permissions, and governance controls applied to an autonomous AI agent — covering authentication, authorisation, action logging, and access revocation. Distinct from traditional NHI because agent identities are often ephemeral, delegated, and multi-hop.
- Delegated Authorization: A model in which an application is allowed to act on a user’s behalf after explicit approval. In SaaS environments, delegated authorization is powerful but risky because excessive scope or weak revocation can turn a routine integration into durable non-human access.
- Secretless architecture: A secretless architecture is a model where applications and workloads authenticate with identity instead of handling reusable credentials directly. The secret may still exist in the system, but it is issued, used, and revoked behind the scenes so the workload never sees it.
- Identity Blast Radius: The amount of damage a compromised identity can cause across systems, data, and infrastructure. In NHI environments, it is shaped by permissions, network reach, and administrative capability rather than by the credential alone. Reducing blast radius is a containment strategy that limits lateral movement and data exposure.
What's in the full article
Riptides' full article covers the operational detail this post intentionally leaves for the source:
- Kernel-level enforcement flow showing how requests are intercepted and authenticated without exposing the real secret.
- Dual-identity handling details for workload identity and delegated user identity across agent sessions.
- Continuous posture verification logic for detecting drift, binary changes, or suspicious runtime behaviour.
- Deployment implications for Linux-based agent environments without changing agent code.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org