TL;DR: AI agents are already interacting, transacting, and making trust decisions without a reliable identity layer, and a misconfigured database exposing 1.5 million API keys showed how quickly that gap can become an accountability problem, according to Incode. The current model assumes agents can borrow human identity patterns, but autonomy breaks that assumption.
At a glance
What this is: This is an analysis of why the emerging agent economy lacks the identity layer needed to verify AI agents, bind them to owners, and preserve accountability when credentials fail.
Why it matters: It matters because IAM, IGA, and PAM teams will have to govern agent identities, not just users and service accounts, if autonomous systems are allowed to act, transact, and delegate.
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
👉 Read Incode's analysis of what Moltbook reveals about the agent economy
Context
AI agent identity is becoming a governance problem because autonomous systems are now acting as first-class participants in digital workflows, but most enterprise identity models still assume a human subject behind the action. When the subject is an agent rather than a person, email-based ownership, OAuth possession, and API key possession do not provide durable accountability.
The core failure is not simply that credentials can be stolen. It is that current IAM patterns do not reliably answer who controls an agent, who is responsible when it acts, or how another agent should verify the claim before trusting it. That makes the agent economy an identity architecture problem, not just an application security issue.
Key questions
Q: How should security teams govern AI agents that act without direct human oversight?
A: Security teams should govern AI agents as identities with defined ownership, verification, and recovery requirements, not as simple application components. That means each agent needs a verified responsible party, auditable claims, and lifecycle controls that survive credential compromise. Without those controls, autonomous actions cannot be reliably attributed or contained.
Q: Why do API keys and OAuth tokens fail as identity proof for AI agents?
A: API keys and OAuth tokens prove access possession, not legitimate agency. An AI agent can be copied, impersonated, or reconfigured while the credential remains valid, which means the token does not prove who controls the agent or whether its claims are trustworthy. That is why durable ownership binding is required.
Q: What breaks when agent identity is only verified through credentials?
A: What breaks is accountability. Credential-only verification can tell you that something authenticated, but not whether the authenticating actor is the real owner, a compromised copy, or a delegated system acting outside its intended scope. In agent ecosystems, that gap turns trust into a liability.
Q: Who is accountable when an AI agent makes an unauthorised action?
A: Accountability should follow the verified owner of the agent, the organisation that authorised its use, and the governance process that allowed the action path. If those links are missing, the organisation has an identity governance failure, not just an application security issue.
Technical breakdown
Cryptographic binding between agents and owners
The article points to a missing identity primitive: a durable link between an AI agent and the human or organisation responsible for it. In human IAM, identity proofing and federation establish a trusted subject, but agent ecosystems often rely on movable credentials such as API keys or OAuth tokens. Those credentials prove possession, not accountability. If an agent can be copied, reconfigured, or impersonated, the identity relationship collapses unless the agent is bound to a verified anchor that survives credential compromise. That is the central architectural gap in the agent economy.
Practical implication: treat agent ownership as an identity binding problem, not a token storage problem.
Agent-to-agent trust verification
Agent-to-agent interaction creates a second problem: one agent needs to evaluate whether another agent is legitimate, authorised, and uncompromised before accepting claims. Traditional trust flows depend on central systems, user prompts, or static policy checks, but agents operate at machine speed and can make requests recursively. Without verifiable claims, any agent can assert authority it does not truly have. That is why agent identity infrastructure needs cryptographic assertions that can be checked locally or through trusted verification paths, rather than blind reliance on the presence of a valid credential.
Practical implication: design approval and verification flows that let agents validate claims before acting on them.
Recovery without erasing accountability
The article also highlights a recovery gap. Revoking and reissuing a credential may restore access control, but it does not restore identity certainty or responsibility tracking. For autonomous systems, the system needs a way to distinguish the legitimate owner from the compromised instance and preserve a record of what the agent did before recovery. That means lifecycle governance for agents has to include recovery mechanisms, ownership continuity, and auditability, not just reset-and-reissue operations. Otherwise, recovery breaks the evidentiary chain as soon as incident response begins.
Practical implication: build incident recovery for agents around accountability continuity, not just credential replacement.
Threat narrative
Attacker objective: The attacker objective is to impersonate agents, hijack their authority, and use exposed trust relationships to trigger unauthorised actions at scale.
- Entry occurred through a misconfigured Supabase database that exposed 1.5 million API keys, 35,000 email addresses, and private messages between agents.
- Escalation followed when exposed credentials enabled impersonation of agents and allowed attackers to execute actions on their behalf, including full AI agent takeover scenarios.
- Impact was the collapse of trust and accountability across the agent network, where compromised identity claims could cascade into unauthorised actions and disputed responsibility.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- CoPhish OAuth Token Theft via Copilot Studio — CoPhish campaign exploits Microsoft Copilot Studio agents to steal OAuth tokens via AI-assisted phishing.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agent identity binding is the missing control plane for the agent economy. The article shows that email addresses, OAuth tokens, and API keys are being used as if they were durable identity anchors, but they only prove possession. That is insufficient when agents can act independently and be cloned or impersonated at machine speed. The implication is that ownership, verification, and recovery all need a cryptographic identity layer, not a borrowed human workflow.
Cryptographic binding is more important than credential possession in autonomous systems. In human IAM, possession often maps to an accountable person, but an agent can be separated from its operator, copied, or delegated across systems without that link surviving. This is exactly where OWASP-NHI and Zero Trust thinking converge: the subject of trust is no longer the token holder, it is the runtime actor. Practitioners must stop treating valid credentials as proof of legitimate agency.
Identity verification between agents must become a prerequisite for machine-to-machine collaboration. The article’s agent-to-agent trust problem is not a future edge case, it is a scaling constraint for any platform that wants autonomous systems to transact with each other. Without verifiable claims, platforms either trust everything or verify nothing, and both options are operationally brittle. The identity security discipline now has to account for agent assertions as first-class governance objects.
Accountability collapses when the recovery path is only reset and reissue. The article makes clear that revoking a compromised agent’s credentials does not answer who acted, who approved, or which identity should be held responsible after recovery. That is a governance failure, not just an incident response gap. The implication for practitioners is that lifecycle and forensic continuity must be designed into the agent identity model from day one.
Agentic identity will move from a technical preference to a regulated control surface. The article correctly anticipates that sectors handling financial, healthcare, and regulated data will be forced to answer who is liable when an autonomous system acts. That aligns with how IAM, PAM, and NHI governance have historically become compliance issues once systems begin to exercise real authority. Practitioners should expect auditability of agent actions to become a baseline requirement, not a differentiator.
From our research:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- From our research: 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- From our research: Read OWASP Agentic AI Top 10 for the control patterns that map directly to agent identity, tool misuse, and trust verification gaps.
What this signals
Agent identity governance is moving from experimental policy work to operational control work. With only 52% of companies able to track and audit the data their AI agents access, the blind spot is already large enough to affect compliance, incident response, and internal investigations. Teams that wait for a mature agent platform to appear will be late to the governance model that platform requires.
Ephemeral agent trust debt: when an organisation relies on credentials alone to manage autonomous systems, it accumulates trust relationships it cannot later explain or defend. The practical consequence is that IAM, PAM, and IGA teams will need to trace agent actions back to identity anchors, not just authentication events.
The governance pressure will intensify as agent-to-agent interactions become common in regulated workflows. In practice, that means programme owners should align agent identity controls with the NIST AI Risk Management Framework and agentic application guidance before the first significant audit or incident arrives.
For practitioners
- Map every agent to a verified owner anchor Replace loose ownership based on email addresses, OAuth tokens, or API keys with a durable linkage to a human or organisational identity anchor. Preserve that mapping through provisioning, delegation, and recovery so accountability survives credential compromise.
- Separate credential proof from identity proof Treat possession of a token or key as insufficient evidence of legitimate agency. Require additional verification that the agent is bound to a known owner and that its claims can be checked before another system accepts them.
- Build agent recovery around forensic continuity When an agent is compromised, preserve the audit trail, ownership chain, and action history before reissuing credentials. A reset that erases evidence restores access control but weakens accountability and incident reconstruction.
- Define trust checks for agent-to-agent requests Establish whether an agent may accept another agent’s claim, and under what cryptographic or policy conditions that claim is validated. Machine-speed interaction needs machine-speed verification, not trust by default.
Key takeaways
- The article shows that the agent economy is colliding with a missing identity layer, not just a missing security control.
- The scale of the problem is already visible, with 1.5 million exposed API keys and only 52% of organisations able to audit agent-accessed data.
- Practitioners need durable agent ownership, verifiable claims, and recovery paths that preserve accountability, or autonomous actions will outpace governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent identity binding and tool trust are central to the article's risk model. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centers on non-human identity binding and credential-based trust failure. |
| NIST AI RMF | GOVERN | The article raises accountability and oversight issues for autonomous systems. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control for agent actors aligns with access control governance. |
| NIST Zero Trust (SP 800-207) | The article's trust-verification problem fits zero-trust assumptions for machine actors. |
Apply NHI governance to bind agent actions to durable identity anchors and reduce possession-only trust.
Key terms
- Agent Identity Binding: The cryptographic or governance link between an AI agent and the human or organisation responsible for it. In practice, binding is what turns a movable credential into a durable accountability relationship that survives impersonation, redeployment, and recovery.
- Agent-to-Agent Trust Verification: The process of checking whether one AI agent’s claims, permissions, and authority are legitimate before another agent relies on them. It replaces blind trust with proof-based verification, which is necessary when autonomous systems negotiate and act without human prompts.
- Accountability Continuity: The ability to preserve ownership, action history, and evidentiary traceability across compromise and recovery. For autonomous and non-human identities, continuity matters because resetting access alone does not preserve who acted or why the action was allowed.
- Credential Possession: Proof that something holds a secret, token, or key, but not proof that the holder is the legitimate actor. For agents, possession is a weak trust signal because credentials can be copied, delegated, or abused without preserving the original owner relationship.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The article expands on cryptographic binding concepts for agent-to-owner relationships and how they differ from simple credential possession.
- It includes concrete questions teams should ask when building agent-to-agent verification into platform design.
- It discusses the regulatory and liability implications for financial services, healthcare, and regulated workflows.
- It outlines Incode's own identity verification framing for autonomous systems and the rationale behind it.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org