TL;DR: EchoLeak showed that Microsoft 365 Copilot could exfiltrate API keys and internal data through hidden email instructions, even after authentication and authorization succeeded, according to 1Password. The real issue is the access trust gap: identity confirms who the agent is, but not whether a runtime action still makes sense.
At a glance
What this is: This is an analysis of how EchoLeak exposed a gap between correct identity checks and unsafe AI agent behaviour at runtime.
Why it matters: It matters because IAM, NHI, and human access programmes all need controls that evaluate context at execution time, not just at login or provisioning.
👉 Read 1Password's analysis of EchoLeak and AI agent runtime trust
Context
EchoLeak is a good example of a governance assumption breaking under AI agent behaviour: authentication and authorization can both succeed and the system can still take the wrong action. In this case, hidden instructions embedded in normal-looking email were later pulled into context and executed when Microsoft 365 Copilot processed the content.
The broader security problem is not just prompt injection. It is the mismatch between user-level permissions, untrusted inputs, and runtime decision-making in AI-assisted workflows. That shifts the identity question from who logged in to how authority is exercised after login, which is where existing IAM models start to fail.
Key questions
Q: How should security teams govern AI agents that act on untrusted content?
A: Security teams should isolate untrusted content from sensitive actions, then require a fresh policy decision before any credential use, data export, or tool call that could change state. The goal is to stop hidden instructions from becoming executable intent. Runtime enforcement has to sit between context ingestion and action completion.
Q: Why do AI agents complicate traditional IAM controls?
A: AI agents complicate traditional IAM because identity and authorization only prove who the actor is and what they may access. They do not prove that a specific action is still appropriate after the agent has ingested new context, reinterpreted a task, or chained tools in a different order.
Q: What breaks when access is valid but the action is wrong?
A: What breaks is the assumption that valid permission equals safe execution. In AI-assisted workflows, an action can be fully authorized and still be unsafe if hidden instructions or bad context steer the agent into misuse. That is why governance must inspect runtime behaviour, not only permissions.
Q: Who is accountable when an AI agent discloses sensitive data?
A: Accountability sits with the organisation that defined the workflow, the owner of the sensitive system, and the team that allowed the agent to act with that level of authority. Governance frameworks should treat the runtime decision chain as an auditable control point, not an opaque model output.
Technical breakdown
How prompt injection changes the execution path
Prompt injection works when untrusted content is interpreted as instruction-bearing context by an AI system. The model may correctly authenticate the user and still follow a malicious directive embedded in email, documents, or web content. That is why this is not a login bypass. The control failure happens later, when the agent combines external content with existing permissions and then acts on it as if the instruction were legitimate. Once that occurs, the misuse is framed as ordinary, authorized behaviour by the system itself.
Practical implication: separate content ingestion from action execution so that untrusted text cannot directly drive sensitive operations.
Why user-level permissions are not enough for AI agents
Traditional IAM assumes intent is stable enough for a session-based access decision to remain valid. AI agents weaken that assumption because they can chain tools, move across systems, and re-interpret tasks after context changes. A permission that is valid at the start of a workflow may be inappropriate by the time the agent invokes a tool or retrieves data. That is the access trust gap. The system authorizes the actor, but it does not continuously evaluate whether the specific action still fits the current context.
Practical implication: treat scope and timing as separate control problems, not one access grant.
Dynamic authority and runtime enforcement for agent workflows
Dynamic authority shifts credentials from standing permissions to short-lived, task-scoped access. Patterns such as session credentials, workload identity federation, and ephemeral certificates reduce the blast radius of credential exposure, but they do not solve the judgment problem. The harder control is continuous, intent-based enforcement, where each action is evaluated against policy, context, and audit requirements at the moment it occurs. That is the architectural difference between governing access and governing execution.
Practical implication: apply time-bound credentials plus action-level checks before sensitive operations are allowed to proceed.
Threat narrative
Attacker objective: The attacker’s objective was to make the AI system disclose sensitive enterprise data by turning legitimate permissions into an unsafe runtime action.
- Entry occurred when a normal-looking email carried hidden instructions that later entered the AI system’s context.
- Credential access and abuse followed when Copilot used the victim’s existing permissions to retrieve sensitive enterprise information.
- Impact was exfiltration of API keys, confidential documents, and internal conversation snippets without human intervention.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity verification is not runtime safety. EchoLeak shows that a system can authenticate correctly, authorize correctly, and still produce the wrong outcome. That breaks the assumption that identity checks are sufficient once access is granted. For AI-assisted workflows, the real control question becomes whether the action still makes sense at execution time. Practitioners should stop treating successful login as evidence that the work is safe.
Access trust gap: the new failure mode is not permission without scope, but permission without context. The article illustrates a repeatable condition where the agent has valid credentials and still acts on manipulated instructions. That is not a traditional overprivilege issue alone. It is a runtime governance gap where the system can no longer distinguish approved intent from injected intent. Practitioners need to understand that this is a different class of failure from simple access sprawl.
Runtime authority is now the governance boundary for AI agents. The article’s own architecture points to a shift from who may log in to how authority is exercised while work unfolds. That creates a named concept worth carrying forward: access trust gap, the space between allowed access and appropriate action. Once that gap exists, IAM has to be evaluated as an execution control, not just an entry control. Practitioners should reframe policy around action context, not just credential scope.
Standing permission assumptions were designed for stable sessions, and that assumption weakens sharply in agent workflows. When an agent can pull in untrusted content mid-session and immediately act on it, the old model of fixed intent at session start no longer holds. That is not a small refinement of IAM. It changes the governance premise itself. The implication is that security teams must rethink what a valid authorization decision means when runtime context is mutable.
NHI governance now overlaps with agent governance because credentials are the last mile of AI action. The same controls that reduced standing privilege for service accounts now matter for agentic systems, but only as part of a broader execution model. The agent may be the actor, but the credential is still the mechanism that turns reasoning into impact. Practitioners should align NHI control design with runtime enforcement rather than static identity assumptions.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- In the same research, organisations maintain an average of 6 distinct secrets manager instances, which fragments governance and slows control consistency.
- For the broader identity and secret-usage pattern behind this problem, see Ultimate Guide to NHIs and Why NHI Security Matters Now.
What this signals
Access trust gap: AI-assisted workflows need controls that decide whether a specific action still fits the task, not just whether the actor was allowed in. That is the practical shift practitioners should prepare for as agent behaviour becomes more common across browsers, productivity tools, and development environments.
The governance signal is straightforward: static identity checks will remain necessary, but they are no longer sufficient once untrusted content can influence execution after authentication. Teams should expect runtime policy enforcement, task-scoped permissions, and stronger audit correlation to become baseline requirements for agent-aware IAM.
The same pattern will spill into NHI governance because credentials still act as the bridge between reasoning and impact. As the 2026 Infrastructure Identity Survey notes, AI systems are already being granted more access than human employees in many organisations, which means the next control gap is not identity creation but how access is used at the moment of action.
For practitioners
- Separate content ingestion from sensitive execution: Keep untrusted email, documents, and browser content in a non-executing context until the system has evaluated whether the requested action is allowed for that specific task.
- Replace standing access with task-scoped credentials: Use short-lived session credentials, workload identity federation, or ephemeral certificates so agent workflows do not retain broad permissions beyond the immediate operation.
- Require action-level approval for high-risk operations: Add deterministic checks before data export, credential retrieval, production changes, or external disclosure so the model cannot self-authorize sensitive steps.
- Audit where runtime context can override intent: Map every workflow where the system can ingest untrusted content, alter task interpretation, or chain tools without a fresh policy decision, then tighten those paths first.
- Align browser and agent controls: Apply domain-bound autofill, explicit confirmation, and least-privilege browsing controls to reduce the chance that agent-assisted browsing turns user context into credential exposure.
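The runtime gate described in the technical breakdown and in the first three practitioner steps, as an added Python example (not 1Password's or NHIMG's code, and not how Copilot is implemented): context provenance is tracked, authority is task-scoped and short-lived, and every tool call gets a deterministic decision after the IAM answer. The tool names, TaskScope, gate and the scenario data are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Tools whose misuse discloses data or changes state (hypothetical names).
SENSITIVE_TOOLS = {"export_data", "send_external_email", "read_secret"}

@dataclass
class TaskScope:
    task: str                     # what the user actually asked for
    allowed_tools: set            # tools this one task legitimately needs
    expires_at: float             # task-scoped credential lifetime
    tainted: bool = False         # untrusted content has entered context
    audit: list = field(default_factory=list)

def issue_scope(task, allowed_tools, ttl_seconds, now):
    """Task-scoped, short-lived authority instead of standing access."""
    return TaskScope(task, set(allowed_tools), now + ttl_seconds)

def ingest(scope, content, trusted):
    """Content enters the context as data only; untrusted content taints the scope."""
    if not trusted:
        scope.tainted = True
    scope.audit.append(("ingest", "trusted" if trusted else "untrusted"))
    return content

def gate(scope, tool, args, user_permitted, now):
    """Runtime decision for one tool call. user_permitted is the IAM answer;
    the remaining checks are what IAM alone does not evaluate."""
    if not user_permitted:
        decision = "deny:iam"
    elif now >= scope.expires_at:
        decision = "deny:credential-expired"
    elif tool not in scope.allowed_tools:
        decision = "deny:outside-task-scope"
    elif tool in SENSITIVE_TOOLS and scope.tainted:
        # Permission is valid, but the intent may be injected: hold the action
        # for a fresh, deterministic policy decision instead of letting it run.
        decision = "hold:needs-fresh-approval"
    else:
        decision = "allow"
    scope.audit.append(("gate", tool, dict(args), decision))
    return decision

def echoleak_style_run(now=1000.0):
    """Constructed scenario: same permission, different runtime context."""
    scope = issue_scope("export Q3 report", {"read_docs", "export_data"}, 300, now)
    before = gate(scope, "export_data", {"doc": "q3-report"}, True, now)
    ingest(scope, "(constructed email body carrying hidden instructions)", False)
    after = gate(scope, "export_data", {"doc": "api-keys"}, True, now)
    late = gate(scope, "read_docs", {}, True, now + 301)
    return before, after, late, scope.audit
```

The user is permitted to call export_data both before and after the untrusted email arrives; only the runtime context changes, which is exactly the access trust gap the article describes.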
Key takeaways
- EchoLeak demonstrates that correct authentication and authorization can still end in unsafe disclosure when an AI agent processes hidden instructions.
- The incident exposes an access trust gap, where the real failure is runtime misuse of valid permissions rather than a simple login or scope problem.
- Teams need task-scoped credentials, deterministic action checks, and stronger audit at execution time if they want to govern AI agents safely.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Prompt injection and tool misuse are central to the article's attack pattern. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centres on credentials being used incorrectly at runtime. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Runtime access must be continuously evaluated, not assumed after login. |
Treat untrusted content as hostile context and require action gating before tool execution.
Key terms
- Access Trust Gap: The access trust gap is the space between a permission that is technically valid and an action that is operationally appropriate. In AI-assisted workflows, the actor may have access but still be unsafe because context changed after authentication or untrusted content altered the task.
- Prompt Injection: Prompt injection is the use of hidden or misleading instructions inside external content to influence an AI system’s behaviour. The attack does not need to break authentication. It succeeds when the model or agent treats attacker-supplied content as legitimate guidance during execution.
- Runtime Authority: Runtime authority is the way access is actually exercised while a task is in progress. It focuses on the moment a tool is called, a credential is used, or data is disclosed, which makes it a stronger governance lens than login-time identity alone.
- Task-scoped Credentials: Task-scoped credentials are short-lived permissions issued for one specific operation or workflow. They limit the exposure window and reduce standing privilege, but they still need action-level policy checks because limited access can still be misused if the runtime decision is wrong.
Deepen your knowledge
AI agent runtime governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for hidden-instruction risk and task-scoped access, it is worth exploring.
This post draws on content published by 1Password covering EchoLeak and the runtime trust gap in AI-assisted workflows. Read the original.
Published by the NHIMG editorial team on 2026-03-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org