By NHI Mgmt Group Editorial TeamPublished 2026-08-04Domain: EventsSource: Vorlon

TL;DR: Security teams still cannot see what AI agents are actually doing in many environments, and legacy tools were built for human-speed browser interactions rather than agent-to-SaaS chains, according to Vorlon's 2026 CISO report. The governance gap is architectural: identity programmes now need to track behaviour, data flow, and delegated access together, not separately.


At a glance

What this is: This is a Black Hat event preview focused on agentic ecosystem security, showing how AI agents, SaaS apps, and non-human identities create a visibility and control gap that legacy IAM cannot track well.

Why it matters: It matters because IAM, PAM, and NHI teams now have to govern machine-speed delegation, token use, and data access across agentic workflows, not just human logins and static service accounts.

By the numbers:

👉 Read Vorlon's Black Hat briefing on agentic ecosystem security


Context

AI agent identity risk is the problem space here: a modern agent can authenticate, call tools, move data, and trigger downstream actions faster than most human-centric governance models can observe. That creates a gap between assigned permissions and actual runtime behaviour, especially when the agent uses OAuth tokens, SaaS integrations, and MCP-connected tools.

The article frames that gap as architectural rather than procedural. In practice, the issue is not whether teams have an inventory of agents, but whether they can see how those agents behave across data, identity, and integration layers. For Black Hat attendees, this is a typical enterprise problem, not an edge case.


Key questions

Q: How should security teams govern AI agent access across SaaS and MCP-connected tools?

A: Security teams should govern AI agent access as a runtime execution path, not as a static permission set. That means mapping the agent’s authentication method, tool chain, data access, and downstream writes, then applying continuous monitoring to the whole path. The goal is to reduce hidden trust between SaaS apps, tokens, and delegated actions.

Q: Why do legacy IAM controls struggle with AI agent identity risk?

A: Legacy IAM controls were designed for human-paced access requests and review cycles, so they struggle when an AI agent can act, chain tools, and move data within one session. The control boundary shifts from login events to behaviour in motion, which traditional directory and recertification models do not capture well. Context becomes essential.

Q: What breaks when organisations only inventory AI agents without watching their actions?

A: Inventory alone creates a false sense of control because it records existence, not behaviour. A known agent can still abuse authorised access, move sensitive data, or trigger unexpected third-party actions if no one is watching what it does at runtime. Visibility into action is the missing layer.

Q: Who is accountable when an AI agent causes data exposure through a trusted integration?

A: Accountability usually sits with the team that owns the delegated access path, the integration, and the data being exposed, not with the agent itself. Practically, that means IAM, SaaS security, and platform owners must share responsibility for approval, monitoring, and containment. Governance fails when no one owns the full chain.


Background and context

Why agentic SaaS chains break human-speed IAM assumptions

Legacy IAM assumes a person initiates access, an app consumes it, and controls can be reviewed after the fact. AI agents break that model by chaining authentication, data retrieval, MCP calls, and third-party writes inside one runtime sequence. The identity may be legitimate, but the behaviour is no longer human-paced or manually traceable. That makes the true security boundary the delegated workflow, not the login event. In agentic systems, the risk is often not initial compromise but legitimate access used in unexpected combinations across SaaS and AI tools.

Practical implication: map and govern delegated agent workflows as a control surface, not just individual identities.

What context-based behavioural detection adds to NHI monitoring

Behavioural detection for NHIs becomes more useful when it links identity events to data context. A token use event is not enough on its own. Security teams need to know whether the agent touched PII, PCI, PHI, or other sensitive categories, whether the access pattern matches expected use, and whether the action created downstream exposure. That shifts detection from simple abuse flags to risk interpretation. It also helps distinguish ordinary automation from identity misuse, privilege escalation, or mass export behaviour across integrated services.

Practical implication: enrich NHI detections with data-classification and integration context before triage.

How blast radius analysis changes incident containment for AI agents

Blast radius analysis answers a different question from alerting: once an identity or vendor is compromised, what data categories, agents, and integrations are now in play? In agentic ecosystems, one breached integration can expose several downstream services because permissions are often delegated through chained trust relationships. That means containment has to identify the first safe revocation point, not just the first suspicious event. The technical challenge is correlation across identities, tools, and data paths quickly enough to stop propagation.

Practical implication: pre-map revocation dependencies so containment can start at the smallest effective trust boundary.


NHI Mgmt Group analysis

AI agent identity risk is now an architecture problem, not an access-list problem. Security teams can no longer treat inventory as proof of control because the relevant behaviour happens in motion between identities, SaaS apps, and tool calls. That means the real governance unit is the delegated execution path, not the named account. Practitioners should evaluate controls against runtime behaviour, not static registration.

Human-centric IAM assumptions do not survive agentic runtime behaviour. Access review cycles assume a stable subject, stable purpose, and reviewable period of privilege. That assumption fails when an AI agent can authenticate, combine tools, and complete work faster than a review cadence can observe it. The implication is that governance has to shift from post-hoc certification toward continuous runtime oversight of delegated action chains.

Agentic ecosystem security creates an identity blast radius that traditional directory-centric controls do not describe. A single trusted token can now connect multiple systems, move sensitive data, and trigger downstream writes in ways that are invisible if teams only look at account entitlements. This is why the category now sits at the intersection of NHI, SaaS security, and AI governance. Practitioners should treat connected trust relationships as the primary object of analysis.

Shadow AI discovery is a prerequisite for any credible NHI programme. If teams cannot identify unsanctioned agents and tools bypassing the corporate gateway, they cannot assess exposure, set policy, or contain incidents with confidence. That makes discovery a governance foundation rather than a hygiene task. The practical conclusion is simple: unknown agents are unmanaged identities, and unmanaged identities are already part of the attack surface.

Context-based detection is where NHI monitoring becomes decision-grade. Identity alerts without data-layer context cannot tell you whether a suspicious token event is a nuisance or a material incident. By tying action to data sensitivity and downstream movement, practitioners can separate benign automation from exposures that need containment. The field should measure NHI security by decision quality, not alert volume.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That visibility gap matters because 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, followed by inadequate monitoring and logging at 37%.
  • For a wider breach pattern view, The 52 NHI breaches Report shows how delegated access and poor lifecycle control turn trust relationships into incident pathways.

What this signals

Agentic Ecosystem Security Gap: the next governance gap is not whether an AI agent exists, but whether security teams can prove what it did across identity, data, and integration layers. That is why visibility into third-party OAuth relationships and downstream data paths will become a board-level control question, not a tooling preference.

With 1 in 4 organisations already investing in dedicated NHI security capabilities and another 60% planning to do so within twelve months, the market is moving from discovery to operational control. Teams should expect tighter scrutiny of agent sprawl, token governance, and whether their detection stack can explain suspicious action in business context.

Practitioners who already use identity lifecycle and privileged access processes should extend those controls to machine-speed delegation. The operational test is no longer whether access was approved once, but whether the trust relationship can still be justified while the agent is active.


For practitioners

  • Map delegated agent workflows end to end Inventory how each AI agent authenticates, which SaaS systems it touches, which MCP or API calls it can make, and where output is written downstream. Focus on the full execution path, not just the identity record.
  • Classify sensitive data flow by identity path Tag which agents, integrations, and service accounts touch PII, PCI, PHI, or other regulated data so you can prioritise controls around the highest-risk chains first.
  • Correlate identity alerts with data context Enrich detection logic so token misuse, privilege escalation, and mass export alerts include the data category involved and the downstream service affected.
  • Predefine containment steps for compromised integrations Document which token revocations, integration disables, and identity quarantines should happen first when a trusted SaaS connection is suspected of abuse.

Key takeaways

  • AI agent identity risk is fundamentally a governance problem about runtime behaviour across connected systems, not just a permissions problem.
  • Legacy IAM models break down when delegated access, OAuth trust, and tool chaining happen faster than human review cycles can observe.
  • Practitioners should focus on workflow mapping, data context, and containment planning so they can govern the full identity blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10AGENT-05Agentic tool chaining and runtime behaviour are central to this preview.
OWASP Non-Human Identity Top 10NHI-03OAuth tokens, dormant integrations, and over-privileged NHI access drive the risk here.
NIST CSF 2.0PR.AA-01Identity and access control must extend to machine-speed delegated actions.

Review agent tool permissions and runtime guards to stop chained actions from exceeding approved scope.


Key terms

  • Agentic ecosystem: The connected environment in which AI agents, SaaS apps, integrations, and non-human identities interact. Security risk appears in the links between those components, not only in any one identity. For practitioners, the ecosystem is the real control plane because it defines how access, data, and actions flow together.
  • Identity blast radius: The range of systems, data, and downstream actions that become exposed when one identity, token, or integration is misused or compromised. In agentic environments, blast radius expands quickly because one trusted credential can activate multiple services and data paths in sequence.
  • Context-based behavioural detection: Detection that evaluates identity activity together with the data touched, the systems involved, and the expected business use. It is stronger than simple anomaly spotting because it helps determine whether an action is merely unusual or actually material to exposure and containment.
  • Delegated execution path: The full chain of authentication, tool calls, data access, and downstream writes performed by an agent or workload using granted access. This is the unit practitioners should govern when runtime behaviour matters, because risk emerges from the sequence rather than from the identity record alone.

What to expect at the briefing

Vorlon's full event preview covers the operational detail this post intentionally leaves for the source:

  • Shadow AI Discovery demonstrations showing how unsanctioned agents and tools are identified across the environment.
  • Sensitive data flow mapping examples that trace how PII, PCI, and PHI move through agentic supply chains.
  • Context-based behavioural detection workflows for identity abuse, privilege escalation, and mass exports.
  • Two-click remediation paths for revoking tokens, disabling integrations, or quarantining identities.

👉 Vorlon's event preview shows how its platform maps AI agents, SaaS apps, and non-human identities in motion.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing identity security in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-08-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org