TL;DR: AI agents break the old assumption that identity can be authenticated once, scoped statically, and audited later, because they decide at runtime which tools, data, and services to use. Aembit's analysis and a 2025 SailPoint survey, in which 80% of organisations reported unexpected or unauthorized agent actions, make the same point. That makes delegation, auditability, and dynamic privilege control the real governance test, not traditional workload identity alone.
At a glance
What this is: This analysis argues that AI agent identity is not just workload IAM with a new label, but a different control problem because agents choose actions dynamically at runtime.
Why it matters: It matters because IAM, IGA, and PAM teams need governance models that cover delegated, tool-using actors without assuming static scope, predictable session boundaries, or human-paced review cycles.
By the numbers:
- 80% of organizations using AI agents have observed them acting unexpectedly or performing unauthorized actions.
- 69% of organizations now have more machine identities than human ones.
- Only 38% have automated certificate lifecycle management in place.
👉 Read Aembit's analysis of AI agent identity risk and workload IAM limits
Context
AI agent identity risk starts with a basic governance mismatch. Human IAM assumes interactive sessions and workload IAM assumes deterministic behaviour, but autonomous agents decide at runtime which files, APIs, tools, and services to invoke. That means the access pattern is not fully knowable at provisioning time, which breaks the premise behind static scoping and periodic audit.
For IAM and identity governance teams, the issue is not simply that agents are more active than traditional workloads. It is that the actor can combine delegation, tool use, and runtime judgment inside one session. That creates a control gap across NHI governance, PAM, and access review processes, especially where organisations still treat non-human access as if it were predictable workload execution.
Key questions
Q: How should security teams govern AI agents that can choose tools at runtime?
A: Treat the agent as a delegated identity whose access must be evaluated when each request occurs. Static roles are too blunt when the actor can change its path mid-session. Teams should scope privilege to the smallest viable operation, require strong binding between user intent and agent action, and preserve decision context for later review.
Q: Why do AI agents complicate least-privilege design?
A: Least privilege becomes harder because the actor’s exact behaviour is not fully known before execution begins. An agent may need different resources at different points in the same task, so a static policy either blocks the work or grants too much. The control problem is runtime uncertainty, not just excessive entitlement.
Q: What breaks when delegation chains are not explicitly tracked?
A: Accountability breaks first, then auditability. If the system cannot tie the user, the agent, and the invoked tools together, it cannot explain who authorised the action or which entity actually performed it. That makes incident review, access certification, and policy enforcement far less reliable.
Q: Who is accountable when an AI agent exceeds its intended scope?
A: The organisation remains accountable, but operational accountability depends on whether the system preserved delegation evidence. Without a chain that binds the user, the agent, and the scope, investigators cannot reconstruct responsibility cleanly. Governance teams should treat that missing evidence as a control failure, not a logging inconvenience.
Technical breakdown
Why static scoping fails for autonomous agents
Traditional workload identity works because a microservice or CI/CD job usually follows a stable execution path. Access can be predeclared, bounded, and revoked after the task ends. AI agents are different because they choose actions based on context and goal interpretation, which means the path is not fixed ahead of time. A policy that looks precise at provisioning time can still be too broad at runtime if the agent decides to chain additional tools or data sources to complete its objective. This is not a secrets problem alone. It is a runtime authorisation problem caused by non-deterministic behaviour.
Practical implication: scope access at request time, not just at deployment time.
Delegation chains create accountability gaps
When an agent acts on behalf of a user, the identity system must represent two linked actors at once: the delegating human and the executing agent. That gets harder when the agent can spawn subagents or call multiple tools in sequence. Traditional token models often describe a single subject, which leaves audit records unable to answer who made the decision, who authorised it, and which downstream actor actually performed the action. The technical weakness is not logging volume. It is the loss of verifiable identity context across the chain.
Practical implication: bind user, agent, and scope into the credential or delegation artifact.
Audit trails break when the session is goal-driven
Workload IAM assumes a session is a bounded execution window. Agent sessions are goal-driven, so they may last across many tool calls, posture changes, and scope decisions. Short-lived credentials help reduce exposure, but they do not solve the deeper issue: the system must preserve enough context to explain why a request was made and whether it still fits the original authorisation. Without that context, logs record events but not accountable intent. For identity teams, the problem is not just tracing access. It is preserving the meaning of access across a changing execution path.
Practical implication: pair short-lived credentials with agent-aware telemetry and decision context.
Threat narrative
Attacker objective: The objective is to make legitimate delegated access drift into broader, harder-to-audit execution that exceeds the original authorisation intent.
- Entry occurs when a user delegates authority to an AI agent and the agent receives legitimate access to tools, data, or APIs for a defined objective.
- Escalation happens when the agent broadens its own access path mid-session by selecting additional resources or tool calls that were not explicitly anticipated at provisioning time.
- Impact follows when chained actions, delegated subagents, or incoherent audit trails make the resulting access harder to contain, explain, or attribute.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Static scoping is a workload assumption, not an agent control. Static access policies were designed for deterministic systems whose behaviour can be predicted before execution begins. That assumption fails when the actor is autonomous because the access path is decided at runtime, not by a predeclared script. The implication is that identity programmes must stop treating agent behaviour as bounded workload execution and start treating it as runtime authorisation risk.
Delegation without chain-of-custody creates a governance blind spot. Traditional OAuth-style thinking struggles when one credential represents both a user and an agent that can invoke tools or subagents. The governance assumption that a single subject can carry the full meaning of an action breaks under autonomous delegation. The implication is that accountability models must be rethought around actor chains, not single-token audit entries.
Agent autonomy collapses the review window that IAM process design depends on. Access review processes were designed for access that persists long enough to be observed, recertified, and removed. That assumption fails when the actor can acquire, use, and abandon privilege within one goal-driven session. The implication is not just more review effort, but a different governance model for time-bounded, decision-making identities.
Identity blast radius is now a runtime property, not a provisioning property. The risk surface is no longer defined only by what access an agent receives at onboarding. It is also defined by what that agent can decide to do after it starts operating. That shifts the centre of gravity from setup controls to continuous identity governance across the full delegated task path.
AI agent governance sits at the intersection of NHI, PAM, and human accountability. The strongest control model will not come from treating agents as merely another workload or as a human proxy. It has to connect least privilege, delegation traceability, and identity lifecycle governance across all three actor types. Practitioners should use this topic to reassess where their current programme still assumes stable, human-paced identity behaviour.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, which is one reason non-human identity governance still breaks under operational pressure.
- That lifecycle gap is why practitioners should pair delegation controls with the Ultimate Guide to NHIs and align runtime access with offboarding discipline.
What this signals
Runtime authorisation is becoming the decisive control plane for autonomous actors. As agents move from experiments into production workflows, identity teams will have to shift attention from provisioning state to request-time decisioning. A static entitlement model cannot explain or constrain a system that changes its own path while the task is still in flight.
Delegation traceability will become a board-level audit issue, not just an IAM design detail. If a programme cannot reconstruct the user, the agent, and the action chain, it will struggle to defend access decisions after an incident. That pushes agent telemetry, certification evidence, and actor binding into the same governance conversation as PAM and NHI lifecycle.
Agent identity should be measured against a new concept: identity blast radius. This is the practical boundary created by what an agent can decide to do once access begins, not merely what it is provisioned to reach. Teams that already struggle with machine identity sprawl should expect the same pressure to extend into agent governance, especially where the Ultimate Guide to NHIs shows how fast non-human estate growth outpaces manual control.
For practitioners
- Map which controls assume stable behaviour: Identify where access reviews, approval workflows, and entitlement models still assume the actor will behave predictably long enough to be certified. Replace those assumptions with runtime evaluation for agent sessions that can change scope mid-task.
- Bind delegation into the credential model: Require cryptographic linkage between the delegating user, the agent identity, and the permitted scope so audit records can reconstruct who authorised what and which actor executed each step.
- Separate task scope from identity scope: Limit the agent's usable privilege to the smallest operation needed at each request rather than granting broad capability for the full session. This reduces the chance that the agent will chain into resources the authoriser never intended.
- Add agent-aware telemetry to audit trails: Capture decision context, tool selection, and downstream invocation paths so logs explain why an action happened, not just which API was called. Pair that with the Ultimate Guide to NHIs for a lifecycle and governance baseline.
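A worked sketch of the delegation binding, per-request scoping and decision-context telemetry described in the technical breakdown and in the practitioner items above. This is added example code, not Aembit's or NHIMG's; it assumes a verifier-held HMAC key in place of per-issuer public-key signatures, and the actors, scopes and timestamps are constructed.

```python
import hashlib, hmac, json
# Constructed demo key (assumption: HMAC with a verifier-held key stands in for per-issuer signatures).
KEY = b"constructed-demo-key"

def _sign(claims):
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def mint(issuer, subject, scope, now, parent=None, ttl=60):
    """One delegation hop: issuer grants subject a scope, hash-bound to the parent hop's signature."""
    ref = hashlib.sha256(parent["sig"].encode()).hexdigest() if parent else None
    claims = {"iss": issuer, "sub": subject, "scope": sorted(scope), "exp": now + ttl, "parent": ref}
    return {"claims": claims, "sig": _sign(claims)}

def verify_chain(chain, now):
    """Walk root to leaf: signature, expiry, linkage (issuer == previous subject) and attenuation."""
    prev = None
    for i, hop in enumerate(chain):
        c = hop["claims"]
        if not hmac.compare_digest(_sign(c), hop["sig"]):
            return False, set(), f"hop {i}: bad signature"
        if c["exp"] < now:
            return False, set(), f"hop {i}: expired"
        if prev is not None:
            if c["parent"] != hashlib.sha256(prev["sig"].encode()).hexdigest() or c["iss"] != prev["claims"]["sub"]:
                return False, set(), f"hop {i}: broken linkage"
            if not set(c["scope"]) <= set(prev["claims"]["scope"]):
                return False, set(), f"hop {i}: scope exceeds delegator"
        prev = hop
    return True, set(prev["claims"]["scope"]), "ok"

def authorize(chain, action, audit, now):
    """Request-time decision for one action; the audit record keeps the actor chain and the reason."""
    ok, scope, reason = verify_chain(chain, now)
    allowed = ok and action in scope
    why = reason if not ok else ("in scope" if allowed else "out of scope")
    audit.append({"actors": [h["claims"]["sub"] for h in chain], "action": action, "allowed": allowed, "why": why})
    return allowed

def demo():
    """Constructed scenario: alice -> agent-1 -> git-tool, scope narrowing at each hop."""
    t0 = 1_700_000_000
    user = mint("idp", "alice", {"tickets:read", "tickets:write", "repo:read"}, t0)
    agent = mint("alice", "agent-1", {"tickets:read", "repo:read"}, t0, parent=user)
    tool = mint("agent-1", "git-tool", {"repo:read"}, t0, parent=agent)
    wide = mint("agent-1", "git-tool", {"repo:read", "tickets:write"}, t0, parent=agent)  # wider than agent-1 holds
    audit = []
    checks = [([user, agent, tool], "repo:read", t0 + 5), ([user, agent, tool], "tickets:write", t0 + 5),
              ([user, agent, wide], "tickets:write", t0 + 5), ([user, agent, tool], "repo:read", t0 + 120)]
    return tuple(authorize(chain, act, audit, now) for chain, act, now in checks), audit
```

Each audit entry names every actor in the chain and the reason for the decision, which is the context a reviewer needs to reconstruct who authorised what and why a request was refused.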
Key takeaways
- AI agents expose a control gap that workload IAM was never designed to close because they decide access paths at runtime.
- The evidence points to a real operational problem, not a theoretical one, with 80% of organisations reporting unexpected or unauthorized agent behaviour.
- Identity programmes need delegation binding, runtime scoping, and agent-aware audit trails if they want accountable autonomous access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AG-03 | Runtime tool use and delegation are central to this article's agent identity risk. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent identities behave as non-human identities with delegated privilege and lifecycle risk. |
| NIST CSF 2.0 | PR.AA | Identity and access assurance applies to delegated agent activity and auditability. |
Map agent identity controls to access assurance and preserve evidence for traceability and accountability.
Key terms
- Autonomous Agent Identity: An autonomous agent identity is a non-human identity that can choose actions, tools, and execution timing at runtime. In practice, it is governed less like a script and more like a delegated actor whose access must be continuously bounded, observed, and attributable.
- Delegation Chain: A delegation chain is the sequence of identities involved when one actor authorises another to act on its behalf. For AI agents, the chain may include the human initiator, the agent, and any subagents or tools, which makes accountability dependent on preserved identity context.
- Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause once access is granted. For autonomous systems, the blast radius is shaped not only by the initial entitlement but by the set of actions the actor can decide to take during the session.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Aembit: AI agents challenge traditional identity models. Read the original.
Published by the NHIMG editorial team on 2026-03-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org