By NHI Mgmt Group Editorial Team
Published 2026-04-28
Domain: Agentic AI & NHIs
Source: AuthMind

TL;DR: Microsoft's February 2026 security report says 80% of Fortune 500 companies now run active AI agents, the average enterprise has about 1,200 unofficial AI applications, and 86% report no visibility into AI data flows, underscoring a fast-growing identity gap. Existing IAM and NHI controls can govern permissions, but they cannot explain session-level behaviour when agents act inside their approved scope.


At a glance

What this is: An independent analysis of why AI agent identity risk is outpacing current enterprise IAM and NHI controls, with the key finding that visibility, not just provisioning, is the critical gap.

Why it matters: Teams now need to govern autonomous and non-autonomous machine identities alongside human users, or they will miss agent behaviour that looks legitimate on paper but is risky in session.



Context

AI agent identity risk is what happens when software systems act with their own runtime decisions, access enterprise tools, and move data without being meaningfully visible to security teams. In that environment, the old assumption that identity can be governed well enough at provisioning time breaks down, because the important question becomes what the agent does during the session, not just what it was allowed to do.

That gap now sits at the centre of both NHI governance and emerging autonomous identity governance. Organisations may already manage service accounts, API keys, and tokens, but agentic systems can combine tools, touch multiple applications, and generate downstream actions in ways that traditional IAM and NHI programmes were not designed to observe. The result is a control problem that spans human, machine, and AI-driven access patterns.

The article’s starting point is atypical in one sense and typical in another. It is atypical because it frames AI agent identity as a first-class security discipline rather than a niche use case, but it is typical because most enterprises still have limited visibility, partial inventory, and weak session-level oversight.


Key questions

Q: How should security teams govern AI agent identity risk in enterprise environments?

A: Security teams should govern AI agents as non-human identities with additional session-level observability. That means managing credentials and permissions, but also tracking what each agent actually touches during a live session. Provisioning alone is not enough, because agent behaviour can drift after access is granted.

Q: Why do AI agents complicate existing IAM and NHI controls?

A: AI agents complicate IAM and NHI controls because they can act legitimately inside granted permissions while still behaving unsafely. Traditional controls tell you what access exists, but not whether the session followed the intended task. That creates a gap between entitlement and behaviour that normal access governance does not close.

Q: What breaks when organisations rely only on provisioning records for AI agents?

A: What breaks is the assumption that the official catalog reflects the real attack surface. Shadow AI, unofficial integrations, and unmanaged agents can operate outside formal workflows, so they never appear in the normal inventory. If discovery stops at provisioning, security teams will undercount active identities and miss the ones most likely to be overlooked.

Q: Who is accountable when an AI agent acts outside its intended scope?

A: Accountability usually sits with the organisation that provisioned, approved, or failed to monitor the agent. For governance purposes, the question is not whether the agent had credentials, but whether the team had visibility into the session and defined ownership for the identity’s behaviour. Without that, accountability becomes ambiguous after the fact.


Technical breakdown

AI agent identity risk starts with authentication, not approval

An AI agent becomes relevant to identity security the moment it authenticates to enterprise systems and begins acting through those credentials. At that point, it is not just consuming data. It is operating as a non-human identity with access scope, session behaviour, and downstream effects. The technical problem is that most tools record entitlement, but not intent, context, or sequence. If an agent uses Salesforce, SharePoint, and an API in one session, the access may be valid while the behaviour is still unsafe. That is why provisioning records alone do not explain agent risk.

Practical implication: instrument authentication telemetry so you can distinguish approved access from abnormal session behaviour.

Session-level observability is the missing control for AI agents

Session-level observability means seeing what an identity actually touched, in what order, and from what context while the session was live. For AI agents, that matters because prompt injection, tool misuse, or scope drift can change behaviour after access has already been granted. Traditional IAM and NHI controls can tell you that an agent had permission to read a document or call an API, but they cannot by themselves prove whether that access aligned with the task at hand. The control gap is not more permissions management. It is behavioural visibility across the session.

Practical implication: baseline agent activity and alert on deviations in resource sequence, timing, and context.
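One way to baseline resource sequence and flag deviations, as an added example that is not code from AuthMind or the original article. The agent id, resource names and session data are constructed, and the check covers sequence only, not timing or context.

```python
from collections import defaultdict

# Constructed baseline sessions: (agent id, ordered resources touched).
BASELINE = [
    ("agent-crm-summariser", ["salesforce:read", "sharepoint:read", "mail-api:send"]),
    ("agent-crm-summariser", ["salesforce:read", "mail-api:send"]),
    ("agent-crm-summariser", ["salesforce:read", "sharepoint:read",
                              "sharepoint:read", "mail-api:send"]),
]
START, END = "<start>", "<end>"

def transitions(resources):
    """Consecutive (previous, next) pairs, including session start and end."""
    path = [START, *resources, END]
    return list(zip(path, path[1:]))

def build_baseline(sessions):
    """Per agent: every resource and every resource-to-resource step seen so far."""
    profile = defaultdict(lambda: {"resources": set(), "transitions": set()})
    for agent, resources in sessions:
        profile[agent]["resources"].update(resources)
        profile[agent]["transitions"].update(transitions(resources))
    return profile

def review_session(profile, agent, resources):
    """Findings for one live session; an empty list means it matched the baseline."""
    if agent not in profile:
        return [("unknown_agent", agent)]
    known = profile[agent]
    findings = [("new_resource", r) for r in dict.fromkeys(resources)
                if r not in known["resources"]]
    familiar = known["resources"] | {START, END}
    for a, b in dict.fromkeys(transitions(resources)):
        # A step involving a new resource is already reported above.
        if a in familiar and b in familiar and (a, b) not in known["transitions"]:
            findings.append(("new_sequence", f"{a} -> {b}"))
    return findings
```

A session that stays inside its entitlements but reads SharePoint before Salesforce still yields `new_sequence` findings, which is the entitlement-versus-behaviour gap this section describes.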

Shadow AI creates identity sprawl beyond the managed catalog

Shadow AI refers to unmanaged or undiscovered AI agents operating outside formal governance. The article points to unofficial applications and agents that were never provisioned through approved channels, which means they never entered the normal lifecycle process. That creates a catalog problem and a control problem at the same time. If security only governs what was officially registered, it misses the majority of real agent activity. For identity teams, the technical lesson is that discovery must happen at the authentication layer, because the provisioning layer will always undercount.

Practical implication: extend discovery to authentication telemetry so unmanaged agents become visible before they become persistent access paths.
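Discovery at the authentication layer can be sketched as a reconciliation between what authenticates and what was provisioned. This is an added example, not code from AuthMind or the original article; the log format, client ids and catalog are constructed assumptions.

```python
from collections import defaultdict

# Constructed provisioning catalog: identities registered through approved channels.
CATALOG = {"svc-billing", "agent-crm-summariser"}

# Constructed authentication telemetry, one event per line:
# "<UTC timestamp> <client id> <target system> <grant type>"
AUTH_LOG = """\
2026-04-20T09:00:01Z agent-crm-summariser salesforce client_credentials
2026-04-20T09:00:04Z agent-crm-summariser sharepoint client_credentials
2026-04-20T09:02:10Z notes-bot-7f sharepoint client_credentials
2026-04-21T11:15:42Z notes-bot-7f mail-api client_credentials
2026-04-21T11:16:00Z malformed-line
2026-04-22T08:30:00Z notes-bot-7f sharepoint client_credentials
"""

def observed_identities(log_text):
    """Group authentication events by client id; skip lines that do not parse."""
    seen = defaultdict(lambda: {"first": None, "last": None, "targets": set(), "events": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, target, _grant = parts
        rec = seen[client]
        # Same-format UTC ISO 8601 timestamps order correctly as strings.
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["targets"].add(target)
        rec["events"] += 1
    return dict(seen)

def reconcile(catalog, log_text):
    """Return (identities that authenticate but were never provisioned,
    provisioned identities that never authenticated in this window)."""
    seen = observed_identities(log_text)
    unmanaged = {c: r for c, r in seen.items() if c not in catalog}
    dormant = sorted(catalog - set(seen))
    return unmanaged, dormant
```

The `unmanaged` result is the shadow population the provisioning layer undercounts; the `dormant` list is a by-product worth reviewing for stale entitlements.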


Threat narrative

Attacker objective: The attacker aims to redirect a trusted AI agent into carrying out unauthorized access, data movement, or exploit-assisted activity under valid credentials.

  1. Entry occurs when a malicious instruction is embedded in content that an AI agent processes on a user’s behalf, such as a web page, email, or document.
  2. Credential access or abuse follows when the agent interprets that instruction as legitimate and uses its existing permissions to touch enterprise systems or move data.
  3. Impact emerges when the manipulated session produces unauthorized actions, exfiltration, or unsafe downstream automation before security teams detect the deviation.



NHI Mgmt Group analysis

AI agent identity risk exposes a governance blind spot, not just a tooling gap. The central issue is that existing identity programmes were built to manage access at provisioning time, while AI agents create risk at session time. That means the programme can look compliant on paper while still missing the actual behaviour that matters. Practitioners should treat agent behaviour as a separate identity control plane, not a side effect of NHI management.

Session-level visibility is now the decisive control variable for machine identity governance. If security teams cannot see what an agent touched in real time, they cannot distinguish legitimate workload execution from prompt-driven misuse or scope drift. That makes session observability more important than raw credential hygiene when AI agents are present. The implication is straightforward: governance that stops at entitlement is incomplete for this class of identity.

Shadow AI is the practical reason most AI agent governance programmes will undercount risk. The article’s reference to 1,200 unofficial applications is not just a sprawl statistic, it is a discovery failure. Managed inventories will always miss the agents that were built outside the ticketing process, embedded in business workflows, or attached through third-party integrations. Practitioners need to recognise that undiscovered agents are not edge cases, they are part of the baseline exposure.

The old assumption that access review catches risky identity behaviour is breaking for AI agents. Access reviews were designed for identities whose privilege persists long enough to be examined. That assumption fails when an AI agent can authenticate, act, and change behaviour within a single live session. The implication is not simply to add more reviews, but to rethink whether review-based governance can describe autonomous or semi-autonomous runtime action at all.

Identity observability is becoming the bridge between human IAM, NHI governance, and AI agent oversight. The article correctly treats human users, service accounts, and AI agents as part of one behavioural environment, even though their governance needs differ. That cross-actor view matters because attackers will not respect the category lines that teams use internally. Practitioners should expect the strongest programmes to unify telemetry and analysis across all identity types.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity programmes still fail at discovery before control.
  • For a broader control baseline, read 52 NHI Breaches Analysis for recurring failure patterns across real incidents.

What this signals

Shadow AI will force identity teams to move discovery upstream. When 86% of organisations report no visibility into AI data flows, the issue is not just governance maturity, it is that the control surface is incomplete. Identity teams should expect discovery at the authentication layer to become the only reliable way to expose unmanaged agents and third-party integrations.

The more AI agents resemble ordinary workloads in their access patterns, the more important baseline modelling becomes. Teams that cannot separate expected multi-system automation from suspicious behaviour will either drown in false positives or accept blind spots as a trade-off, and neither outcome is sustainable.

For teams building an identity programme across humans, NHIs, and agents, the practical shift is toward one telemetry model with different policy outcomes. The security question is no longer whether an identity is human or machine, but whether its runtime behaviour is visible, explainable, and attributable at the session level.


For practitioners

  • Build a complete agent inventory: Discover AI agents at the authentication layer, not only through approved provisioning workflows, so shadow agents and unofficial integrations enter scope before they become persistent access paths.
  • Baseline session behaviour for each agent: Track which resources an agent touches, in what sequence, and from what context, then flag deviations from the expected pattern as a possible sign of prompt injection or scope drift.
  • Separate entitlement governance from behavioural monitoring: Use NHI controls to manage credentials and permissions, but add a distinct observability layer that proves whether the agent’s live session stayed within its intended task boundary.
  • Review over-permissioned agents as security liabilities: Treat agent accounts that hold broader access than their current function requires as active risk, especially when the access was provisioned once and never revisited.
  • Align detection with identity type: Tune alerting so that high-frequency, multi-system access is not automatically treated as malicious when it comes from an AI agent, but still gets investigated when it departs from its established baseline.

Key takeaways

  • AI agent identity risk is now a mainstream governance problem, not an experimental edge case, because agents are already operating inside enterprise environments at scale.
  • The core failure mode is visibility, since entitlement records can look correct while live agent behaviour still drifts outside intended scope.
  • Practitioners need discovery, session observability, and behavioural baselining together if they want to govern agents alongside service accounts and human users.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Agent credentials and session behaviour map directly to NHI identity scope and misuse.
NIST CSF 2.0 | DE.CM-8 | Continuous monitoring fits session-level visibility for human and machine identities.
NIST AI RMF |  | AI governance requires oversight of runtime behaviour, accountability, and drift.

Establish governance for AI agent behaviour, including ownership, monitoring, and escalation paths.


Key terms

  • AI Agent Identity: An AI agent identity is the machine identity used by software that can make runtime decisions and act through enterprise systems. In practice, it combines credentials, access scope, and behavioural activity, so governance has to cover both permission and what the agent actually does during a live session.
  • Identity Observability: Identity observability is the ability to see what an identity touched, when it touched it, and in what context across a live session. For AI agents, it extends beyond entitlement management and becomes the evidence layer that shows whether authorised access stayed within intended behavioural boundaries.
  • Shadow AI: Shadow AI is any AI agent or AI-enabled workflow operating outside formal approval, inventory, or governance. It often appears through unofficial integrations, business-led automation, or tools deployed without security review, which means it can remain invisible to standard lifecycle and access review processes.

Deepen your knowledge

AI agent identity risk, session observability, and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agents alongside service accounts and human users, it is worth exploring.

This post draws on content published by AuthMind: Ahead of the Breach, Part 3 of 3, The Identity Imperative. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org