TL;DR: A survey of 450 cybersecurity professionals finds 86% say AI agents need unique, dynamic digital identities to be trusted, while 69% see agent vulnerabilities as a bigger risk than human misuse and only 28% believe they can prevent rogue-agent damage, according to Keyfactor and Wakefield Research. The gap is no longer theoretical: identity, auditability, and revocation have to move in front of autonomous execution.
At a glance
What this is: A Keyfactor survey on AI agent identity risk, showing that trust in autonomous systems is rising faster than the identity and governance controls needed to manage them.
Why it matters: IAM, NHI, and security teams now have to govern systems that can act, access, and delegate without human pacing, which breaks the assumptions behind static identity and access models.
By the numbers:
- 86% of cybersecurity professionals agree that without unique, dynamic digital identities, AI agents and autonomous systems cannot be fully trusted.
- 69% of cybersecurity professionals believe that vulnerabilities in AI agents and autonomous systems pose a greater threat to their company’s security and identity systems than human misuse of AI.
- Only 28% believe they can actually prevent a rogue agent from causing damage.
Context
AI agent identity risk is the governance gap that appears when software can initiate actions, select tools, and interact with other systems without direct human oversight. Traditional IAM models assume a stable human operator or a non-autonomous workload, but autonomous systems blur that boundary and make identity, authorization, and auditability harder to separate cleanly.
Keyfactor’s survey points to a familiar enterprise pattern: recognition arrives before control. Security leaders increasingly understand that AI agents need dedicated identity foundations, but governance, traceability, and revocation are not yet mature enough to match deployment momentum. That makes agentic AI an identity programme issue, not just an AI operations issue.
The starting position is typical for new runtime identities. Organisations first expose the gap by adopting the technology, then discover that identity governance, not model capability, becomes the limiting factor once agents can act independently.
Key questions
Q: How should security teams govern AI agents with independent access to enterprise systems?
A: Treat each agent as a distinct non-human identity with narrow scope, attributable credentials, and a clear revocation path. Governance should cover what the agent can do, which tools it may reach, who owns it, and how actions are logged. If those elements are missing, the organisation cannot prove intent or contain misuse effectively.
Q: Why do AI agents create more identity risk than ordinary automation?
A: Because autonomous agents can initiate actions, change tool use at runtime, and chain decisions without a human gate between steps. That behaviour breaks assumptions behind static access reviews and fixed approval flows. The risk is not just access volume. It is the loss of a stable human operator behind the identity.
Q: What do organisations get wrong about AI agent governance?
A: They often focus on model safety while leaving identity, audit, and revocation underdeveloped. That creates a recognition-action gap where leaders know the risk exists but cannot enforce control at runtime. Effective governance requires ownership, policy enforcement, and traceability to be designed together.
Q: How can teams tell whether AI agent controls are actually working?
A: Look for evidence that every agent action is attributable, every permission can be revoked quickly, and every sensitive operation leaves a reviewable trail. If security teams cannot answer who acted, what they touched, and how to stop them, the controls are not working as intended.
Technical breakdown
Why autonomous AI needs unique digital identities
An AI agent is not governed like a human user or a normal workload once it can initiate actions on its own. Unique digital identity gives the organisation a way to bind actions to a specific runtime actor, separate one agent from another, and attach policy, logging, and revocation to that actor. Dynamic identity matters because static credentials create ambiguity when the same agent can change behaviour across tasks or tool calls. The control question is no longer only authentication. It becomes attribution, scope, and stopability across a moving execution context.
Practical implication: treat each agent as a distinct identity object with attributable credentials, policy boundaries, and revocation paths.
The recognition-action gap in AI agent governance
The survey shows a common governance failure mode. Leaders agree the risk exists, but the organisation has not yet translated that concern into enforceable controls. In practice, that means policy may exist on paper while runtime identities, approval gates, and audit trails remain incomplete. This gap is especially dangerous when agents can interact with other agents or services, because the absence of clear identity makes it hard to prove intent, block misuse, or reconstruct events after an incident.
Practical implication: align policy, enforcement, and audit coverage before expanding agent deployment beyond tightly bounded pilots.
Cryptographic provenance and revocable access for AI-generated actions
Where AI systems contribute code or take operational actions, cryptographic provenance becomes a control, not a nice-to-have. A provenance chain ties an action, commit, or tool use back to an accountable identity and makes later review possible. Revocable credentials matter because an autonomous system without an immediate stop mechanism can continue to act long after trust has been withdrawn. This is the point where identity governance, secrets management, and auditability converge into one control plane.
Practical implication: require provenance, logging, and revocation controls before allowing AI systems to produce or modify business-critical assets.
Threat narrative
Attacker objective: The objective is to abuse agentic trust so that autonomous systems can perform unaudited actions, move laterally through connected services, and create business impact without clear accountability.
- Entry occurs when an AI agent is granted access to systems through a generic or weakly scoped identity that does not distinguish it from other machine actors.
- Escalation follows when the agent can initiate tool calls, share data, or chain requests across services without a separate approval step or attributable runtime boundary.
- Impact comes when the organisation cannot reliably stop, audit, or explain the agent’s actions after it has already touched sensitive systems or generated risky outputs.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
NHI Mgmt Group analysis
AI agent identity risk is now a governance problem, not an innovation sidebar. When agents can initiate actions independently, the organisation is no longer governing software execution in the old sense. It is governing a runtime actor that can select actions, cross system boundaries, and create evidence gaps after the fact. That shifts the centre of gravity from model capability to identity control.
Unique, dynamic digital identities are the minimum viable trust boundary for autonomous systems. Static service identities assume a stable purpose and a predictable session. That assumption weakens when the actor can change tasks, touch multiple tools, and carry context across interactions. The implication is that AI agent governance must start with attributable runtime identity, not with broad application-level permissioning.
Recognition without enforcement is the defining failure mode in agentic AI programmes. The survey shows that many leaders understand the danger but have not operationalised it through policy, monitoring, and revocation. That is the same pattern seen in other identity domains where visibility arrives before governance maturity. Practitioners should expect the control gap to widen as deployment scales unless identity ownership is explicit.
Cryptographic provenance is becoming part of identity governance for AI-generated actions. If an AI system can author code, trigger workflows, or alter data, the organisation needs a way to bind each action to a verifiable identity and a reviewable trail. Without provenance, accountability becomes retrospective guesswork. The practitioner takeaway is that auditability must be designed into the agent lifecycle, not appended after incidents.
AI agent governance now sits across NHI, IAM, and lifecycle disciplines at once. The same enterprise that once treated machine identities as operational plumbing now has to govern autonomous actors with stronger boundaries, faster revocation, and clearer accountability. That convergence is why isolated IAM fixes will not be enough. Teams need one lifecycle model that spans human, machine, and agent identities without blurring their differences.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For a deeper governance lens, see OWASP Agentic AI Top 10 for the control patterns that matter when agents make runtime decisions.
What this signals
Identity blast radius: as AI agents become more common, the programme risk is no longer whether a single control fails, but whether one autonomous actor can touch too many systems before anyone notices. That makes identity scoping, action logging, and emergency revocation the practical ceiling on safe expansion.
With 80% of current deployments already showing rogue behaviour, the issue is not early adoption but governance lag. Security teams should expect AI agent policy, audit, and lifecycle processes to become a board-level dependency, especially where agents interact with secrets, privileged APIs, or customer data.
The next wave of control design will converge on machine identity, agent lifecycle, and runtime stopability. Teams that can link identity events to business actions will be able to govern autonomous systems with far less guesswork than those relying on generic automation policy.
For practitioners
- Assign each AI agent a unique runtime identity: Bind every agent to a distinct identity object, separate it from human users and generic service accounts, and require attributable credentials for each runtime actor.
- Set explicit approval boundaries for autonomous tool use: Limit which systems an agent may touch without a human gate, and define where approval is required before a cross-system action, data export, or delegation occurs.
- Make revocation immediate and testable: Ensure credentials, tokens, and permissions for an agent can be withdrawn without waiting for a maintenance cycle, and rehearse the shutdown path as part of incident drills.
- Require provenance for AI-generated code and actions: Log which identity produced each commit, workflow step, or system change, and keep the evidence chain intact so security and compliance teams can reconstruct decisions later.
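The controls described under "Cryptographic provenance and revocable access for AI-generated actions" and in the list above, sketched as an added example (not code from Keyfactor or NHI Mgmt Group): a hash-chained action log in which each record is tagged with a per-agent key, plus a verifier that flags tampering, out-of-scope actions, and actions recorded after revocation. Agent names, keys, scopes, and timestamps are constructed, and HMAC stands in for the certificate-based signatures a production deployment would use.

```python
import hashlib, hmac, json

# Constructed registry: one key, one scope and one revocation time per agent identity.
# Assumption: HMAC is a stdlib stand-in for per-agent certificate signatures.
REGISTRY = {
    "agent-billing-01": {"key": b"constructed-key-A", "scope": {"invoices.read"}, "revoked_at": None},
    "agent-deploy-02": {"key": b"constructed-key-B", "scope": {"repo.commit"}, "revoked_at": 1700000200},
}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_action(log, agent_id, action, ts, key):
    """Append a record chained to the previous one and tagged with the agent's key."""
    body = {"agent": agent_id, "action": action, "ts": ts,
            "prev": log[-1]["hash"] if log else "0" * 64}
    h = _digest(body)
    tag = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
    log.append({**body, "hash": h, "tag": tag})

def verify_log(log, registry):
    """Return (index, finding) pairs for every record that fails a control."""
    findings, prev = [], "0" * 64
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in ("agent", "action", "ts", "prev")}
        ident = registry.get(rec["agent"])
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            findings.append((i, "chain-broken"))       # record edited, removed or reordered
        if ident is None:
            findings.append((i, "unknown-identity"))   # action not attributable to any agent
        else:
            expected = hmac.new(ident["key"], rec["hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["tag"]):
                findings.append((i, "bad-tag"))
            if rec["action"] not in ident["scope"]:
                findings.append((i, "out-of-scope"))
            if ident["revoked_at"] is not None and rec["ts"] >= ident["revoked_at"]:
                findings.append((i, "after-revocation"))
        prev = rec["hash"]
    return findings

def demo():
    """Build a constructed four-record log and verify it."""
    log = []
    for agent, action, ts in [("agent-billing-01", "invoices.read", 1700000100),
                              ("agent-deploy-02", "repo.commit", 1700000150),
                              ("agent-deploy-02", "repo.commit", 1700000300),    # after revocation
                              ("agent-billing-01", "repo.commit", 1700000400)]:  # outside scope
        append_action(log, agent, action, ts, REGISTRY[agent]["key"])
    return log, verify_log(log, REGISTRY)
```

Running the verifier on a schedule against the stored log doubles as the rehearsal of the revocation path: a record from a revoked identity should appear as a finding, not pass silently.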
Key takeaways
- AI agents create a distinct identity risk because they can act independently, not just execute scripted automation.
- The evidence gap is already material: many organisations expect more agents, but few can prove they can detect or stop rogue behaviour.
- Identity attribution, provenance, and revocation are now core controls for autonomous system governance, not future enhancements.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-03 | Agent identity and runtime boundaries map to access and tool abuse risks. |
| NIST AI RMF | GOVERN and MAP | Address accountability for autonomous system behaviour. |
| NIST CSF 2.0 | PR.AA-1 | Identity management and access control are central to AI agent trust and auditability. |
Assign clear ownership for agent actions and document lifecycle controls before deployment expands.
Key terms
- Autonomous system identity: A runtime identity assigned to software that can initiate actions without direct human oversight. In practice, it must be individually attributable, scoped to specific tools and data, and designed so security teams can revoke access and reconstruct behaviour after an event.
- Recognition-action gap: The distance between understanding a risk and implementing controls that actually reduce it. In AI agent governance, this gap appears when organisations accept that agents are risky but still lack policy enforcement, audit coverage, and revocation mechanisms at runtime.
- Cryptographic provenance: A verifiable chain that links an action, commit, or output back to a specific identity. For AI systems, it turns later review from speculation into evidence, which matters when autonomous actors can generate code or trigger operational changes.
This post draws on content published by Keyfactor: Keyfactor Research Reveals Two-Thirds of Companies Say AI Agents Are a Bigger Security Risk Than Humans. Read the original.
Published by the NHIMG editorial team on 2026-01-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org