TL;DR: AI agent adoption has surged to more than 3 million agents globally, with thousands created every week and 144 non-human identities for every human user, according to JumpCloud’s source article citing SACR and Stanford Graduate School of Business research. The governance gap is structural: legacy IAM was built for humans and deterministic machine identities, not autonomous actors that decide and act at runtime.
At a glance
What this is: An analysis of why AI agent identity governance is breaking under scale, with visibility, accountability, connection control, and real-time guardrails emerging as the four pressure points.
Why it matters: The identity controls that govern humans and traditional NHIs do not reliably constrain agentic behaviour, so IAM, PAM, and security teams need a new runtime governance model.
By the numbers:
- Modern organizations now run roughly 144 non-human identities (NHIs) for every single human user.
👉 Read JumpCloud’s analysis of AI agent identity governance and runtime controls
Context
AI agent identity governance describes the controls needed to discover, register, scope, and monitor software identities that can choose actions at runtime. The problem is not simply that more identities exist, but that agents behave differently from both humans and classic service accounts, which makes legacy IAM models an imperfect fit for agentic AI.
The article frames a familiar security problem in a new form: organisations are trying to govern autonomous actors with tools designed for stable users and deterministic workloads. That mismatch shows up first in discovery, then in accountability, then in connection sprawl, and finally in the failure to enforce guardrails at the moment of execution.
Key questions
Q: How should security teams govern AI agents that can act at runtime?
A: Treat AI agents as live identities rather than static accounts. Governance should bind each agent to an owner, approved purpose, and restricted tool paths, then enforce real-time policy checks when the agent calls tools or touches data. If the control only works after the action has happened, it is too slow for agentic behaviour.
Q: Why do AI agents complicate existing IAM and PAM controls?
A: Because many IAM and PAM controls assume access is stable long enough to be reviewed, certified, or revoked after the fact. AI agents can decide, act, and shift context at machine speed, which makes delayed governance unreliable. The result is a runtime control problem, not just an entitlement problem.
Q: What breaks when shadow AI is not discovered early?
A: Teams lose sight of which agents exist, what they can reach, and which credentials they use. That creates blind spots in audit trails, incident response, and offboarding, especially when agents are created locally or disappear after a single task. Discovery failure becomes governance failure once the identity cannot be traced back to an owner.
Q: How can organisations decide whether an AI agent is over-scoped?
A: Compare the agent’s actual connection paths, data reach, and observed tool sequence with its stated purpose. If the agent can aggregate, relay, or export data outside the minimal task scope, it is over-scoped even if initial login was authorised. Scope should be measured at execution, not only at provisioning.
Technical breakdown
AI agent discovery and shadow AI visibility
Agent discovery is no longer a one-time inventory exercise. AI agents appear in browser extensions, local developer tools, endpoints, SaaS workflows, and ephemeral containers, which means periodic scans miss a large share of the active estate. Shadow AI is the practical outcome when teams cannot see locally running agents or hidden layers such as MCP servers. Continuous discovery must therefore correlate endpoint, browser, and network signals, then classify posture at execution time rather than merely recording existence. That changes the control objective from inventory to runtime visibility.
Practical implication: build continuous discovery across endpoints, browsers, and gateways so hidden agent activity is visible before it becomes an ungoverned identity.
MCP servers, OAuth, and connection-path risk
The Model Context Protocol gives agents a structured way to reach tools and data sources, but it also creates a new control surface. When plaintext credentials, weak OAuth discipline, and poorly tracked MCP servers are combined, the issue is not just access breadth but connection-path trust. An agent may be allowed to read data, yet still aggregate, relay, or misuse it through chained tool calls. In practice, the governance question is not only which identity has access, but which downstream systems it can touch through each execution path.
Practical implication: inventory MCP servers and the systems they touch, then enforce least privilege on each connection path rather than on the agent alone.
Real-time guardrails and intent-based authorisation
Static access control answers a question that is too narrow for agentic systems: is the identity allowed to reach this resource? Agentic governance asks whether the action should be allowed given current context, sequence, and behaviour. That requires real-time authorisation, behavioural drift detection, and a kill switch when activity departs from stated purpose. Human-in-the-loop governance in this model does not mean approving every action. It means defining risk-based control points that can stop unmanaged execution while preserving automation where it is safe.
Practical implication: enforce context-aware policy decisions at execution time and wire in drift detection that can stop suspicious agent sequences immediately.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent governance exposes a runtime identity problem, not just a discovery problem. The article correctly shows that visibility is only the first layer. Once an agent can decide when to act, what tool to call, and how to chain operations, IAM must govern runtime behaviour rather than static enrolment alone. The implication is that agent identity cannot be treated as a one-time registration event; it becomes a live governance object.
Shadow AI is the operational symptom of a visibility model built for stable assets. Browser-based agents, local tools, and ephemeral instances can vanish before periodic controls see them. That means traditional inventory and recertification cycles miss the active identity population that matters most. Practitioners should treat hidden agent populations as a governance blind spot, not a fringe detection issue.
Chain of intent is the right named concept for the accountability gap. The article’s model binds an agent’s purpose to a human owner and trusted device, which is necessary because shared service accounts and borrowed credentials break attribution. This is a governance boundary issue across human, device, and non-human identity, and it aligns with OWASP-NHI and zero trust thinking. Security teams should treat accountable execution as a first-class identity requirement.
Static credentials remain the fastest path from agent access to enterprise impact. The article is clear that permanent credentials, broad connection paths, and weak offboarding let agents keep touching systems long after their original purpose changes. That failure mode is familiar from NHI programs, but agentic systems accelerate it because execution happens at machine speed and can chain across multiple tools. Practitioners need to recognise that the blast radius is set by connection scope, not by the label on the identity.
Agentic security collapses the assumption that access review can govern runtime decisions. Access review was designed for identities whose privilege persists long enough to be certified after the fact. That assumption fails when an agent can acquire, use, and shift context within a single execution loop. The implication is not a new review cadence, but a rethink of what can still be governed through post hoc certification versus what must be controlled before action.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- That same research says only 44% have implemented any policies to govern AI agents, even though 92% agree the problem is critical to enterprise security.
- For a broader NHI baseline, the Ultimate Guide to NHIs shows why visibility, rotation, and offboarding controls remain foundational as agent populations expand.
What this signals
Chain of intent: the enterprise control point for agentic AI will increasingly be the link between purpose, owner, and device rather than the agent label itself. With 80% of organisations already seeing agents act beyond intended scope, programme owners should expect governance to shift from periodic certification to continuous execution control.
The next programme failure will be discovery debt, not lack of policy language. If teams cannot see browser-based agents, local tools, and ephemeral instances, they cannot enforce offboarding, review access paths, or explain behaviour after an incident. That makes endpoint visibility and connection inventory a prerequisite for any credible AI identity programme.
For practitioners
- Map every active AI agent to an accountable owner: Create an authoritative register that binds each agent to a human owner, trusted device, purpose, and approved scope. Prioritise browser-based and local tools first, because those are the identities most likely to escape normal SaaS visibility.
- Inventory MCP servers and tool connections: Document every MCP server, API, SaaS app, and agent-to-agent path an agent can reach, then remove any connection that is not required for the stated use case. Treat unknown tool paths as a governance defect, not a tuning issue.
- Replace static credentials with time-limited tokens: Eliminate permanent secrets wherever agents authenticate to enterprise systems. Use scoped, short-lived tokens and revoke them automatically when the agent’s purpose ends or the owning user changes roles or leaves.
- Enforce real-time guardrails on agent behaviour: Block actions that originate from unmanaged devices, unusual tool sequences, or sudden scope expansion. Pair policy enforcement with behavioural drift detection so export, retrieval, and policy-change actions can be stopped before execution completes.
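One way to wire the four practitioner steps above into a single execution-time check, covering the runtime authorisation and drift detection described under "Real-time guardrails and intent-based authorisation" as well. This is an added example, not JumpCloud's or NHIMG's code; the agent, owner, device and mcp: tool-path names are constructed, and the read-then-relay rule is a stand-in for whatever drift signals a real deployment would use.

```python
from dataclasses import dataclass, field
import time

@dataclass
class AgentRecord:
    owner: str                # accountable human: the chain of intent
    device_id: str            # trusted device the agent is bound to
    purpose: str
    allowed_paths: frozenset  # only the tool paths the purpose needs
    token_expiry: float       # epoch seconds; short-lived, never permanent
    killed: bool = False
    history: list = field(default_factory=list)

# Constructed sample register and device inventory (not real data).
REGISTER = {
    "agent-42": AgentRecord(
        "alice", "laptop-7", "weekly CRM report",
        frozenset({"mcp:crm/read", "mcp:sheets/write"}),
        token_expiry=time.time() + 900),
}
MANAGED_DEVICES = {"laptop-7"}
# A read followed by a push to a relay sink is the aggregate-and-relay pattern the text calls over-scoped.
RELAY_SINKS = {"mcp:email/send", "mcp:http/post"}

def authorize(agent_id, tool_path, device_id, now=None):
    """Decide one tool call at execution time. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    rec = REGISTER.get(agent_id)
    if rec is None:
        return False, "unregistered agent (shadow AI)"
    if now > rec.token_expiry:
        return False, "token expired; re-issue against the owner"
    if device_id != rec.device_id or device_id not in MANAGED_DEVICES:
        return False, "unmanaged or unbound device"
    if rec.killed:
        return False, "kill switch engaged"
    if tool_path in rec.allowed_paths:
        rec.history.append(tool_path)
        return True, "ok"
    if tool_path in RELAY_SINKS and any(p.endswith("/read") for p in rec.history):
        rec.killed = True  # drift: halt the agent, not just this one call
        return False, "drift: read-then-relay sequence, agent halted"
    return False, "tool path outside approved scope"

def offboard_owner(owner, now=None):
    """Owner leaves or changes role: expire every token bound to them."""
    now = time.time() if now is None else now
    for rec in REGISTER.values():
        if rec.owner == owner:
            rec.token_expiry = now - 1
```

Each decision is made per tool call rather than at login, so an agent whose initial access was authorised still loses the ability to relay data the moment its observed sequence departs from its stated purpose.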
Key takeaways
- AI agents are exposing a runtime governance gap because they can decide and act faster than legacy IAM and PAM controls can review.
- The article’s cited research shows that scope creep is already common, not hypothetical, with most organisations reporting agent behaviour beyond intended boundaries.
- Practitioners should move from identity lists to execution governance, with ownership, tool-path inventory, and real-time guardrails as the new baseline.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and registration gaps are central to the article’s AI agent visibility problem. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access path control are required for agent tool and data reach. |
| OWASP Agentic AI Top 10 | | Runtime behaviour, tool use, and guardrails align with agentic AI risk controls. |
Add execution-time policy checks and drift detection before autonomous actions reach production systems.
Key terms
- AI Agent Identity: An AI agent identity is the set of attributes, permissions, owners, and trust signals used to govern a software entity that can decide actions at runtime. For autonomous agents, identity is not just authentication, but the control structure that determines what the agent may do, when it may do it, and who is accountable.
- Shadow AI: Shadow AI is the population of AI agents or agent-like tools operating without clear enterprise visibility, ownership, or governance. In practice, these agents may be created locally, appear briefly, or bypass central inventories, leaving security teams unable to audit their access or explain their behaviour after the fact.
- Chain of Intent: Chain of intent is the governance link between an agent’s purpose, its human owner, and the device or environment it runs on. The concept matters because accountability breaks when actions can no longer be traced back to a responsible person and a trusted execution context.
- Runtime Authorisation: Runtime authorisation is a decision made at the moment an identity tries to act, using current context, behaviour, and risk rather than only the entitlement state at provisioning time. For AI agents, this is the difference between approving access on paper and controlling whether a specific action should be allowed now.
Deepen your knowledge
AI agent identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a runtime control model for agents, it is worth exploring.
This post draws on content published by JumpCloud: AI agent identity risk and runtime governance. Read the original.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org