TL;DR: 2025 brought $20 million in Series A funding, rapid enterprise adoption, and new capabilities for discovering, governing, and retiring AI agent identities across enterprise environments, according to Token Security. The real shift is that AI agents are being treated as identities with lifecycle, ownership, and privilege boundaries, not just as tools with access.
At a glance
What this is: A Token Security year-end review argues that AI agent security is moving from discovery and visibility toward full identity lifecycle governance.
Why it matters: It matters because IAM, IGA, and PAM teams now have to govern AI agents, machine identities, and human-owned access paths with the same discipline they apply to other privileged identities.
By the numbers:
- Token Security raised $20 million in Series A financing in January 2025, bringing total funding to $28 million.
- Internal repositories are 6x more likely to contain secrets than public ones, with 32.2% versus 5.6%.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase.
- AI-related credential leaks surged 81.5% year-over-year in 2025.
👉 Read Token Security's year-end review of AI agent identity security in 2025
Context
AI agent security is becoming an identity governance problem, not just an application security problem. When an agent can be created, assigned access, queried, retired, or left orphaned, it behaves like a governed identity surface that needs ownership, lifecycle controls, and privilege boundaries.
This article is Token Security’s year-end view of 2025, but the underlying issue is broader than one vendor’s roadmap. IAM and PAM teams are being pushed to manage machine identities, AI agents, and hidden execution paths with the same discipline they already apply to service accounts and human access reviews.
Key questions
Q: How should security teams govern AI agents that can access enterprise tools?
A: Treat each agent as a governed identity with a named owner, a defined purpose, and a reviewable access scope. The key control is not just authentication, but lifecycle management, because unmanaged agents can keep access after the business need has ended. Discovery, ownership, and retirement must all be part of the same operating model.
Q: Why do AI agents complicate traditional IAM and PAM controls?
A: AI agents complicate IAM and PAM because they can be created quickly, connect to tools dynamically, and outlive the review cycle that normally catches privilege creep. Traditional controls assume access changes slowly enough to inspect. Agentic access can shift faster than that, so governance must become continuous rather than periodic.
Q: What breaks when AI agents are not tracked as identities?
A: When AI agents are not tracked as identities, ownership disappears, access persists, and retirement never happens on schedule. That creates orphaned execution paths that can still reach data and tools long after the original use case is forgotten. The failure is not visibility alone, but the inability to govern access across the full lifecycle.
Q: Who should own AI agent access reviews and deprovisioning?
A: Ownership should sit with the business or application owner, with IAM or security enforcing the control model. If no accountable owner exists, the agent should not retain access. Deprovisioning must be a required lifecycle step, not an afterthought, because abandoned agents become standing risk.
Technical breakdown
AI agent identity discovery and inventory
AI agent discovery is the control point that turns an unknown agent population into a governable inventory. In practice, that means identifying custom GPTs, MCP servers, autonomous agents, and related machine identities, then tying each one to an owner, purpose, and access scope. Discovery matters because invisible identities cannot be reviewed, recertified, or retired. In AI-heavy environments, the inventory problem is the governance problem. Without a reliable map of what exists, every downstream control becomes partial and reactive.
Practical implication: build continuous discovery for AI agents and related machine identities before trying to certify their access.
MCP servers, tool access, and privilege boundaries
Model Context Protocol servers create a new access layer between AI agents and enterprise tools. The security issue is not the protocol itself, but the fact that a connected agent may gain broad tool reach if the server exposes data, actions, or workflows without strict policy enforcement. Once an MCP server can touch sensitive systems, it becomes part of the identity perimeter. That changes how teams think about least privilege, because the boundary is now defined by what the agent can invoke at runtime, not just by what the user intended at setup.
Practical implication: treat every MCP server as a privileged integration and restrict the tools and data paths it can expose.
AI agent lifecycle management and orphaned identities
AI agent lifecycle management extends IAM thinking to non-human actors that can be created quickly and forgotten just as quickly. The governing question is not only who created the agent, but who owns it, when it should be recertified, and when it should be retired. Orphaned agents are especially risky because they accumulate access after the business need fades. That is the same structural failure seen in machine identity sprawl, but now it is amplified by faster creation cycles and more dynamic agent use.
Practical implication: put AI agents into the same lifecycle controls used for other privileged identities, including ownership, review, and deprovisioning.
Threat narrative
Attacker objective: The attacker wants to turn hidden or over-privileged AI and machine identities into durable access paths for data exposure, automation abuse, or lateral movement.
- entry via exposed or undiscovered AI-related credentials, hidden agents, or connected MCP servers that were not fully inventoried or governed.
- credential or access abuse occurs when an over-scoped AI agent inherits tool reach that exceeds its purpose or ownership controls.
- impact follows when the agent can query data, invoke systems, or persist as an orphaned identity outside active oversight.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent identity is now a lifecycle problem, not a discovery problem: Token Security’s year-end framing shows the market moving beyond inventory toward governance of ownership, review, and retirement. Discovery finds the agent, but lifecycle determines whether it remains controllable after deployment. For IAM and IGA teams, the practical conclusion is that an agent without an owner is already an exposure.
Hidden AI agents create identity debt in the same way orphaned service accounts do, but at a faster tempo: The article’s focus on continuous discovery and retirement reflects a wider pattern in NHI programmes. When anyone can stand up a GPT-based agent or MCP-connected workflow, the control gap is not creation but offboarding. That makes agent sprawl a governance issue, not a tooling feature request, and practitioners should treat every uncatalogued agent as deferred risk.
MCP server exposure widens the identity perimeter around AI workflows: A connected MCP server is not just an integration point, it is a privilege boundary that can expose tools, data, and actions to an agent at runtime. That means the governance model must cover what the agent can invoke, who approved it, and whether the access is still justified. The implication for practitioners is that policy has to follow the connection, not just the user.
Standing privilege assumptions break down when machine and AI identities become dynamic: Least privilege was designed for access that remains stable long enough to be reviewed. That assumption weakens when AI agents are created, re-scoped, simulated, and retired on short cycles across multiple environments. The implication is that organisations need to rethink how they define accountable access for identities whose useful life may be much shorter than the governance cadence.
AI security and NHI governance are converging into one operating model: This article is another signal that the boundary between machine identity security and agentic AI security is collapsing. Teams that keep them separate will miss the overlap in credentials, ownership, tool access, and lifecycle review. Practitioners should unify these controls now, because the threat surface is already shared.
From our research:
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase, according to The Secret Sprawl Challenge.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
- That pattern makes Ultimate Guide to NHIs , Static vs Dynamic Secrets the right next step for teams deciding how to reduce long-lived credential exposure.
What this signals
AI agent governance will increasingly be measured as an identity programme, not an AI programme: The teams that get ahead will be the ones that can inventory hidden agents, assign ownership, and prove retirement when the use case ends. The governance model has to recognise that an agent can be both a security object and an operational dependency, which is why lifecycle review will matter as much as discovery.
With 64% of valid secrets leaked in 2022 still exploitable today, per The State of Secrets Sprawl 2026, the lesson for practitioners is clear: visibility without revocation is not control. AI and machine identities will keep turning into latent access unless review, rotation, and retirement are tied together.
Identity blast radius: as more agents connect to tools, the practical question becomes how far a single hidden identity can reach before oversight intervenes. Security teams should expect agent and machine identity reviews to move closer to zero-standing-privilege design, especially where MCP servers or delegated tokens can cross system boundaries.
For practitioners
- Inventory AI agents continuously Track custom GPTs, MCP servers, autonomous agents, and machine identities in one governed register with an assigned owner and business purpose.
- Bind every AI agent to lifecycle ownership Require a named business owner, review cadence, and retirement condition for each agent so orphaned accounts do not retain access after the work ends.
- Restrict MCP-connected tool paths Limit which systems, actions, and datasets an MCP server can expose to an agent, and review those connections as privileged integrations.
- Right-size privilege before activation Simulate the agent’s intended tasks, then trim permissions to the minimum access required for that workflow and remove anything that is not explicitly justified.
Key takeaways
- The article shows that AI agent security is maturing into lifecycle governance, not just asset discovery.
- The evidence behind this shift is broadening, from new funding and product activity to the scale of hardcoded secret exposure across modern development and AI environments.
- Practitioners should respond by unifying discovery, ownership, privilege scoping, and retirement across machine identities and AI agents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | AI agent discovery and ownership map to identity inventory controls. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access governance are central to AI agent lifecycle control. |
| NIST Zero Trust (SP 800-207) | AC-4 | MCP-connected tool access behaves like a zero-trust access boundary. |
Review AI agent entitlements against least privilege and remove access that no longer has a business need.
Key terms
- AI Agent Identity: An AI agent identity is the governed representation of a software actor that can access tools, data, or workflows on behalf of a task. In practice, it needs ownership, scope, and lifecycle controls because it can behave like a privileged non-human identity rather than a simple application component.
- MCP Server: An MCP server is an access layer that lets AI agents connect to tools and data sources through the Model Context Protocol. From an identity perspective, it matters because it can expand what an agent can reach at runtime, so it must be treated as a privileged integration boundary.
- Identity Lifecycle Management: Identity lifecycle management is the process of creating, reviewing, recertifying, and retiring identities across their useful life. For AI agents and other non-human identities, the same discipline applies, but the cadence often needs to be more continuous because access can be provisioned and forgotten quickly.
- Orphaned Identity: An orphaned identity is an account or agent that still exists but no longer has a valid business owner or active use case. In AI and NHI programmes, orphaned identities are dangerous because they often retain access long after accountability has disappeared.
What's in the full article
Token Security's full blog covers the product and market detail this post intentionally leaves for the source:
- A chronological recap of the funding, customer adoption, and product milestones that shaped the vendor's 2025 narrative.
- Descriptions of the MCP Server, AI Discovery Engine, Token AI Agent, and AI Privilege Guardian from the vendor's perspective.
- The company's own explanation of how it sees AI agent lifecycle management evolving in 2026.
- Mentions of research, conference talks, and community work that are outside the scope of this editorial analysis.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org