By NHI Mgmt Group Editorial TeamPublished 2026-02-24Domain: Agentic AI & NHIsSource: Elisity

TL;DR: AI agents move laterally, create shadow connections, and abuse service-account or API-key access across enterprise networks faster than endpoint tools can reliably contain, according to Elisity. Identity-based microsegmentation shifts enforcement into the network data plane, but it still leaves authorised-channel abuse and discovery gaps that security teams must plan around.


At a glance

What this is: This is an analysis of why network-layer, identity-based microsegmentation is being positioned as a missing containment control for AI agent security, with a focus on lateral movement, shadow AI, and non-human identity sprawl.

Why it matters: It matters because IAM, NHI, and security architecture teams need controls that still work when AI agents move outside human-paced approval and detection loops.

By the numbers:

👉 Read Elisity's analysis of AI agent network security and microsegmentation


Context

AI agent security is no longer a theoretical edge case. The core problem is that autonomous systems communicate over networks, inherit identities, and can move laterally across enterprise environments without fitting neatly into endpoint-centric controls or human IAM workflows.

Elisity argues that identity-based microsegmentation is the missing containment layer because it governs what an AI agent can reach at the network level rather than relying on the agent’s host or on manual approval loops. That framing is increasingly relevant as agentic AI spreads faster than governance models can be updated.

The article’s own numbers reinforce the gap: security leaders are already treating agentic AI as a top attack vector, while most AI agents still go live without full security approval. That starting position is now typical, not exceptional.


Key questions

Q: How should security teams contain AI agents that can move laterally across the network?

A: Security teams should treat AI agents as network-reachable identities and constrain them with identity-based microsegmentation. The goal is to remove unauthorized paths before they can be used, not just detect movement after the fact. That works best when discovery, least privilege, and network enforcement are aligned across sanctioned and shadow agents.

Q: Why do AI agents complicate existing IAM and zero trust assumptions?

A: AI agents complicate IAM and zero trust because they can hold legitimate credentials while still behaving unpredictably at runtime. Traditional controls assume the actor’s scope is known and stable enough to review or certify. When the actor can alter activity dynamically, the governance model needs a network-level containment layer as well.

Q: What breaks when shadow AI is not discovered before policy design?

A: When shadow AI is not discovered first, policy is built on an incomplete inventory and cannot reliably enforce least privilege. Teams may protect approved systems while leaving unsanctioned agents free to open connections or move laterally. Discovery is therefore a control dependency, not an optional visibility exercise.

Q: Who is accountable when an AI agent causes network exposure or data movement?

A: Accountability should sit with the team that approved the identity, scope, and containment model for the agent, not with the agent itself. That means IAM, security architecture, and platform owners all need a shared control definition for reachability, lifecycle, and response. Without clear ownership, containment gaps persist even when the tooling exists.


Technical breakdown

Why AI agents break endpoint-centric security assumptions

AI agents are not just applications with scripts attached. They can authenticate, open network sessions, call APIs, and adapt actions across a workflow in ways that create moving trust boundaries. Endpoint controls see activity only where the agent runs, which means they share the same attack surface as the system they are trying to govern. If the agent has local privilege, it can often tamper with or bypass host-level controls. Network enforcement changes the question from what the agent can do on the host to what it can reach across the enterprise.

Practical implication: move containment decisions to a layer the agent cannot directly inspect or alter.

Identity-based microsegmentation and least-privilege network paths

Identity-based microsegmentation assigns policy to the workload or agent identity rather than to IP ranges or broad network zones. That matters because AI agents are dynamic, ephemeral, and often non-deterministic, so static zone-based assumptions do not hold. A least-privilege policy can define which protocols, destinations, and peers an agent may use, even when the underlying host changes. Agentless enforcement is especially important because it avoids putting another software control on the same endpoint the agent can already influence.

Practical implication: scope each agent to the smallest reachable set of services, protocols, and peers.

Shadow AI and non-human identity discovery

Shadow AI becomes a network security problem the moment employees deploy agents without IT approval. Those agents may still open outbound connections, use embedded keys, or initiate east-west traffic that never passes through traditional approval workflows. Discovery is therefore a prerequisite, not a side task. If teams cannot inventory sanctioned and unsanctioned agents, they cannot attach meaningful policy or prove containment. This is where NHI governance and network telemetry need to converge, because identity without discovery is only partial visibility.

Practical implication: build an inventory of sanctioned and shadow AI agents before policy design begins.


Threat narrative

Attacker objective: The attacker wants to turn a legitimately deployed AI agent into a fast-moving access path for lateral movement, data exposure, or operational disruption.

  1. Entry occurs when an AI agent is deployed with API keys, service accounts, or persistent tokens that allow it to open enterprise network connections.
  2. Escalation happens when the agent uses its legitimate access to enumerate reachable systems, expand communication paths, or pivot laterally at machine speed.
  3. Impact follows when the agent reaches systems or data it was never intended to touch, enabling exfiltration, unsafe actions, or broader compromise across network segments.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-based network containment is becoming a first-class control for AI agent governance. Endpoint and IAM controls still matter, but they do not solve the problem of agent-driven east-west movement once an AI system is active on the network. Microsegmentation moves enforcement to a place the agent cannot easily observe or alter, which changes the containment model for both sanctioned and shadow deployments. Practitioners should treat network reachability as a governance object, not just a transport concern.

Shadow AI creates an NHI discovery problem before it becomes a policy problem. If agents are deployed without approval, the organisation does not know what identities exist, what keys they hold, or what paths they can use. That is a governance failure, not just a visibility gap, because policy cannot be correct when the inventory is incomplete. Teams should reframe discovery as the prerequisite for all downstream NHI controls.

Least privilege at the network layer is the control that survives agentic behaviour. Human-paced reviews, endpoint agents, and static zones all assume that the subject under control is predictable enough to be boxed in ahead of time. AI agents invalidate that assumption by changing actions in real time while still presenting legitimate credentials. Practitioners need to stop treating the network as a passive substrate and start treating it as the containment boundary.

Agent security is converging with broader NHI governance, not replacing it. Microsegmentation can reduce blast radius, but it cannot fix over-permissioned identities, stale tokens, or poor offboarding. That means the security model has to combine discovery, lifecycle control, and network enforcement rather than hoping one layer will compensate for the others. The field is moving toward layered governance for autonomous systems, and that shift is already visible in enterprise practice.

Identity-based microsegmentation is the right answer only when organisations accept that autonomous agents behave like non-human identities with network side effects. The real shift is conceptual: teams must govern reachability, not just authentication. That is the practical dividing line between managing a tool and governing an actor.

From our research:

  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which keeps the human-side control gap wide open.
  • That governance gap pairs with AI Agents: The New Attack Surface report, where 80% of organisations said agents already acted beyond intended scope.

What this signals

Identity-based microsegmentation is becoming a practical boundary for AI agent programmes because the control can still work after the endpoint trust model fails. For teams building AI agent governance, that means the network now has to be part of the identity stack, not just the infrastructure stack. The broader lesson is that containment must follow the actor, not the device.

With 80% of organisations reporting AI agents acting beyond intended scope, per AI Agents: The New Attack Surface report, the next planning question is not whether to govern agents, but where the enforcement point lives. If the policy can be seen and changed by the same host the agent controls, the containment model is too weak for autonomous behaviour.

Teams should expect NHI lifecycle, discovery, and network policy to converge in the same operating model. The organisations that get ahead will treat agent identity, allowed reachability, and offboarding as one control chain instead of three separate projects.


For practitioners

  • Inventory all sanctioned and shadow AI agents Build a living register of agents, the identities they use, and the network paths they open. Include approved IDE extensions, orchestration tools, and any agent that can initiate outbound or east-west traffic. This is the minimum input needed before policy can be made reliable.
  • Attach network policy to agent identity Replace broad zone-based assumptions with identity-aware rules that define exact destinations, protocols, and peer relationships. Use least-privilege segmentation so a compromised agent cannot pivot simply because it sits inside an otherwise trusted subnet.
  • Separate enforcement from the endpoint Prefer agentless controls in the network data plane so the AI system cannot disable the mechanism governing its movement. That design choice matters most when agents have local privileges or when the endpoint is unmanaged or ephemeral.
  • Pair microsegmentation with NHI lifecycle governance Review whether every API key, service account, and token used by an AI agent has a clear owner, expiry, and offboarding path. Network containment reduces blast radius, but stale credentials still create avoidable reachability.

Key takeaways

  • AI agents create a containment problem that endpoint controls alone are not designed to solve.
  • The evidence points to a widening governance gap, with many agents still deployed without full security approval or formal policy.
  • Practitioners need identity-based microsegmentation plus NHI lifecycle control if they want blast-radius reduction that survives agentic behaviour.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article centers on AI agent containment and identity-aware control gaps.
OWASP Non-Human Identity Top 10NHI-03The post focuses on identity scope, discovery, and containment for non-human actors.
NIST CSF 2.0PR.AC-4Least-privilege access and network reachability are central to the article.
NIST Zero Trust (SP 800-207)The article argues for enforcement below the endpoint, consistent with Zero Trust.
NIST AI RMFMANAGEAI agent risk treatment and containment sit in the Manage function.

Use agentic-AI controls to limit tool reach, network scope, and privilege boundaries for autonomous systems.


Key terms

  • Identity-based microsegmentation: A network control model that assigns access rules to an identity rather than to a broad IP range or subnet. For AI agents, it limits which systems, protocols, and peers can be reached, so movement is constrained even when the agent is active and the host is compromised.
  • Shadow AI: AI tools or agents deployed without formal IT or security approval. In practice, shadow AI creates an inventory and enforcement problem because teams cannot govern what they cannot see, and unapproved agents often open network paths before security controls are aware of them.
  • Agentless enforcement: A containment approach that applies policy from the network infrastructure instead of from software installed on the endpoint. This matters for autonomous systems because it reduces the chance that the actor being governed can inspect, tamper with, or disable the control itself.
  • Non-human identity: A digital identity used by software, workloads, service accounts, API keys, tokens, certificates, or AI agents rather than by a person. In AI agent programmes, NHI governance extends lifecycle, reachability, and privilege control to actors that can act without direct human pacing.

What's in the full article

Elisity's full post covers the operational detail this analysis intentionally leaves for the source:

  • Network-level comparison of agentless microsegmentation versus endpoint-based enforcement for AI agent containment
  • The five threat vectors the vendor maps to agentic AI, including lateral movement, shadow AI, and NHI proliferation
  • Implementation guidance for identity-aware policy design across sanctioned and shadow agents
  • The article's own view of how microsegmentation fits alongside Zero Trust and NIST-aligned controls

👉 The full Elisity post covers threat vectors, enforcement models, and limitations in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity security capability across human, machine, or autonomous systems, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org