By NHI Mgmt Group Editorial Team
Published 2025-11-11
Domain: Agentic AI & NHIs
Source: WorkOS

TL;DR: AI agent security tooling now forms a layer that can watch behaviour but cannot define authority, leaving enterprises with visibility into action and weak control over what those systems may access, according to WorkOS. The real issue is that monitoring tools do not replace authentication, authorization, or lifecycle governance for autonomous identities.


At a glance

What this is: This is a comparison-focused analysis of AI agent security that finds observability can detect behaviour, but it does not establish the identity and access boundaries agents need.

Why it matters: It matters because IAM, PAM, and NHI programmes must decide where monitoring ends and enforceable control begins for AI agents, service accounts, and human access.

By the numbers:

👉 Read WorkOS's analysis of Zenity's AI agent security approach and enterprise implications


Context

AI agent security is moving beyond a narrow tooling debate and into a governance problem. The primary gap is not whether teams can observe agent behaviour, but whether they can define, enforce, and audit what an agent is allowed to do in the first place. That is the core IAM question behind AI agents, and it becomes sharper as agent deployments spread across SaaS, cloud, and endpoint environments.

WorkOS uses Zenity as the comparison point, but the broader issue is category separation. Observability and response tooling can help security teams see anomalies, yet they sit above identity control. For enterprise IAM programmes, the decision is whether to treat agentic systems as visible software or as governed identities with explicit authentication, authorization, and audit requirements.


Key questions

Q: How should security teams govern AI agents that have enterprise access?

A: Security teams should govern AI agents as non-human identities with explicit authentication, authorization, lifecycle, and audit controls. Monitoring tools can help detect misuse, but they do not define access boundaries. The practical standard is to inventory every agent, bind it to an owner, and enforce least privilege with revocation paths for tokens and credentials.

Q: Why do AI agents create problems for traditional IAM programmes?

A: AI agents create problems because traditional IAM assumes access is relatively stable, attributable, and easy to certify over time. Agents can act at machine speed, spread across multiple systems, and inherit privileges that no one later reviews. That makes access reviews, offboarding, and accountability harder unless the agent is treated as a governed identity.

Q: What breaks when observability is used instead of access control for AI agents?

A: What breaks is the security boundary itself. If teams rely on observability alone, they may see suspicious agent behaviour only after the agent has already accessed data or taken action. The control gap is not detection quality, but the absence of enforceable authorization before execution.

Q: Should organisations separate AI agent monitoring from identity governance?

A: Yes. Organisations should separate AI agent monitoring from identity governance because they solve different problems. Monitoring answers what happened, while identity governance answers whether the action should have been possible. Keeping those functions distinct prevents teams from mistaking visibility for control and helps reduce over-permissioning.


Technical breakdown

AI agent observability vs authorization control

Observability platforms focus on discovering agents, mapping their actions, and detecting unusual behaviour across systems. Authorization infrastructure answers a different question: what can this identity access, when, and under which policy. Those are not interchangeable layers. An agent can be heavily monitored and still have excessive rights, weak secrets handling, or no lifecycle boundary. In practice, visibility without enforceable policy creates a detection-only model, which is too late for sensitive data access and action execution.

Practical implication: separate monitoring from access control and verify that every agent has enforceable identity boundaries before deployment.

Shadow AI detection and governance posture

Shadow AI refers to unmanaged or undiscovered AI agents operating outside formal governance. Discovery matters because hidden agents can inherit credentials, reach sensitive data, or act through approved enterprise integrations without being in the security team's inventory. AI security posture management tries to close that gap at build time by identifying over-permissioning and policy drift before agents are active. The technical limitation is that posture tools reduce exposure, but they do not replace a control plane that issues identities, enforces authorization, and governs offboarding.

Practical implication: inventory all agent deployments and tie discovery to access review, offboarding, and policy enforcement workflows.

Why agent behaviour baselines do not replace identity governance

Behavioural detection looks for deviations in the sequence of actions an agent takes, including prompt injection patterns, data leakage attempts, or unexpected autonomous steps. That can be useful for response, but it is still a downstream signal. Identity governance determines whether the behaviour should have been possible at all. A platform that tracks intent and action sequence may reduce dwell time, yet it cannot correct over-granted access, unmanaged secrets, or missing separation between agent identity and enterprise privilege.

Practical implication: use behavioural detection as a compensating control, not as a substitute for least privilege and credential governance.


Threat narrative

Attacker objective: The objective is to use the AI agent's access path to reach sensitive data or perform actions that appear legitimate to the surrounding systems.

  1. Entry occurs when an AI agent is introduced into enterprise systems through SaaS, cloud, or endpoint integrations and inherits access patterns that are not fully governed.
  2. Credential access or abuse follows when the agent operates with over-permissioned identity, unmanaged secrets, or tokens that outlive the deployment decision.
  3. Impact occurs when the agent accesses sensitive data, takes unintended actions, or creates an audit blind spot that security teams cannot reconstruct fully.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agent security is becoming an identity governance problem before it is a detection problem. The article shows a clear split between visibility tooling and enforceable access control. That split matters because most enterprise security programmes still treat monitoring as if it can compensate for undefined authority. The correct conclusion is that AI agents must be governed as identities, not just observed as software.

Visibility without authorization control creates a false sense of containment. An agent that is continuously monitored can still reach data or execute actions it should never have had access to in the first place. That is why behavioural tooling cannot be the primary control plane for agentic systems. Practitioners should treat observability as evidence collection, not access governance.

Shadow AI is the named concept here: unmanaged agents create invisible identity sprawl. Once agents exist across SaaS, cloud, and endpoint environments, the governance problem looks less like one deployment and more like a distributed NHI estate. This is where discovery, policy, and lifecycle controls converge. Security teams need one inventory model that can support both human and machine identity oversight.

Enterprise AI security will increasingly converge with NHI governance rather than sit apart from it. The article's comparison makes the field direction clear: security teams are being pushed toward a model where authentication, authorization, auditability, and lifecycle management apply consistently across humans, workloads, and agents. The implication is that AI agent programmes cannot be run as a special-case exception to IAM.

Behavioural detection is a downstream control, but identity boundaries decide the blast radius. Intent-focused monitoring can shorten response time, yet the real boundary is whether an agent was ever allowed to reach the target system, token, or dataset. That is the governance line practitioners should defend first.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • For a governance framework that goes beyond monitoring, review Ultimate Guide to NHIs, Key Challenges and Risks, for the control gaps that drive NHI sprawl.

What this signals

Identity programmes should assume that AI agent adoption will outpace manual governance unless discovery is automated. The article points to a market pattern where observability is being sold as security, but the reader's programme needs a stronger answer: enforceable identity boundaries, not just better dashboards. With 92% of organisations agreeing that governing AI agents is critical yet only 44% having policies in place, the gap is already operational rather than theoretical.

Shadow AI should be treated as an identity inventory problem, not only an app discovery problem. If security teams cannot reconcile agents, tokens, and delegated access across environments, they cannot prove who or what touched sensitive data. That is why agent governance should be folded into the same review rhythm used for high-risk service accounts and privileged integrations.

The practical signal for IAM leaders is that agentic AI governance is converging with NHI lifecycle control. Teams that already manage service account visibility, revocation, and access certification will adapt faster than teams that have treated AI agents as a separate security category.


For practitioners

  • Separate observability from authorization: Map every AI agent control to one of three layers: discovery, policy enforcement, or runtime response. If a control only detects behaviour, do not count it as proof that access is governed. The key test is whether the agent can be stopped from acting before a sensitive action completes.
  • Inventory shadow AI across all deployment paths: Track agents in SaaS-managed, home-grown, and device-based environments, then reconcile them against your identity inventory. Include service-owned integrations, tokens, and non-human credentials that may let an agent act without being visible in the primary IAM stack.
  • Apply lifecycle governance to agent identities: Require joiner-mover-leaver handling for AI agents just as you would for service accounts. Offboarding must remove access, revoke tokens, and retire any agent-specific permissions before the system is decommissioned or repurposed.
  • Use behavioural detection as a compensating control: Keep intent-based monitoring for prompt injection, policy drift, and unusual action sequences, but treat it as secondary evidence. The control objective is to reduce dwell time after a failure, not to justify weak identity setup in the first place.
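As an added example (not code from WorkOS, Zenity or NHI Mgmt Group), the Python sketch below puts the distinction drawn in the technical breakdown and in the practitioner steps above into working form: an agent identity inventory in which every agent has an owner, a least-privilege scope list and a credential expiry; a pre-execution authorization gate that denies unknown (shadow), revoked, expired or out-of-scope agents before the action runs; a monitor-only path that records the same action only after it has happened; and a behavioural check over the audit log that flags a burst of denials as a compensating signal. All agent names, owners, scopes and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass
class AgentIdentity:
    """Governed non-human identity: owner, least-privilege scopes, bounded lifetime."""
    agent_id: str
    owner: str                 # accountable human for joiner-mover-leaver handling
    scopes: FrozenSet[str]     # explicit allow-list of actions, e.g. {"crm:read"}
    expires_at: datetime       # credential lifetime tied to the deployment decision
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditEvent:
    agent_id: str
    action: str
    allowed: bool
    reason: str
    at: datetime


class AgentRegistry:
    """Identity inventory: the control plane that issues, revokes and offboards agents."""

    def __init__(self) -> None:
        self._agents: Dict[str, AgentIdentity] = {}

    def register(self, agent_id: str, owner: str, scopes: Iterable[str],
                 ttl: timedelta, now: datetime) -> None:
        self._agents[agent_id] = AgentIdentity(agent_id, owner, frozenset(scopes), now + ttl)

    def get(self, agent_id: str) -> Optional[AgentIdentity]:
        return self._agents.get(agent_id)

    def offboard(self, agent_id: str) -> None:
        # Leaver handling: revoke the credential and retire agent-specific permissions.
        ident = self._agents.get(agent_id)
        if ident is not None:
            ident.revoked = True
            ident.scopes = frozenset()

    def shadow_agents(self, observed_ids: Iterable[str]) -> Set[str]:
        # Reconcile observed actors against the inventory; anything unknown is shadow AI.
        return {a for a in observed_ids if a not in self._agents}


def authorize(registry: AgentRegistry, agent_id: str, action: str, now: datetime) -> Decision:
    """Policy decision taken BEFORE execution; this is the enforceable boundary."""
    ident = registry.get(agent_id)
    if ident is None:
        return Decision(False, "unknown agent: not in identity inventory")
    if ident.revoked:
        return Decision(False, "agent revoked or offboarded")
    if now >= ident.expires_at:
        return Decision(False, "credential expired")
    if action not in ident.scopes:
        return Decision(False, f"scope {action!r} not granted")
    return Decision(True, "allowed by policy")


def execute_gated(registry: AgentRegistry, audit: List[AuditEvent],
                  agent_id: str, action: str, now: datetime) -> bool:
    """Authorization-first path: the action runs only if the decision allows it."""
    decision = authorize(registry, agent_id, action, now)
    audit.append(AuditEvent(agent_id, action, decision.allowed, decision.reason, now))
    return decision.allowed


def execute_monitor_only(audit: List[AuditEvent], agent_id: str, action: str,
                         now: datetime) -> bool:
    """Detection-only path: the action always runs; the log is written afterwards."""
    audit.append(AuditEvent(agent_id, action, True, "observed; no pre-execution check", now))
    return True


def denied_burst(audit: Iterable[AuditEvent], threshold: int = 3) -> Set[str]:
    """Compensating behavioural signal: agents repeatedly hitting the policy boundary."""
    counts: Dict[str, int] = {}
    for ev in audit:
        if not ev.allowed:
            counts[ev.agent_id] = counts.get(ev.agent_id, 0) + 1
    return {agent for agent, n in counts.items() if n >= threshold}


def demo() -> dict:
    # Constructed scenario: one governed support agent and one unregistered actor.
    now = datetime(2025, 11, 11, tzinfo=timezone.utc)
    reg = AgentRegistry()
    reg.register("support-bot", "owner@example.test", {"crm:read"}, timedelta(days=7), now)
    gated: List[AuditEvent] = []
    watched: List[AuditEvent] = []
    results = {}
    results["read_allowed"] = execute_gated(reg, gated, "support-bot", "crm:read", now)
    results["export_blocked"] = execute_gated(reg, gated, "support-bot", "crm:export", now)
    results["expired_blocked"] = execute_gated(reg, gated, "support-bot", "crm:read",
                                               now + timedelta(days=8))
    reg.offboard("support-bot")
    results["offboarded_blocked"] = execute_gated(reg, gated, "support-bot", "crm:read", now)
    # Monitor-only path: the unregistered agent's export is logged but never stopped.
    results["monitor_only_ran"] = execute_monitor_only(watched, "rogue-agent", "crm:export", now)
    results["shadow"] = reg.shadow_agents({"support-bot", "rogue-agent"})
    results["burst"] = denied_burst(gated)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the outcome of each path. The point of the design is that every denial reason (unknown, revoked, expired, out of scope) is produced by the identity control plane before the action executes, while the monitor-only path can only tell you afterwards that the export happened; the denial-burst check is useful evidence but is deliberately built on top of the gate rather than in place of it.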

Key takeaways

  • AI agent security fails when teams confuse behavioural monitoring with enforceable identity control.
  • Visibility gaps are already material: many organisations cannot audit what their AI agents access, which creates compliance and breach-investigation blind spots.
  • The right response is to govern AI agents as identities with inventory, authorization, lifecycle, and auditability, not as software that can be watched after the fact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Agentic AI Top 10          |                     | Agent behaviour, prompt injection, and runtime misuse are central to the article.
OWASP Non-Human Identity Top 10  | NHI-03              | The article centres on over-permissioned non-human access and lifecycle control.
NIST CSF 2.0                     | PR.AC-4             | The post focuses on access control, identity proofing, and authorization boundaries.

Align agent governance to access-management controls and document who can grant, review, and revoke access.


Key terms

  • AI Agent Observability: AI agent observability is the practice of tracking what an agent does across systems, including actions, permissions, and data access. It provides visibility into behaviour, but it does not by itself establish what the agent was authorised to do or when access should be revoked.
  • Shadow AI: Shadow AI is an AI agent or AI-enabled system operating outside formal inventory, approval, or governance. In identity terms, it is unmanaged non-human access that can inherit credentials, reach data, and create audit blind spots without a clear owner or offboarding path.
  • AI Security Posture Management: AI Security Posture Management is the set of controls used to find misconfigurations, over-permissioning, and policy drift in AI deployments before or during operation. It reduces exposure, but it must be paired with identity controls that define access, enforce authorisation, and handle lifecycle changes.
  • Behavioural Detection: Behavioural detection is a control that looks for suspicious sequences of actions rather than static indicators alone. For AI agents, it helps identify prompt injection, data leakage, or unexpected execution paths, but it remains a response-layer capability rather than a substitute for least privilege.

Deepen your knowledge

AI agent identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing controls for autonomous systems alongside service accounts and human users, it is worth exploring.

This post draws on content published by WorkOS: Zenity for AI Agent Security, features, pricing, and alternatives. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org