By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Agentic AI & NHIsSource: Andromeda Security

TL;DR: AI agents can book meetings, triage incidents, ship code, and approve purchases by chaining tool calls across apps, making the application itself the attack surface, according to Andromeda Security. The decisive gap is that governance must evaluate the human, agent, and action together in real time, because legacy role assignments and reactive controls cannot keep pace with agent execution.


At a glance

What this is: This is Andromeda Security's analysis of why AI agent governance must move from agent-centric controls to an application perimeter built around the human, agent, and action triad.

Why it matters: It matters because IAM, NHI, and human access programmes all break down if they evaluate identity, intent, or action in isolation while agents are chaining live tool calls across business applications.

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).

👉 Read Andromeda Security's analysis of AI agent security and the application perimeter


Context

AI agent security is the problem of governing software that can decide which tools to call, in what order, and at what speed. The article argues that the real control point is not the agent alone but the application perimeter around the tools it can discover and chain.

For IAM teams, the shift matters because access is no longer a static entitlement question. It becomes a real-time evaluation problem across the human sponsor, the agent acting, and the action being attempted, with NHI and human risk now linked through the same call chain.

That is a typical pressure point for early agentic programmes: teams start by trying to contain the agent, then discover the application layer is where misuse, privilege expansion, and cross-system reach actually emerge.


Key questions

Q: How should security teams govern AI agents that can call multiple applications?

A: They should govern the applications and tool calls, not just the agent identity. That means evaluating the human sponsor, the agent, and the requested action together at runtime, then enforcing reusable policy at the application perimeter. The goal is auditable, context-aware authorisation, not a bigger list of static permissions.

Q: Why do AI agents complicate traditional access control models?

A: Agents complicate access control because they can chain tool calls across systems, discover new endpoints at runtime, and act faster than reactive controls can respond. Traditional models assume a stable subject and a discrete request. Agentic behaviour turns authorisation into a live decision about intent, context, and downstream reach.

Q: What breaks when teams only review the human or the agent?

A: You miss the full risk context. A low-risk human can trigger a high-risk agent action, and a constrained agent can still become dangerous if the requested action touches sensitive applications. The triad exists because evaluating any two of the three elements leaves a governance gap in the call chain.

Q: Who should own AI agent governance in an IAM programme?

A: Ownership should sit across IAM, NHI, and application security because the control problem spans identity, entitlement, and tool surfaces. The practical model is shared accountability with clear runtime decision rules, so the agent's reach, the user's context, and the application's sensitivity are governed together.


Technical breakdown

Application perimeter in AI agent security

The application perimeter is the idea that the protected boundary is no longer just the user, device, or network. In an agentic flow, each application exposes callable tools, APIs, and permissions that an agent can discover and chain at runtime. That makes the application itself the attack surface. Traditional controls that assume a person triggers one request at a time do not fit when a single agent can traverse several applications in one session. The perimeter must therefore follow the tool surface, not just the identity subject.

Practical implication: classify critical applications as governed tool surfaces and evaluate which agent actions are permitted at each interface.

The access evaluation triad: human, agent, action

The article's triad is a useful governance primitive because it captures the three things that actually determine whether an agentic action should proceed. The human is the sponsor or owner, the agent is the runtime actor, and the action is the specific operation being requested. Evaluating only the agent identity or only the user identity misses the combined risk context. In practice, this is closer to dynamic authorisation than to traditional role assignment because the decision depends on who is behind the agent and what that agent is about to do.

Practical implication: move authorisation decisions to the point of action and require all three triad elements before a tool call is allowed.

Composable policy for runtime agent governance

Composable policy means the organisation can express reusable rules that combine identity, intent, device context, and application risk without hard-coding one-off exceptions. That matters because agents scale faster than manual governance can track. The article's point is not that policy should be stricter, but that it must be machine-evaluable and reusable across populations. This also reframes access review: if the policy cannot be compiled into an auditable runtime decision, it is too weak for agentic execution.

Practical implication: define reusable policy objects for agent action, sponsor context, and application sensitivity, then enforce them at runtime.



NHI Mgmt Group analysis

AI agent security is really application security with identity semantics attached. The article is right to move the control boundary from the agent as a generic actor to the applications it can reach. That reflects a deeper field reality: once agents can discover tools and chain calls across systems, the app becomes the operative perimeter and identity becomes the decision fabric. Practitioners should treat the application layer as the control plane for agentic access, not as a downstream integration detail.

The access evaluation triad is the right abstraction because neither human IAM nor NHI governance is sufficient on its own. A human sponsor can be low risk in one context and high risk in another; an agent can be authorised in principle but dangerous in a specific action sequence. The article's triad forces decisioning at the combined human, agent, and action level, which is exactly where legacy role models break down. That is the governance shift programmes need to internalise.

Identity graph risk now flows both ways between human access and agent reach. The article correctly points out that access to an agent can become a lateral path into every application that agent can touch. That means the old separation between human entitlement risk and machine entitlement risk is eroding. The practical conclusion is that identity governance has to model delegated reach, not just direct grants.

Policy composition is the named concept this category needs: reusable rules for runtime agent decisions. Static approval workflows are too slow for agent speed, and isolated app rules do not scale across dozens of tool calls. Composable policy is what allows the field to move from reactive containment to enforceable intent. Practitioners should recognise that any agent programme without reusable policy expression will drift into manual exceptions almost immediately.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 44% of organisations have implemented policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.
  • For related NHI governance context, see The 52 NHI breaches Report for the control failures that emerge when machine identities outlive their intended scope.

What this signals

Policy composition will become the differentiator in agent governance programmes. Teams that can express the human, agent, and action triad as reusable policy will move faster than teams trying to bolt approvals onto legacy role models. The pressure point is not whether agents are useful. It is whether the organisation can compile intent into real-time access decisions without falling back to manual exceptions.

Identity graphs now need to map delegated reach, not just direct entitlement. A person with access to an agent may indirectly inherit reach into every application that agent can call, which changes how privilege review should work across IAM and NHI programmes. For the broader context on how machine identities fail when access is not lifecycle-aware, see The 52 NHI breaches Report.

As agent populations expand, the operational signal to watch is whether application teams still treat tool access as an integration issue. Once that happens, governance becomes reactive and fragmented. The more resilient pattern is to treat each high-value application as a controlled surface with explicit runtime rules for agentic access, sponsor context, and auditability.


For practitioners

  • Define governed application perimeters Inventory the applications that expose callable tools, APIs, or workflows an agent can reach, then classify them by business sensitivity and abuse potential.
  • Enforce triad-based authorisation Require the human sponsor, agent identity, and requested action to be evaluated together at runtime before a tool call is approved.
  • Build composable policy for agent actions Encode reusable rules for sponsor context, agent scope, and application risk so approvals are consistent across teams and workloads.
  • Link human access to downstream agent reach Review whether access to an agent implicitly grants lateral reach into the applications that agent can call, especially for contractors and elevated roles.

Key takeaways

  • AI agent governance fails when teams treat the agent as the boundary instead of the applications it can call.
  • The strongest evidence in the article is the need for real-time evaluation of the human, agent, and action together before access is granted.
  • Practitioners should move toward composable policy and governed application perimeters so agentic access can be authorised, audited, and limited at runtime.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Agent tool chaining and runtime decisions map directly to agentic application risk.
NIST AI RMFGovernance and accountability are central to deciding who can authorize agent actions.
NIST CSF 2.0PR.AA-01Identity and access governance is required for triad-based runtime authorisation.

Assign clear ownership for agent decisions and document the governance process for each high-risk action.


Key terms

  • Application Perimeter: The application perimeter is the boundary formed by the tools, APIs, and actions an identity can reach inside a business system. For AI agents, it becomes the real enforcement point because the agent may discover and chain calls across multiple applications, making the application surface more important than the login event.
  • Access Evaluation Triad: The access evaluation triad is the three-part decision set of human sponsor, acting agent, and requested action. It exists because no single element fully describes risk in an agentic workflow. The triad makes authorisation context-aware and is especially useful when the same agent can act for different users.
  • Composable Policy: Composable policy is a reusable policy design that combines identity, context, and action rules into machine-evaluable decisions. In agentic environments, it matters because one-off approvals do not scale. The policy must be able to express intent once and enforce it consistently across many tool calls and applications.

What's in the full article

Andromeda Security's full article covers the operational detail this post intentionally leaves for the source:

  • How the policy engine is intended to evaluate the human, agent, and action triad in real time
  • The application-centric onboarding model for treating each app as a governed tool surface
  • The article's reasoning on how group-level intent can be turned into enforceable access decisions
  • The vendor's description of how human context changes the rules governing agent actions

👉 The full Andromeda Security article expands on policy composition, tool-surface governance, and the human-agent-action triad.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org