TL;DR: Ungoverned AI agents are already creating measurable cost through secrets management drag, audit overruns, and standing credential exposure, according to Opnova's analysis, which also cites developer time loss, exploitable stale credentials, and multi-million-dollar compliance burdens. The real issue is that existing joiner-mover-leaver and certification processes were built for stable identities, not rapidly multiplying agents that inherit human credentials.
At a glance
What this is: This is an Opnova analysis arguing that AI agent sprawl is already an operational and compliance cost, not just a future breach risk.
Why it matters: It matters because IAM, IGA, PAM, and NHI teams need to treat agent identity governance as a budgeted control problem before audit findings and remediation cycles expand the cost further.
By the numbers:
- GitGuardian found that 64% of credentials confirmed valid in 2022 were still exploitable four years later.
- McKinsey's 2025 State of AI survey found 62% of organisations are at least experimenting with AI agents.
- Only 23% have scaled an AI agent into even a single business function, according to McKinsey.
👉 Read Opnova's analysis of the business case for governing AI agents
Context
AI agent identity sprawl is a governance problem when new agent accounts, keys, and grants appear faster than identity teams can inventory, certify, and revoke them. The issue is not only breach exposure. It is the compounding cost of unmanaged credentials, manual review cycles, and audit evidence that arrives too late to prevent control drift.
For identity programmes, the relevant question is whether AI agents are being treated as first-class identities with joiner, mover, and leaver handling, or as borrowed extensions of human access. When agents inherit human credentials, the organisation loses clean accountability, clean offboarding, and a reliable boundary for least privilege. That is already typical in open-ended agent adoption, which is why the problem scales so quickly.
Key questions
Q: How should security teams govern AI agents that are created outside normal joiner workflows?
A: Security teams should bring AI agents into the same lifecycle discipline used for other identities, but with explicit ownership, inventory, and revocation paths. If an agent can be created outside approved workflows, it should not be allowed to inherit human credentials without a record of scope, purpose, and offboarding. That is the point where governance starts.
Q: Why do AI agents increase audit risk even when no breach has occurred?
A: AI agents increase audit risk because they expand the number of identities, credentials, and approvals that must be explained to auditors. If those agents are not in certification scope, the organisation cannot prove ownership, least privilege, or revocation. The result is audit delta, which becomes a finding even before an incident occurs.
Q: What breaks when agents use borrowed human credentials?
A: Borrowed human credentials break ownership, leaver handling, and evidence quality. The organisation can no longer tell whether the human or the agent performed an action, and revocation becomes uncertain because the access was never native to the agent. That makes the identity ungovernable in practice, even if it appears functional.
Q: Who is accountable when an AI agent's access is never revoked?
A: Accountability sits with the team that allowed the agent to operate without a lifecycle record, a named owner, and a revocation path. If the organisation cannot show who approved the access, who reviewed it, and who removed it, the control failure is governance, not tooling. Identity ownership must be explicit before deployment.
Technical breakdown
Why AI agent sprawl turns secrets management into a control burden
AI agents increase the number of identities that need credentials, ownership, review, and revocation. In practice, that means more API keys, service accounts, OAuth grants, and environment secrets that must be tracked across systems that were never designed to share a single governance model. The burden is not just the count of secrets. It is the absence of reliable lifecycle control, which leaves manual review as the default and makes stale access hard to remove at scale. Practical implication: if the identity team cannot inventory every agent credential, the programme is already operating below minimum governance fidelity.
Practical implication: if the identity team cannot inventory every agent credential, the programme is already operating below minimum governance fidelity.
Why access certification breaks down for agent identities
Access certification assumes a stable identity population, a documented owner, and a review window long enough for access to be observed and recertified. AI agents often bypass that model because they are created outside normal joiner workflows, accumulate standing privileges quickly, and may never appear in a certification campaign. That creates an audit delta, where the organisation can no longer prove who owns what, why it exists, or whether it still needs access. Practical implication: certification scope must explicitly include agents, or the review process will continue to certify only the identities that are easiest to see.
Practical implication: certification scope must explicitly include agents, or the review process will continue to certify only the identities that are easiest to see.
How agent platforms create governance drag compared with bounded solutions
Open-ended agent platforms let teams create many agents with broad, shifting access patterns. That increases governance drag because each agent can become its own identity, credential set, and audit object. By contrast, bounded AI-native solutions usually constrain task scope more tightly, which reduces the number of moving parts identity teams must govern after deployment. The difference is not branding. It is whether the organisation is retrofitting governance onto a sprawling runtime or embedding it into a narrow use case from the start. Practical implication: product review should include identity lifecycle fit, not just model capability.
Practical implication: product review should include identity lifecycle fit, not just model capability.
Threat narrative
Attacker objective: The objective is to exploit governance gaps around agent identity so that access persists, spreads, and becomes difficult to audit or remove.
- Entry occurs when AI agents are created with standing credentials or inherited human access, giving them immediate reach into production systems.
- Escalation follows when the agent population grows faster than identity governance can inventory, certify, or revoke access, creating unmanaged privilege spread.
- Impact lands as audit overruns, remediation work, and larger attack surface because the organisation cannot reliably prove ownership, scope, or offboarding.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent sprawl is becoming an identity governance tax, not just a security risk. The article's strongest point is that the cost starts long before a breach. Manual secrets handling, certification overhead, and audit remediation all accumulate because agent identities multiply faster than governance can keep up. For identity leaders, the implication is simple: the first control question is no longer whether agents are useful, but whether the programme can absorb them without turning every release into an access review problem.
Borrowed human credentials are the wrong foundation for agent governance. An agent that runs under a person's access collapses accountability, ownership, and leaver handling into the wrong identity class. That breaks the joiner-mover-leaver model because the system can no longer distinguish what the human did from what the agent did, which is a classic NHI governance failure. Practitioners should treat credential inheritance as a design flaw, not a convenience.
Standing privilege is the cost centre that turns agent sprawl into audit debt. The article is right to connect unrotated secrets, idle grants, and certification gaps into one budget line. That is the same pattern seen across NHI estates: access persists longer than the business justification, and the clean-up falls onto the next audit cycle. Teams that cannot measure standing privilege by agent will keep discovering the problem after the fact.
Ephemeral credential trust debt: This article exposes a familiar governance assumption that still shapes IAM and IGA programmes. The assumption is that access lives long enough to be reviewed, recertified, and revoked on a human schedule. That assumption fails when agents can be created in volume, inherit access instantly, and accumulate permissions faster than the review cycle can see them. The implication is not a new checkbox, but a different operating model for identity lifecycle control.
Open-ended agent platforms are pushing identity governance toward lifecycle-first design. The governance challenge is not isolated to AI. It is forcing IAM, PAM, and NHI teams to think in terms of ownership, scope, and offboarding across every non-human identity class. That will favour programmes that can bind identity to lifecycle from birth, because retroactive control will keep arriving too late to matter.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
- For a broader breach lens, see 52 NHI Breaches Analysis for root-cause patterns that help teams separate one-off mistakes from repeatable governance failure.
What this signals
Ephemeral credential trust debt: the longer an organisation waits to put agents into lifecycle control, the more governance debt it accumulates across secrets, ownership, and certification. That debt is visible in NHI programmes today, where compromised identities rarely stay singular and the clean-up burden rolls into later cycles.
The practical signal is that agent governance will increasingly sit inside IAM operating models, not beside them. Teams that can connect inventory, owner assignment, and offboarding to a single identity record will absorb new agent use cases with less audit friction and lower exposure growth.
For practitioners
- Inventory every agent identity and credential path Build a current list of all AI agents, their owners, their credentials, and the systems those credentials can reach. If the inventory cannot be produced quickly, treat that gap as a governance finding and not a documentation issue.
- Extend joiner, mover, and leaver workflows to agents Require each agent to have a named owner, a defined purpose, and a revocation path before it reaches production. Do not let agents inherit human credentials without an explicit lifecycle record that survives role change and shutdown.
- Measure standing privilege by agent population Track how many agents hold standing credentials, how many of those credentials have rotated, and how many are outside certification scope. Use the result to prioritize the identities most likely to create audit delta or exposure.
- Separate bounded use cases from open-ended platforms Prefer deployments where the agent's task scope, data access, and execution boundaries are explicit. This reduces the number of identity objects that must be governed after launch and makes access reviews tractable.
Key takeaways
- AI agent sprawl is already a measurable governance cost because it multiplies credentials, audit effort, and manual remediation.
- Agent identities that inherit human access weaken ownership and offboarding, which makes lifecycle control harder to prove and easier to fail.
- Identity teams should treat agent inventory, certification scope, and standing privilege as operational controls, not future planning items.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent sprawl and borrowed credentials map to core NHI lifecycle and ownership gaps. |
| NIST CSF 2.0 | PR.AC-1 | Identity management and access control are central to agent lifecycle governance. |
| NIST Zero Trust (SP 800-207) | The article's lifecycle and least-privilege concerns align with zero trust access assumptions. | |
| NIST SP 800-53 Rev 5 | IA-5 | Credential management is directly implicated by unrotated agent secrets and standing access. |
| NIST AI RMF | GOVERN | AI governance is needed where agents are treated as operational identities. |
Apply zero trust principles so agent access is explicitly granted, monitored, and reduced when task scope changes.
Key terms
- Agent Identity Lifecycle: The full sequence of creating, operating, changing, and removing an AI agent's access. In practice, it means the agent must have a named owner, defined scope, and a reliable offboarding path, just like any other governed identity.
- Audit Delta: The gap between the identities an organisation can prove are in scope and the identities actually operating in production. For AI agents, audit delta appears when credentials, owners, or certifications are missing, making compliance evidence incomplete even when systems appear functional.
- Standing Privilege: Access that remains active without a time limit or task boundary. In agent governance, standing privilege is risky because it lets identities keep reaching systems long after the original business need has changed, which increases both exposure and audit burden.
What's in the full article
Opnova's full blog covers the operational detail this post intentionally leaves for the source:
- The cost-model walkthrough that estimates engineering drag, audit delta, and breach exposure from agent sprawl.
- The distinction between open-ended agent platforms and bounded AI-native solutions in lifecycle governance terms.
- The discussion of regulatory pressure, including how auditors and regulators may interpret agent access and separation-of-duties gaps.
- The article's full framing of joiner, mover, and leaver handling for AI agents as a workforce governance problem.
👉 Opnova's full blog covers the cost model, audit exposure, and lifecycle gap behind agent sprawl.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org