By NHI Mgmt Group Editorial Team | Published 2026-05-28 | Domain: Agentic AI & NHIs | Source: Abnormal AI

TL;DR: AI agents gained write access to dozens of SaaS apps in under a week through permission creep, while synthetic job candidates used AI-generated resumes and coached calls to obtain real directory identities and system access, according to Abnormal AI. The core issue is identity drift outpacing rule-based detection, because attacks can look legitimate until after access is already granted.


At a glance

What this is: This analysis shows how AI agents and synthetic identities can accumulate legitimate access faster than rule-based identity controls can define new detections.

Why it matters: IAM, IGA, PAM, and NHI programmes now need to govern identity drift across both machine-driven and human-facing access paths before normal-looking behaviour becomes authorised exposure.



Context

Identity controls fail when they depend on prewritten signatures for behaviour that has no stable signature yet. In this case, AI agents accumulated permissions across SaaS applications and synthetic candidates gained real directory identities, showing that identity and access deviation can arrive before any traditional detection rule exists.

For IAM and NHI teams, the problem is not only access issuance. It is the gap between legitimate-looking identity creation and the moment privilege drifts beyond intended scope, which means behavioural visibility and lifecycle governance now have to work together.


Key questions

Q: How should security teams handle permission creep for AI agents across SaaS apps?

A: Security teams should treat permission creep as a lifecycle and governance problem, not only a detection problem. Track entitlements per identity, compare current access against original task scope, and flag cross-app write access that grows without explicit business justification. Behavioural monitoring helps, but the control objective is to keep access aligned with intent as the agent operates.

Q: Why do synthetic job candidates create IAM risk even after they are approved?

A: Because approval can be based on a convincing but false identity, and downstream systems often trust the directory record once it exists. If the onboarding step fails to verify the real person, the account may receive legitimate access that is hard to distinguish from a normal hire. The risk is upstream of authentication and persists through the lifecycle.

Q: What breaks when identity security depends only on new detection rules?

A: Rule-only security breaks when the attack has no known signature yet. Novel identity abuse, especially in AI-heavy workflows, can appear legitimate until the access pattern has already expanded. Teams need behavioural baselines and governance controls because a rule can only catch what someone has already described in policy or detection logic.

Q: How do IAM teams know whether behavioural detection is working for identity abuse?

A: Look for earlier detection of identity drift, fewer unexplained entitlement expansions, and faster review of access that crosses normal task boundaries. If behavioural tooling only confirms incidents after wide access accumulation, it is acting as after-the-fact evidence collection rather than prevention. The test is whether it surfaces deviation before scope becomes operationally broad.


Technical breakdown

Permission creep in AI agents across SaaS apps

Permission creep occurs when an identity accumulates more access over time than its original task required. For AI agents, that can happen without compromise: the agent interacts with multiple SaaS applications, inherits new entitlements through workflow adjacency, and expands its write surface as normal operation continues. The problem is not just excess privilege. It is that the access pattern looks incremental and legitimate until the accumulated scope is far broader than the initial intent. Traditional rule-based detections are weak here because they look for discrete violations, not drift across many small approvals or inherited permissions.

Practical implication: monitor entitlement growth by identity, not just event-by-event anomalies, and treat cross-SaaS write access as a lifecycle control problem.
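One way to measure entitlement growth per identity, as an added example that is not code from Abnormal AI or NHI Mgmt Group: it compares each grant against the identity's approved task scope and flags unjustified grants and fast cross-app write growth. The identities, apps, ticket ids, 7-day window and threshold of two new write apps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: approved task scope per identity (app -> allowed access levels).
APPROVED_SCOPE = {
    "agent-invoice-bot": {"erp": {"read", "write"}, "mail": {"read"}},
    "svc-backup": {"storage": {"read", "write"}},
}

# Constructed grant log: (timestamp, identity, app, level, justification ticket or None).
GRANTS = [
    ("2026-05-01T09:00", "agent-invoice-bot", "erp", "write", "CHG-1"),
    ("2026-05-02T10:00", "agent-invoice-bot", "crm", "write", None),
    ("2026-05-03T11:00", "agent-invoice-bot", "wiki", "write", None),
    ("2026-05-04T12:00", "agent-invoice-bot", "chat", "write", "CHG-2"),
    ("2026-05-05T08:00", "agent-invoice-bot", "mail", "write", None),
    ("2026-05-02T08:00", "svc-backup", "storage", "write", "CHG-3"),
    ("2026-03-01T08:00", "svc-backup", "crm", "read", None),
]

def drift_report(grants, approved, now, window_days=7, max_new_write_apps=2):
    """Per identity: access outside approved scope, and whether it needs review."""
    cutoff = now - timedelta(days=window_days)
    out_of_scope = defaultdict(list)      # grants not covered by the approved scope
    unjustified = defaultdict(list)       # out-of-scope grants with no ticket
    recent_write_apps = defaultdict(set)  # out-of-scope write apps gained in the window
    for ts, ident, app, level, ticket in grants:
        if level in approved.get(ident, {}).get(app, set()):
            continue  # still matches the original task scope
        out_of_scope[ident].append((app, level))
        if ticket is None:
            unjustified[ident].append((app, level))
        if level == "write" and datetime.fromisoformat(ts) >= cutoff:
            recent_write_apps[ident].add(app)
    report = {}
    for ident, extra in out_of_scope.items():
        fast_growth = len(recent_write_apps[ident]) > max_new_write_apps
        report[ident] = {
            "out_of_scope": sorted(extra),
            "unjustified": sorted(unjustified[ident]),
            "new_write_apps_in_window": sorted(recent_write_apps[ident]),
            "fast_write_growth": fast_growth,
            "review": fast_growth or bool(unjustified[ident]),
        }
    return report
```

Each grant here would pass an event-by-event check on its own; the finding only appears when grants are aggregated per identity and compared with the approved scope.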

Synthetic job candidates and identity proofing failure

Synthetic job candidates exploit the gap between hiring workflow trust and identity assurance. AI-generated resumes and coached screening calls can produce a convincing candidate long enough for a real offer, after which the attacker acquires a legitimate directory identity and downstream system access. The failure is upstream of authentication. Once the identity exists in the directory, many controls assume the person behind it is real, approved, and bound by employment lifecycle processes. That assumption breaks when the initial proofing step is weak, because access then becomes a cleanly issued credential problem rather than an obvious fraud case.

Practical implication: strengthen identity proofing and employment verification before directory creation, especially where HR, IAM, and onboarding are loosely coupled.

Why behavioural baselines outperform new detection rules

Behavioural security models work by learning what normal identity activity looks like across communication patterns, access use, and execution timing, then flagging deviations without waiting for a named threat. That matters when attacks emerge before the playbook exists, because rule-based systems require humans to author a rule after the fact. In this article, Abnormal AI's point is that the threat surface is already changing faster than signature management. The technical shift is from enumerating bad events to modelling identity behaviour across time, systems, and access context.

Practical implication: pair rules with behaviour baselines so that first-seen identity abuse can still be detected before a new signature exists.
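A minimal per-identity baseline that flags first-seen behaviour without any named signature, as an added example that is not Abnormal AI's model or code from this page. The event format, identities, deviation codes and one-hour slack are constructed assumptions.

```python
from collections import defaultdict

# Constructed history of normal activity: (identity, app, action, hour of day, UTC).
HISTORY = [
    ("agent-invoice-bot", "erp", "read", 9),
    ("agent-invoice-bot", "erp", "write", 10),
    ("agent-invoice-bot", "mail", "read", 9),
    ("agent-invoice-bot", "erp", "read", 11),
    ("svc-backup", "storage", "write", 23),
    ("svc-backup", "storage", "write", 0),
    ("svc-backup", "storage", "read", 23),
]

def build_baseline(events):
    """Learn, per identity, which (app, action) pairs and hours are normal."""
    base = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for ident, app, action, hour in events:
        base[ident]["pairs"].add((app, action))
        base[ident]["hours"].add(hour)
    return dict(base)  # plain dict so lookups never create identities

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def deviations(baseline, event, hour_slack=1):
    """Return deviation codes for one event; an empty list means 'looks normal'."""
    ident, app, action, hour = event
    if ident not in baseline:
        return ["new_identity"]
    profile, found = baseline[ident], []
    known_apps = {a for a, _ in profile["pairs"]}
    if app not in known_apps:
        found.append("new_app")
    elif (app, action) not in profile["pairs"]:
        found.append("new_action")  # e.g. first write on a read-only app
    if min(hour_distance(hour, h) for h in profile["hours"]) > hour_slack:
        found.append("odd_hour")
    return found
```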


Threat narrative

Attacker objective: The attacker seeks durable, legitimate-looking access that bypasses traditional signature-based detection and enables broader system reach.

  1. Entry occurs when an AI agent or synthetic candidate gains a legitimate identity path through normal SaaS or hiring workflows rather than by stealing credentials.
  2. Escalation occurs as the identity accumulates additional permissions or directory access that exceed the original scope without triggering a predefined rule.
  3. Impact occurs when the identity's expanded access reaches multiple applications or system resources, creating authorised but unintended exposure at scale.



NHI Mgmt Group analysis

Identity drift is now a primary attack surface, not a side effect of automation. AI agents that accumulate permissions across SaaS apps and synthetic hires that gain real directory identities both show the same pattern: access is granted through normal processes, then expands beyond the original intent. That means the security problem is not only compromise, but gradual divergence between intended and actual identity scope. Practitioners should treat drift as a first-class governance signal, not an operational nuisance.

Rule-based identity security breaks when the threat has no prior signature. The article is correct that a detection rule cannot fire on a pattern that has never been named, which is why behavioural models matter. A static rule set can only catch what the team already expects, while identity abuse in AI-heavy workflows emerges through new combinations of legitimate actions. The implication is that identity operations must assume first-seen abuse will arrive before policy codification does.

Legitimate directory identity creation is not the same as trusted identity assurance. Synthetic candidates expose a governance gap between onboarding approval and actual identity proofing. Once the directory record exists, downstream systems often treat it as validated, even if the person behind it was never real. That makes the real control failure upstream of access provisioning, and practitioners should rethink where trust is established in the joiner process.

Permission accumulation is an NHI lifecycle problem, even when the actor is an AI agent. The article describes AI agents acquiring access across SaaS environments with no human reviewing scope, which is a lifecycle failure more than a point-in-time abuse event. The named concept here is identity drift: access that remains operationally valid while becoming governance-invalid. Teams should conclude that access review cadence alone cannot keep pace with rapidly expanding machine identity scope.

Behavioral detection is becoming the compensating control for unknown identity abuse patterns. Abnormal's argument reflects a broader shift in IAM and NHI governance: controls that wait for explicit signatures are always late against novel identity behaviour. That does not replace lifecycle controls, but it does change the security baseline. Practitioners should expect identity analytics to absorb more of the first-detection burden while governance catches up.

From our research:

  • AI agents have already performed actions beyond their intended scope in 80% of organisations, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That visibility gap means teams should pair behavioural monitoring with the Top 10 NHI Issues and treat identity drift as a governance signal, not just a detection event.

What this signals

Identity drift is the operating condition IAM and NHI teams need to plan for, because access can now expand through ordinary workflows faster than review cycles can react. The practical response is to instrument entitlement growth, lifecycle transitions, and behavioural baselines as one control plane rather than three separate programmes.

Abnormal's framing aligns with a wider shift in non-human identity governance: the most dangerous access paths are increasingly the ones that look legitimate at issuance and only become risky through accumulation. That is why behavioural analytics, lifecycle recertification, and scope monitoring need to be coordinated, not sequenced.

With 48% of companies unable to track and audit the data their AI agents access, the compliance problem is already large enough to affect investigation readiness. Teams that do not bind agent behaviour to access governance will struggle to explain what happened after the fact.


For practitioners

  • Track entitlement growth by identity: Measure how much access each AI agent, service account, or synthetic user accumulates over time, and flag sudden expansion across SaaS applications as a review trigger.
  • Strengthen identity proofing before directory creation: Separate candidate validation from account creation so that hiring workflows cannot create production identities until identity assurance checks are complete.
  • Baseline identity behaviour across systems: Combine behavioural analytics with lifecycle controls so that first-seen identity abuse can be detected even when no signature or rule exists yet.
  • Review cross-SaaS write permissions as lifecycle risk: Treat write access that spans multiple SaaS platforms as a governance problem, then recertify it against current task scope instead of original approval history.

Key takeaways

  • AI agents and synthetic identities can both produce legitimate-looking access paths that drift beyond intended scope before rule-based controls react.
  • The scale of the problem is already material, with AI agent behaviour beyond intended scope reported across most organisations.
  • IAM, IGA, and NHI teams need behavioural visibility, stronger identity proofing, and tighter lifecycle controls to keep access aligned with intent.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Agent permission creep maps to uncontrolled access growth across non-human identities.
NIST CSF 2.0 | PR.AC-4 | Identity access governance is central to preventing unintended expansion of SaaS privileges.
NIST Zero Trust (SP 800-207) | PR.AC | Zero trust requires continuous verification when identities can drift beyond intended scope.

Continuously verify identity behaviour and restrict access paths that expand without explicit justification.


Key terms

  • Identity Drift: Identity drift is the gradual mismatch between an identity's approved access and its real operating scope. It happens when permissions expand through normal workflow, inheritance, or repeated approvals until the current state no longer reflects the original intent. In practice, drift is a governance failure, not just an anomaly.
  • Permission Creep: Permission creep is the accumulation of privileges beyond what a task or role genuinely requires. For non-human identities, it often happens quietly across applications and services, making the access path look normal until the effective blast radius becomes much larger than the original approval assumed.
  • Behavioral Baseline: A behavioral baseline is a model of what normal identity activity looks like over time, including access patterns, timing, and communication habits. It is used to detect deviation when no specific rule or signature exists yet. For AI agents and synthetic identities, it becomes a compensating control for novel abuse.
  • Synthetic Identity: A synthetic identity is a fabricated or manipulated identity that appears legitimate enough to pass normal onboarding or verification steps. In IAM contexts, it can receive a directory account, access entitlements, and downstream trust even though the person behind it was never properly established as real.


This post draws on content published by Abnormal AI: AI agent permission creep and synthetic identity risk. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org