By NHI Mgmt Group Editorial Team | Published 2025-06-09 | Domain: Agentic AI & NHIs | Source: Astrix Security

TL;DR: AI agents are turning single-purpose non-human identities into multi-identity access chains that expand permissions, blur ownership, and raise the risk of living-off-the-land abuse, according to Astrix Security's analysis. The governance problem is no longer just credential hygiene, but proving which actor owns which access path when AI behavior becomes nondeterministic.


At a glance

What this is: This analysis argues that AI agents are multiplying NHI sprawl, widening sensitive access, and making ownership and lifecycle governance harder to prove.

Why it matters: IAM, PAM, and identity governance teams need to manage AI agents, service accounts, and human access as one control problem when access footprints expand.


Context

AI agent identity risk is emerging because the actor is no longer a simple script with fixed access. The article frames AI agents as systems that can make autonomous, nondeterministic decisions, request access dynamically, and accumulate multiple non-human identities across business systems, cloud services, and data platforms.

For IAM and NHI programmes, that changes the control problem from managing one identity at a time to governing an access footprint that can span many identities and many owners. Once the access chain becomes opaque, approval, review, rotation, and offboarding all become harder to trust at face value.


Key questions

Q: How should security teams govern AI agents that rely on multiple non-human identities?

A: Treat the agent and its linked identities as one access graph. Security teams should inventory every credential, app registration, token, and service account the agent can use, then govern ownership, approvals, logging, and offboarding at that composite level. If one link is unmanaged, the effective privilege of the whole agent is unmanaged too.

Q: Why do AI agents increase non-human identity risk in enterprises?

A: AI agents increase risk because they often need broader cross-system access than a single workload or script, and they can accumulate several identities to do that work. The result is more privilege, more ownership ambiguity, and more opportunities for abuse if the agent’s access is not tightly scoped and continuously monitored.

Q: What breaks when AI-associated NHIs are treated like ordinary automation?

A: Visibility and accountability break first. Ordinary automation is usually predictable and easier to review, but AI agents can make nondeterministic decisions and request access dynamically. That means static assumptions about scope, timing, and approval are too weak, and teams can miss the real exposure created by the full identity chain.

Q: How can organisations detect living-off-the-land attacks against AI identities?

A: Focus on behavioural anomalies rather than tool signatures alone. Build baselines for normal agent destinations, frequency, and write activity, then alert when an AI-associated NHI starts moving laterally, accessing unusual systems, or producing activity that does not match its declared purpose.


Technical breakdown

How multi-NHI AI agents expand the access graph

The article describes AI agents as consumers of several NHIs rather than one. A chatbot may rely on OAuth apps, API keys, and webhooks, while a computer agent can use user service accounts, local passwords, and session tokens. That matters because the agent’s effective privilege is the sum of all identities and permissions in its chain, not the scope of any one credential. Traditional inventory methods that examine identities in isolation can miss the compound access path that the agent can exercise across platforms.

Practical implication: model AI access as an aggregate entitlement graph, not a list of standalone credentials.

Sensitive permissions sprawl in agentic workflows

The article argues that autonomous AI agents are likely to inherit permissions that were previously reserved for a small number of administrators or service accounts. That creates a wider sensitive-permissions perimeter because access is no longer tied only to human operator roles. The governance issue is not just that permissions increase, but that the boundary between ordinary automation and high-risk administrative access becomes less visible. In practice, teams need to know where write, admin, and cross-system actions are being delegated into agent workflows.

Practical implication: review every AI workflow that touches administrative actions and classify it as high-risk access.
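
The aggregate entitlement graph and the high-risk classification described in the two subsections above can be sketched as follows. This is an added example, not code from the Astrix article or from NHI Mgmt Group; the record fields, the "<resource>:<verb>" scope format, and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: scope strings look like "<resource>:<verb>"; these verbs mark
# delegated write or administrative access.
HIGH_RISK_VERBS = {"write", "admin", "delete"}

@dataclass
class NHI:
    name: str
    kind: str          # "oauth_app", "api_key", "service_account", "webhook", ...
    system: str        # platform the identity authenticates to
    scopes: set        # permissions granted to this one identity
    owner: str = ""    # named human owner; empty means nobody can vouch for it

@dataclass
class Agent:
    name: str
    identities: list = field(default_factory=list)

def effective_access(agent):
    """Union of every (system, scope) pair reachable through any linked NHI."""
    return {(i.system, s) for i in agent.identities for s in i.scopes}

def assess(agent):
    """Governance record for the whole chain rather than for one credential."""
    access = effective_access(agent)
    systems = sorted({system for system, _ in access})
    risky = sorted(a for a in access if a[1].rsplit(":", 1)[-1] in HIGH_RISK_VERBS)
    unowned = sorted(i.name for i in agent.identities if not i.owner)
    return {
        "agent": agent.name,
        "systems": systems,
        "high_risk_grants": risky,
        "unowned": unowned,
        # Rule used here: write, administer, or cross systems => high-risk.
        "high_risk": bool(risky) or len(systems) > 1,
        # One unmanaged link leaves the whole chain unmanaged.
        "governed": not unowned,
    }

# Constructed sample inventory; every name below is hypothetical.
SUPPORT_BOT = Agent("support-chatbot", [
    NHI("crm-oauth-app", "oauth_app", "crm", {"tickets:read", "tickets:write"}, "alice"),
    NHI("kb-api-key", "api_key", "wiki", {"pages:read"}, "alice"),
    NHI("alerts-webhook", "webhook", "chat", {"messages:write"}),
])
```

Calling assess(SUPPORT_BOT) reports three systems, two write grants, and one unowned webhook, so the agent is high-risk and ungoverned even though two of its three identities look clean when reviewed in isolation.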

Living off the land through AI-associated NHIs

The article highlights a living-off-the-land pattern where attackers exploit legitimate identities rather than bringing obvious malware tooling. If an AI-associated NHI is compromised, an attacker can blend into normal agent traffic, reuse existing permissions, and move laterally while appearing to behave like the system itself. That creates a detection problem as much as an access problem, because high-frequency agent activity can mask abuse. The technical lesson is that identity context, behaviour baselines, and log fidelity become the primary defensive signals.

Practical implication: build detections around abnormal agent behaviour, not only around known-bad tools or signatures.
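
A behavioural baseline of the kind described above, covering destinations, call frequency, and write activity, can be sketched as follows. This is an added example, not code from the Astrix article; the event fields (nhi, hour, dest, action), the slack multiplier, and the sample events are assumptions.

```python
from collections import Counter

def hourly(events):
    """Count calls and writes per (nhi, hour) bucket."""
    calls, writes = Counter(), Counter()
    for e in events:
        key = (e["nhi"], e["hour"])
        calls[key] += 1
        writes[key] += int(e["action"] == "write")
    return calls, writes

def build_baseline(events):
    """Per identity: destinations seen plus peak hourly call and write counts."""
    calls, writes = hourly(events)
    base = {}
    for e in events:
        b = base.setdefault(e["nhi"], {"dests": set(), "max_calls": 0, "max_writes": 0})
        key = (e["nhi"], e["hour"])
        b["dests"].add(e["dest"])
        b["max_calls"] = max(b["max_calls"], calls[key])
        b["max_writes"] = max(b["max_writes"], writes[key])
    return base

def detect(baseline, events, slack=2.0):
    """Return sorted (nhi, hour, reason) alerts for one observation window."""
    alerts = set()
    for e in events:
        if e["nhi"] not in baseline:
            alerts.add((e["nhi"], e["hour"], "unbaselined-identity"))
        elif e["dest"] not in baseline[e["nhi"]]["dests"]:
            alerts.add((e["nhi"], e["hour"], "new-destination:" + e["dest"]))
    calls, writes = hourly([e for e in events if e["nhi"] in baseline])
    for (nhi, hour), n in calls.items():
        b = baseline[nhi]
        if n > slack * b["max_calls"]:
            alerts.add((nhi, hour, "call-volume"))
        if writes[(nhi, hour)] > slack * max(b["max_writes"], 1):
            alerts.add((nhi, hour, "write-volume"))
    return sorted(alerts)

def ev(nhi, hour, dest, action="read"):
    return {"nhi": nhi, "hour": hour, "dest": dest, "action": action}

# Assumption: event field names and identity names are hypothetical.
# Constructed sample events, not real logs: baseline period, then one window.
BASELINE_EVENTS = [ev("rag-svc", h, "vector-db") for h in (9, 9, 9, 10, 10)]
BASELINE_EVENTS.append(ev("rag-svc", 10, "wiki"))
WINDOW = [ev("rag-svc", 3, "vector-db")] * 2 + [ev("rag-svc", 3, "hr-db", "write")] * 3
WINDOW.append(ev("batch-key", 3, "hr-db"))
```

In the sample window the total call count stays under the volume threshold, yet the identity is still flagged for a destination and a write rate it never showed in the baseline, which is the case a volume-only or signature-only rule would miss.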


Threat narrative

Attacker objective: Hide inside legitimate AI-driven identity activity long enough to expand access, move laterally, and sustain undetected malicious operations.

  1. Entry occurs when an attacker compromises or abuses an AI-associated NHI such as an API key, OAuth application, or service account used by an agent. Credential access is especially dangerous because the article shows these identities often sit behind legitimate workflows and can look routine.
  2. Escalation happens when the attacker reuses the agent's combined permissions to operate across multiple platforms, making the activity resemble normal AI behaviour while expanding reach into adjacent systems.
  3. Impact follows through sustained access, lateral movement, and prolonged dwell time, allowing the attacker to gather sensitive information and execute malicious actions while remaining hidden in background agent traffic.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agents turn NHI governance from a credential problem into an identity-graph problem. The article shows that an agent may depend on many NHIs across SaaS, cloud, email, and database systems, which means security teams can no longer assess exposure by looking at a single secret or token in isolation. The access decision must be made against the full chain of delegated identities, because that is where the real blast radius lives. Practitioners should treat agent access as a composite entitlement structure, not a point credential.

Living-off-the-land abuse becomes more plausible when AI traffic is treated as normal background noise. The article’s threat model is not about exotic malware, but about attackers hiding inside legitimate agent activity and reusing already-authorized identities. That shifts the governance burden toward behavioural detection, ownership clarity, and traceability across each identity used by the agent. Security teams should assume that high-frequency machine behaviour can mask compromise unless the programme is designed to separate routine agent actions from anomalous ones.

Ownership clarity is the control gap this pattern exposes. The article shows that employees can create agents and grant broad access without strong identity-management expertise, leaving multiple NHIs with unclear association to a single agent. That means the real failure is not only excess privilege, but also uncertain accountability across creation, approval, and retirement. Practitioners should treat unclear ownership as a governance defect in its own right, because offboarding and recertification fail when no one can prove who owns the agent’s access footprint.

Multi-NHI sprawl is becoming the new baseline for agentic environments. The article’s 1:40 human-to-NHI ratio and projected growth path show that AI adoption can sharply inflate machine identity volume. That changes how programmes measure maturity, because visibility, inventory, and decommissioning must scale faster than the agent fleet itself. The implication is that identity teams need to plan for a world where per-identity governance is no longer operationally sufficient without automated lifecycle controls.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • That is why teams should pair inventory discipline with the 52 NHI Breaches Analysis when they need failure-pattern context and root-cause examples.

What this signals

Multi-NHI sprawl will force identity teams to move from account-centric control to graph-centric governance. The practical shift is from asking whether a secret exists to asking whether the full chain of identities behind an agent is visible, owned, and revocable. With only 5.7% of organisations reporting full visibility into service accounts, the default posture is still far from ready for agentic access expansion.

The next maturity jump is not just more logging. Teams need lifecycle telemetry that ties each agent to a named owner, a usage window, and a revocation path, or the review process will continue to certify identities that no one can confidently explain.

Identity blast radius: the effective scope of damage created by the full set of identities an AI agent can invoke, not by any single credential. As agent adoption grows, blast-radius management will matter more than isolated secret controls, especially where access crosses SaaS, cloud, and data platforms.


For practitioners

  • Inventory every identity attached to each AI agent: Map each agent to its OAuth apps, API keys, service accounts, session tokens, and webhooks so the full access chain is visible in one record.
  • Separate administrative access from routine agent access: Classify any agent that can write, administer, or cross systems as high-risk and subject it to stronger approvals, logging, and review than ordinary automation.
  • Tie agent creation to explicit ownership and offboarding: Require a named owner, expected usage timeframe, and decommission trigger for every AI-related NHI so the identity can be revoked when the task ends.
  • Baseline normal agent behaviour and alert on deviation: Use behavioural baselines for AI-associated NHIs and alert when access patterns, volume, or destination systems diverge from established norms.
  • Reduce standing sensitive permissions in agent workflows: Restrict write and administrative privileges to the smallest task-scoped set possible and avoid granting broad platform access by default.

Key takeaways

  • AI agents do not just consume NHIs, they aggregate them into broader access structures that are harder to govern one credential at a time.
  • The biggest risk is not only more identities, but unclear ownership, hidden privilege, and malicious behaviour that blends into normal agent traffic.
  • Programmes that cannot inventory, baseline, and offboard agent-linked identities will struggle to control the access footprint those agents create.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent-linked identities and secrets sprawl sit squarely in NHI inventory and governance. |
| NIST CSF 2.0 | PR.AA-01 | Identity management and access control are central to governing AI-associated NHIs. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The article's least-privilege and continuous verification themes align with zero trust access control. |

Apply identity governance to AI agents as a managed access pathway with monitored entitlements.


Key terms

  • AI-associated NHI: A non-human identity used by an AI system to access tools, data, or services. In practice this can include OAuth apps, API keys, service accounts, tokens, and webhooks. The security challenge is that the agent may combine several identities into one effective access path.
  • Multi-NHI agent: An AI agent that depends on multiple non-human identities to complete its tasks. The risk is not any one credential in isolation, but the combined privilege, ownership ambiguity, and lifecycle complexity created when several identities are chained together for one runtime.
  • Living off the land: An attack pattern where an adversary uses legitimate identities, tools, and permissions already present in the environment. For AI-linked identities, this can make malicious activity look like ordinary agent behaviour, which raises the importance of behavioural baselines and traceable ownership.

What's in the full article

Astrix Security's full article covers the operational detail this post intentionally leaves for the source:

  • Category-by-category breakdown of AI systems and the specific NHIs they use across chatbots, RAG, cloud models, and browser agents
  • Operational examples of provisioning, visibility, and posture controls for AI-linked NHIs in enterprise environments
  • The article's discussion of living-off-the-land attack paths and why they are difficult to distinguish from normal agent behaviour
  • Practical recommendations for baselining, monitoring, and automated response around AI-associated identities

Deepen your knowledge

AI agent identity risk and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for multi-identity agent workflows, it is worth exploring.