By NHI Mgmt Group Editorial TeamPublished 2026-02-05Domain: CybersecuritySource: Knostic

TL;DR: AI coding agents are moving beyond developer workflows into broader knowledge work, with MCP servers, IDE extensions, and skill configurations creating new exposure points for command execution, data access, and supply chain dependence, according to Knostic. The governance gap is now less about whether these tools are useful and more about whether organisations can discover, monitor, and contain them before they touch production systems.


At a glance

What this is: Knostic argues that AI coding agents are spreading into everyday work and introducing fragile new control surfaces across MCP servers, IDE extensions, and agent configurations.

Why it matters: That matters because IAM, PAM, and NHI programmes now have to govern tool-using software that can act across code, services, and external systems without waiting for business approval.

👉 Read Knostic's analysis of OpenClaw detection and telemetry for AI coding agents


Context

AI coding agents are becoming part of the enterprise attack surface because they can execute commands, access codebases, and connect to external services. The governance problem is not simply adoption, but unmanaged adoption across endpoints, repositories, and agent integrations where security teams may have little visibility.

In this domain, the identity question is not only who signs in, but what non-human entity is allowed to act, connect, and persist. MCP servers, rule files, and skill configurations behave like control points for agent behaviour, which makes them relevant to both NHI governance and broader application security.

The article frames this as a supply chain and control-plane problem rather than a productivity story, which is the typical starting position for enterprise deployments that move faster than security review.


Key questions

Q: How should security teams govern AI coding agents that can access tools and services?

A: Security teams should treat AI coding agents as governed software entities with explicit tool permissions, lifecycle logging, and named ownership. The key is to control the agent runtime, not just the user session. That means defining approved MCP servers, reviewing IDE extensions, and recording tool use so actions can be reconstructed during investigation.

Q: What breaks when AI agents are deployed without discovery controls?

A: Without discovery controls, organisations cannot tell whether an agent is approved, duplicated, or hiding in an unmanaged endpoint path. That breaks inventory accuracy, policy enforcement, and incident response. It also creates shadow access paths through binaries, configs, and services that security teams may never map into their existing control frameworks.

Q: How do security teams know whether agent telemetry is actually working?

A: Telemetry is working when it captures tool calls, lifecycle events, and message traces in a way that supports investigation and correlation. If logs omit tool execution or are easy to alter, the control has failed. Durable output with redaction and forwarding to monitoring systems is the practical test.

Q: Who should own risk when an AI coding agent is used across teams?

A: Ownership should sit with the team that approves the agent’s deployment and defines its scope, because the risk is created by runtime access and inherited trust. Where agents touch code, secrets, or connected services, ownership should also include IAM, endpoint security, and application security stakeholders.


Technical breakdown

MCP servers and agent extensions create a new control plane

MCP servers and IDE extensions extend an agent’s reach beyond the local model into tools, data sources, and execution contexts. That makes them part of the operational control plane, not just user-facing features. If an agent can invoke commands, read files, or call external services, then the security boundary moves from the model prompt to the tool interface and its policy layer. The practical risk is that seemingly minor configuration files can define high-impact access paths that are hard to inventory and easy to inherit.

Practical implication: Treat MCP definitions and extension permissions as governed assets, not convenience settings.

Agent lifecycle telemetry is the difference between visibility and guesswork

Agent lifecycle telemetry captures what the agent did, which tools it used, and how its actions evolved over time. In practice, this is the closest analogue to a behavioural audit trail for software that can make its own runtime choices. Without that telemetry, security teams may know an agent exists but not whether it accessed sensitive files, escalated through chained tool calls, or interacted with external systems in ways that matter for incident response.

Practical implication: Require durable logs for tool calls, message events, and sensitive-data redaction before allowing agent use in production.

Discovery must cover binaries, configs, and hidden deployment surfaces

Agent discovery is broader than finding a single installed application. The article points to CLI binaries, app bundles, config files, gateway services, and container artifacts across operating systems, which reflects how software agents often spread through multiple deployment paths. This matters because unmanaged installations can bypass approval processes and create shadow control planes that security teams do not map into CMDBs, EDR policies, or access reviews.

Practical implication: Scan endpoints and build systems for agent footprints, not just approved software inventories.


Threat narrative

Attacker objective: The attacker objective is to leverage trusted agent tooling as a pathway into code, data, or connected services while avoiding traditional review gates.

  1. Entry occurs when an AI coding agent is installed through an individual workflow such as an IDE extension, CLI binary, or unapproved configuration path.
  2. Escalation follows when the agent inherits access to code, commands, or external services through MCP definitions, rule files, or skill configurations.
  3. Impact emerges when the agent can modify code, connect to downstream systems, or trigger actions that create supply chain, data loss, or operational disruption risk.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI coding agents are becoming a supply chain governance problem before they become a platform standard. The article shows that adoption is already happening through individual developer and knowledge-worker behaviour, which is exactly how shadow tooling becomes operational. Once these agents can reach code, commands, and external services, security teams need policy at the tool boundary, not just at user sign-in. Practitioner conclusion: inventory and govern agent entry points before usage normalises.

Agent lifecycle telemetry is now a control requirement, not a monitoring luxury. Tool calls, message events, and execution traces create the evidence needed to distinguish benign automation from risky cross-system behaviour. That is especially important when agents interact with MCP servers and other extensions that widen their privilege surface. Practitioner conclusion: if you cannot reconstruct agent actions, you cannot govern them.

Named concept: shadow agent supply chain. This is the expanding set of unapproved binaries, extensions, configs, and service hooks that let AI agents enter the enterprise outside formal review. It is a supply chain issue because the trust relationship is inherited through software components, not granted through an explicit access decision. Practitioner conclusion: map these dependencies into NHI and software governance processes together.

Identity governance now has to account for software entities that behave like users but deploy like tooling. That means the control model has to bridge NHI thinking, endpoint visibility, and application-level policy enforcement. The article’s emphasis on OpenClaw-specific discovery and telemetry shows how quickly agent governance becomes an integration problem across security disciplines. Practitioner conclusion: align IAM, PAM, and application security around the agent runtime, not only the login event.

What this signals

Shadow agent supply chain: security teams should now expect unapproved AI tooling to arrive through developer workflows, browser-integrated assistants, and endpoint-side extensions rather than central procurement. That changes the detection problem from simple software inventory to governance over emergent non-human activity across the estate.

The practical response is to extend NHI-style thinking into the agent runtime, where tool permissions, lifecycle events, and execution traces become the evidence needed for control. For broader context on agentic AI risks, see the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework.

If organisations cannot see which agents are present, what they can invoke, and where their outputs flow, they will not be able to separate productivity gain from supply chain exposure. That is the programme-level signal: agent governance needs asset discovery, policy enforcement, and security telemetry to move together.


For practitioners

  • Inventory all agent entry points Scan managed devices and build environments for CLI binaries, app bundles, gateway services, config files, and container artifacts associated with coding agents and their extensions.
  • Govern MCP and extension permissions Review every MCP server definition, IDE extension, rule file, and skill configuration as a policy object with explicit approval, scope, and ownership.
  • Require behavioural telemetry for agents Collect tool-call logs, message events, and lifecycle traces with sensitive-data redaction and tamper-resistant storage so security teams can investigate agent actions later.
  • Route agent detections into existing security operations Forward JSONL or equivalent agent telemetry into SIEM workflows and incident playbooks so anomalous agent behaviour is visible alongside endpoint and identity alerts.
  • Separate approved from shadow deployments Maintain an authoritative inventory of sanctioned agent deployments and compare it against endpoint scans and repository checks to identify unmanaged use quickly.

Key takeaways

  • AI coding agents are no longer just developer productivity tools. They are becoming governed supply chain components with direct access to code, commands, and external services.
  • The control gap is visibility and containment, not awareness.** Discovery of binaries, configs, extensions, and telemetry is what turns agent use from shadow adoption into manageable risk.
  • Security teams should govern the agent runtime as a non-human identity problem.** Approval, scope, logging, and integration into SIEM and access review workflows are the practical controls that matter.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article centers on agent tool misuse and unmanaged agent deployments.
NIST AI RMFGOVERNGovernance is required for approval, ownership, and accountability of agent deployments.
NIST CSF 2.0PR.AC-4The article concerns access permissions and control of agent tool reach.
NIST SP 800-53 Rev 5AU-2Telemetry and event logging are central to detecting and investigating agent actions.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe threat pattern includes abuse of trusted tooling to reach code and connected services.

Map agent abuse paths to credential access and lateral movement to prioritise detection and containment.


Key terms

  • MCP Server: An MCP server is a tool-connection layer that lets an AI agent reach external data sources and actions through a standard interface. In practice, it becomes part of the trust boundary because policy, permissions, and observability determine what the agent can do once connected.
  • Agent Lifecycle Telemetry: Agent lifecycle telemetry is the record of what an AI agent did, when it did it, and which tools or messages were involved. It is essential for investigation and governance because it turns opaque agent behaviour into evidence that can be reviewed, correlated, and controlled.
  • Shadow Agent: A shadow agent is an AI agent or assistant running in an environment without formal approval, inventory, or oversight. These deployments often appear through personal workflow adoption, which makes them difficult to see until they touch sensitive data or connected systems.
  • Skill Configuration: A skill configuration is a file or settings layer that tells an AI agent how to behave, what tools to use, or what tasks it may perform. Because these configurations can extend privilege and alter execution paths, they should be governed as security-relevant code.

What's in the full article

Knostic's full research covers the operational detail this post intentionally leaves for the source:

  • OpenClaw-specific detection logic for managed devices, including binaries, bundles, gateway services, and Docker artifacts.
  • Telemetry design details for tool calls, lifecycle events, message events, and redaction in JSONL output.
  • Implementation notes for forwarding logs into SIEM workflows and existing response playbooks.
  • Deployment guidance for MDM platforms such as Intune, Jamf, JumpCloud, Kandji, and Workspace ONE.

👉 Knostic's full post covers discovery, telemetry, and deployment detail for OpenClaw environments.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and agentic AI identity. It is designed for practitioners building operating models for identity, access, and control across human and non-human systems.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org