By NHI Mgmt Group Editorial Team
Published 2026-06-04
Domain: Agentic AI & NHIs
Source: Unosecur

TL;DR: AI agents and automation are pushing non-human identities into the centre of enterprise risk, with Unosecur highlighting privilege accumulation, prompt injection, and token theft as the three most dangerous failure modes. The security model that assumed static actors and reviewable privileges no longer fits identities that can expand scope, follow hostile prompts, or leak tokens mid-operation.


At a glance

What this is: This article examines three core AI identity security risks: privilege accumulation, prompt injection, and token theft.

Why it matters: It matters because IAM, NHI, and PAM teams now need controls that address dynamic agent behaviour, not just static credentials and human-centric access reviews.

👉 Read Unosecur's analysis of the three big AI identity security risks


Context

AI identity security is the problem of governing software actors that can hold credentials, call tools, and act on delegated access. The article argues that existing security models were never built for AI agents, service accounts, and API tokens that now sit inside operational workflows and can expand their own access over time.

The governance gap is not only about secrets leakage. It is also about how least privilege, approval, and accountability break down when an AI system can accumulate permissions, be manipulated through prompt injection, or be impersonated through stolen tokens. That makes AI identity security a cross-cutting issue for NHI, IAM, and PAM programmes.


Key questions

Q: How should security teams govern AI agents that hold credentials?

A: Treat them as governed non-human identities with owners, scopes, and lifecycles. Define who can grant access, what tools the agent may use, how long credentials remain valid, and what triggers revocation. Without that structure, agents accumulate privileges faster than access reviews can track them.

Q: Why do AI agents complicate least privilege?

A: Because their access often changes during runtime. An agent may start with narrow rights, then gain new permissions as it encounters obstacles or new tasks. That makes least privilege a moving target unless entitlement growth, token issuance, and tool scope are continuously controlled.

Q: What breaks when prompt injection reaches an AI agent with tools?

A: The boundary between input and action breaks. A malicious prompt can cause the agent to reveal data, call APIs, or follow instructions that the human operator never approved. The risk is greatest when the agent can act on privileged systems without a second control layer.

Q: How do you know if AI token controls are actually working?

A: You should be able to prove that tokens are short-lived, rotated, owner-linked, and quickly revoked after exposure. If tokens still appear in logs, code, prompts, or unused integrations, the control is not working well enough to stop impersonation risk.


Technical breakdown

Privilege accumulation in AI agents

Privilege accumulation happens when an AI agent receives new rights as it takes on new tasks, but old rights are never removed. Unlike a human role change, the agent may keep operating continuously and can even create fresh credentials when blocked. That produces permission sprawl, where access grows across cloud, data, and operational systems without a clean lifecycle boundary. The technical risk is not just excess access. It is that the identity becomes harder to reason about because the permission set changes during runtime rather than at a fixed provisioning point.

Practical implication: map and review AI agent entitlements as living identities, not as one-time provisioning events.

Prompt injection and delegated action abuse

Prompt injection works by feeding an AI system text that changes its behaviour, usually by overriding instructions or causing it to reveal data and act outside its intended purpose. In agentic workflows, the problem becomes identity-related because the model is not just generating text. It is operating with delegated privileges attached to tools, APIs, or data sources. A successful injection can therefore turn a legitimate identity into an unwitting executor of attacker intent. That is why prompt safety and access control must be treated as linked controls, not separate issues.

Practical implication: constrain what an AI agent can do after instruction tampering, not only what it can read.

Token theft and identity impersonation

Token theft remains one of the most direct ways to compromise AI-powered systems because an exposed token is often accepted as proof of identity. If API keys, bearer tokens, or session credentials are logged, hardcoded, or intercepted in transit, an attacker can impersonate the agent or the user it represents. The article correctly frames this as a credential problem, not an AI-only problem. Once a token is valid, downstream systems usually cannot tell whether the requests came from a legitimate workflow or a stolen identity.

Practical implication: reduce token lifespan, remove hardcoded secrets, and treat every exposed credential as a full identity compromise.
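The two practical implications above (constrain what the agent can execute after instruction tampering, and keep tokens short-lived and revocable) can be enforced in one execution-authority gate that sits between the model and its tools. The following is an added illustration, not code from Unosecur or from the article; the agent name, tool names, scopes and 15-minute TTL are constructed assumptions.

```python
from dataclasses import dataclass
import time

# Constructed policy: what each agent identity may execute, fixed at
# provisioning time and independent of whatever a prompt asks for.
POLICY = {
    "support-agent": {
        "tools": {"ticket.read", "ticket.comment", "kb.search"},
        "scopes": {"tickets:read", "tickets:write"},
        "needs_approval": {"ticket.comment"},  # high-risk action behind an approval gate
    }
}

@dataclass
class Token:
    agent: str
    scopes: set
    issued_at: float
    ttl: int = 900          # short-lived by design (assumed 15 minutes)
    revoked: bool = False   # set on exposure; takes effect on the next call

    def is_valid(self, now=None) -> bool:
        now = time.time() if now is None else now
        return not self.revoked and now < self.issued_at + self.ttl

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(agent, tool, scope, token, approved=False, now=None) -> Decision:
    """Gate a tool call requested by the model. The request is only an input;
    the identity's policy and its credential decide whether anything runs."""
    policy = POLICY.get(agent)
    if policy is None:
        return Decision(False, "unknown agent identity")
    if token.agent != agent or not token.is_valid(now):
        return Decision(False, "token invalid, expired or revoked")
    if tool not in policy["tools"]:
        # An injected instruction asking for an unlisted tool stops here.
        return Decision(False, f"tool {tool} not in allowlist")
    if scope not in policy["scopes"] or scope not in token.scopes:
        return Decision(False, f"scope {scope} not granted to identity or token")
    if tool in policy["needs_approval"] and not approved:
        return Decision(False, f"{tool} requires out-of-band approval")
    return Decision(True, "allowed")
```

A denied decision should be logged with the agent identity and the requested tool, since repeated denials for unlisted tools are themselves a signal of instruction tampering.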


Threat narrative

Attacker objective: The attacker wants to turn delegated AI access into unauthorised control, data access, or identity impersonation across connected systems.

  1. Entry occurs when an attacker reaches the AI workflow through a malicious prompt, exposed token, or insecurely stored secret.
  2. Escalation occurs when the AI agent expands its own privileges, follows injected instructions, or reuses valid credentials across connected systems.
  3. Impact occurs when the attacker gains impersonation, data exposure, or destructive action through the agent's delegated access.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI identity security is now a governance problem, not just an application risk. Once AI agents hold credentials and act on behalf of users or services, the issue moves from model behaviour into IAM, PAM, and lifecycle control. The article is right to group privilege accumulation, prompt injection, and token theft because they all exploit the same weakness: identity decisions made for software that behaves more like an actor than a script. Practitioners should treat AI access as governed identity, not experimental automation.

Privilege accumulation is the clearest example of AI-driven identity drift. The article describes a pattern that looks like human privilege creep but moves faster because agents work continuously and can request or generate new access when blocked. That is a named failure mode in NHI governance: permission sprawl without lifecycle offboarding. The implication is that access review cadences built for stable identities will lag behind agent behaviour unless entitlement growth is controlled as a runtime event.

Prompt injection collapses the boundary between instruction and authorisation. The article shows that a malicious prompt can turn a legitimate agent into an attacker-controlled workflow. That means the governance assumption that the identity only acts on trusted intent no longer holds. The practical conclusion for the field is that agentic systems need explicit separation between what the model can be told and what the identity is allowed to execute.

Token theft remains the most familiar risk, but the blast radius is wider in AI systems. A stolen key is not just a secret leak. It is a live impersonation path into the systems the agent can reach, often without any visible model interaction at all. This reinforces why NHI governance must include storage, transport, revocation, and ownership of tokens that power AI workflows. Practitioners should align AI identity controls with established NHI lifecycle discipline.

Named concept: identity permission sprawl. This article describes how AI agents can accumulate, generate, and retain access across tasks until nobody can reconstruct the true entitlement set. That is broader than privilege creep because the identity may also create new credentials mid-flow. The field should recognise this as a governance boundary problem, not a tuning issue. Practitioners need a way to account for the full access footprint of the agent at any point in time.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many teams still cannot see the identities they are expected to govern.
  • That visibility gap points to the next control question in 52 NHI Breaches Analysis, where incident patterns show how hidden identities turn into breach paths.

What this signals

Identity permission sprawl: AI programmes should expect access to expand unless they actively constrain entitlement growth, credential issuance, and tool scope. If your inventory cannot answer who owns each agent and what it can reach today, your governance model is already behind the runtime reality.

The practical next step is to align AI workflows with NHI lifecycle discipline and Zero Trust access boundaries, using established patterns such as Ultimate Guide to NHIs and the OWASP Top 10 for Agentic Applications 2026. The programme signal to watch is whether access can be proven, revoked, and reissued without relying on human memory or manual cleanup.

If token theft, prompt injection, and privilege accumulation are all on the table, AI identity must be managed as a combined governance surface, not a set of disconnected security tasks. Teams that separate secrets management, IAM, and AI operations will miss the cross-control failure mode that attackers exploit.


For practitioners

  • Inventory AI identities as first-class subjects: Create a registry of agents, API keys, tokens, and service accounts tied to AI workflows. Record owners, systems reached, credential types, and revocation paths so each identity has an accountable lifecycle.
  • Separate model prompts from execution authority: Limit what an agent can be asked to do and independently cap what it can execute. Use tool allowlists, scope filters, and approval gates for high-risk actions even when the prompt appears legitimate.
  • Eliminate long-lived and hardcoded secrets: Replace embedded API keys and static credentials with short-lived tokens, vault-backed issuance, and automated rotation. Treat logs, prompts, and outputs as possible secret exposure paths.
  • Monitor entitlement growth as a drift signal: Track when agent permissions expand across projects, retries, or fallback behaviour. Alert on new rights, new token creation, or access that outlives the original task window.
  • Build revocation into AI offboarding: When an agent, workflow, or integration is retired, revoke its tokens, certificates, and delegated scopes immediately. Offboarding should remove the agent's ability to act, not just hide it from inventory.
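The drift-monitoring item above (alert on new rights, new token creation, or access that outlives the task window) can be run over an entitlement event stream. This added example is not the article's or Unosecur's code; the agent name, rights, baseline, event log and five-minute grace period are constructed assumptions.

```python
# Constructed entitlement-event log for one agent. Timestamps are seconds.
EVENTS = [
    {"t": 0,    "agent": "data-agent", "kind": "task_start", "task": "T1"},
    {"t": 5,    "agent": "data-agent", "kind": "grant", "right": "s3:GetObject"},
    {"t": 60,   "agent": "data-agent", "kind": "grant", "right": "s3:PutObject"},   # gained on a retry
    {"t": 70,   "agent": "data-agent", "kind": "token_create", "token": "tok-2"},    # agent-issued credential
    {"t": 120,  "agent": "data-agent", "kind": "task_end", "task": "T1"},
    {"t": 3600, "agent": "data-agent", "kind": "access", "right": "s3:PutObject"},  # long after task ended
]

# Rights the identity was provisioned with; anything beyond this is drift.
BASELINE = {"data-agent": {"s3:GetObject"}}

def detect_drift(events, baseline, grace=300):
    """Replay events in time order and return (alerts, current_rights).

    Alerts cover: a right granted beyond the baseline, a credential created by
    the agent itself, and access used after the task window closed plus grace."""
    alerts = []
    rights = {agent: set(r) for agent, r in baseline.items()}
    task_end = {}
    for e in sorted(events, key=lambda e: e["t"]):
        agent = e["agent"]
        held = rights.setdefault(agent, set())
        if e["kind"] == "grant":
            if e["right"] not in baseline.get(agent, set()):
                alerts.append((e["t"], agent, f"new right beyond baseline: {e['right']}"))
            held.add(e["right"])   # old rights are never removed: sprawl accumulates here
        elif e["kind"] == "token_create":
            alerts.append((e["t"], agent, f"agent-created credential: {e['token']}"))
        elif e["kind"] == "task_start":
            task_end.pop(agent, None)
        elif e["kind"] == "task_end":
            task_end[agent] = e["t"]
        elif e["kind"] == "access":
            if agent in task_end and e["t"] > task_end[agent] + grace:
                alerts.append((e["t"], agent, f"access outlives task window: {e['right']}"))
    return alerts, rights

def footprint(rights, agent):
    """The agent's full entitlement set at this point in time, for reviewers."""
    return sorted(rights.get(agent, set()))
```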

Key takeaways

  • AI agents create identity risk because they can accumulate access, act on hostile prompts, and be impersonated through stolen tokens.
  • The scale problem is governance, not just technology, because dynamic behaviour makes static access review and credential assumptions unreliable.
  • Practitioners should govern AI identities with the same lifecycle discipline used for other high-risk NHIs, while adding runtime controls for instruction abuse and token exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | (none listed) | Agent prompt abuse and tool misuse map directly to agentic AI threat modelling.
OWASP Non-Human Identity Top 10 | NHI-03 | Privilege accumulation and token theft are core NHI lifecycle and secret risks.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege access and continuous verification are central to limiting agent blast radius.

Track AI credentials as NHI assets and enforce rotation, revocation, and ownership.


Key terms

  • Privilege Accumulation: Privilege accumulation is the gradual expansion of access rights over time until an identity holds more capability than its original task requires. For AI agents, this often happens during repeated task changes, fallback behaviour, or ad hoc permission grants, making entitlement drift harder to spot than in human accounts.
  • Prompt Injection: Prompt injection is an attack that uses crafted input to change how an AI system behaves. In agentic environments, the problem becomes more serious because the model may not just generate text, but also trigger tool actions, access data, or execute workflows under delegated identity.
  • Token Theft: Token theft is the compromise of API keys, bearer tokens, or other secrets that prove an identity to a system. When those credentials belong to an AI workflow, the attacker can impersonate the agent or the user it represents and bypass normal authentication controls.
  • Identity Permission Sprawl: Identity permission sprawl is the condition where an AI identity keeps gaining permissions, tokens, or adjacent accounts until the true access footprint becomes unclear. It is a governance failure as much as a security issue, because the organisation loses a reliable boundary around what the identity can do.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • A deeper walkthrough of how privilege accumulation shows up in AI DevOps, support, and data workflows.
  • Examples of prompt injection paths that can push an agent to reveal data or misuse connected tools.
  • Practical token theft scenarios involving logs, prompts, hardcoded keys, and intercepted API traffic.
  • FAQ guidance on orphaned agents, static credentials, and automated authentication workflows.

👉 Unosecur's full post expands the threat patterns behind privilege accumulation, prompt injection, and token theft.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org