By NHI Mgmt Group Editorial Team | Published 2026-05-27 | Domain: Agentic AI & NHIs | Source: Aizome

TL;DR: Employee-built agents are already operating inside enterprises with broad access, unclear ownership, and little oversight, and Aizome argues that BYOA creates a governance gap larger than the earlier BYOD problem. The issue is not just more automation but a control model built for static devices facing runtime-adapting actors that reason and act independently.


At a glance

What this is: An analysis of bring your own agents (BYOA), showing that employee-built AI agents are already creating shadow AI exposure across enterprise systems.

Why it matters: IAM, IGA, PAM, and NHI teams will not close the gap with device-era controls or static policy alone.



Context

Bring your own agents, or BYOA, is the pattern where employees create and deploy AI agents outside central security review. These agents connect to ERP, CRM, service desk, cloud storage, external APIs, and other systems, so the primary problem is not AI novelty but uncontrolled identity and access expansion across enterprise workflows.

The governance gap is larger than the old BYOD problem because an agent is not a passive endpoint. It can act autonomously, shift its access pattern by task, and leave an audit trail that is harder to interpret than a device log. That is why existing IAM, NHI governance, and acceptable-use models struggle to keep up.


Key questions

Q: How should security teams govern employee-built AI agents without blocking adoption?

A: Treat employee-built agents as governed identities, not informal productivity tools. Start with automatic discovery, named ownership, and a recorded business purpose, then layer runtime monitoring on top of static entitlements. The goal is not to stop adoption, but to make every agent visible, attributable, and bounded before it can reach sensitive systems.

Q: Why do AI agents create more risk than traditional automation workflows?

A: AI agents create more risk because their access and actions can change at runtime, rather than following a fixed script. That means the security team must govern intent, delegation, and tool use, not just credentials. Traditional automation usually has a stable path; agent behaviour can widen the blast radius as conditions change.

Q: What breaks when agents are reviewed only through entitlement lists?

A: Entitlement-only review misses inherited trust, scope drift, and cross-system reach. An agent may look properly scoped on paper while its real execution path expands through upstream workflows, external APIs, or downstream systems. Governance has to inspect behaviour and delegation, not just the direct account permissions.

Q: Who should be accountable when an employee-built agent causes a security incident?

A: Accountability should sit with the human owner who approved the use case, the system owner that exposed the data or action path, and the security function that defined the control standard. Without a clear ownership chain, the organisation cannot assign containment, review, or remediation responsibilities after the incident.


Technical breakdown

Why BYOA behaves like shadow AI identity sprawl

BYOA creates a population of agents that are deployed by business users, not security teams, and that often never enter inventory or review processes. Each agent has an identity, upstream data sources, downstream tools, and a human owner, but those pieces are usually assembled informally. The result is not just shadow IT, but shadow AI identity sprawl: access paths appear faster than governance can classify them. That matters because every untracked agent becomes a standing trust relationship with enterprise data and systems.

Practical implication: security teams need continuous discovery for agents, not self-registration or periodic spreadsheets.

Why static policy fails for autonomous agents

Static policy works when behavior is stable enough to describe at provisioning time. BYOA agents break that assumption because their access can change with the workflow, the prompt, the tool chain, and the context of execution. A policy may say the agent can read one dataset, but runtime behavior may expand into correlated systems, APIs, and follow-on actions. That makes permission checks necessary but insufficient, because the risk lives in how the agent behaves after access is granted.

Practical implication: teams should pair permission controls with runtime behavioural baselines and action-level enforcement.
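One way to pair a runtime behavioural baseline with action-level enforcement, shown as an added example that is not code from Aizome or NHI Mgmt Group. The agent names, the declaration fields (systems, write_systems) and the log tuples are constructed assumptions.

```python
from collections import defaultdict

# Constructed declaration record (hypothetical field names): the approved
# data boundary and the systems where writes were signed off.
DECLARED = {
    "agent:invoice-bot": {"systems": {"erp", "storage"},
                          "write_systems": {"storage"}},
}
# Constructed history of (agent, system, action) taken from past execution logs.
HISTORY = [
    ("agent:invoice-bot", "erp", "read"),
    ("agent:invoice-bot", "erp", "read"),
    ("agent:invoice-bot", "storage", "write"),
]

def build_baseline(history):
    """Record which (system, action) pairs each agent normally performs."""
    baseline = defaultdict(set)
    for agent, system, action in history:
        baseline[agent].add((system, action))
    return baseline

def evaluate(event, declared, baseline):
    """Return (decision, reason) for one attempted action at runtime."""
    agent, system, action = event
    decl = declared.get(agent)
    if decl is None:
        return "deny", "no declared owner, purpose or boundary on record"
    if system not in decl["systems"]:
        return "deny", "system is outside the approved data boundary"
    if action != "read" and system not in decl["write_systems"]:
        return "deny", "write-type action not approved for this system"
    if (system, action) not in baseline.get(agent, set()):
        return "alert", "inside the boundary but outside the observed baseline"
    return "allow", "matches declared boundary and baseline"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in [("agent:invoice-bot", "erp", "read"),
               ("agent:invoice-bot", "storage", "read"),
               ("agent:invoice-bot", "erp", "write"),
               ("agent:invoice-bot", "crm", "read"),
               ("agent:unlisted", "erp", "read")]:
        print(ev, "->", evaluate(ev, DECLARED, baseline))
```

The "alert" outcome is the case a static entitlement list cannot see: the action is permitted on paper but is new behaviour for that agent.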

The inherited trust problem in agent chains

One of the most important BYOA failure modes is inherited trust, where an agent operates within its own permissions but receives effective authority from upstream agents or human workflows. In that chain, the individual entitlement set may look reasonable while the combined execution path is not. This is why agent governance cannot stop at named owner and approved credentials. The real question is whether the delegation chain expands the agent's practical reach beyond what any single review would show.

Practical implication: map agent-to-agent and human-to-agent delegation paths before treating access as approved.
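A sketch of that mapping, added here as an example and not taken from Aizome's article: it computes each principal's effective reach by propagating entitlements along delegation edges until nothing changes, then reports what exceeds the direct entitlement set. The principals, entitlement strings and edge format are constructed assumptions.

```python
# Constructed sample data; every principal and entitlement name is hypothetical.
DIRECT = {
    "human:fin-analyst": {"erp:read", "erp:write", "crm:read"},
    "agent:invoice-bot": {"erp:read"},
    "agent:summary-bot": {"storage:read"},
    "agent:notify-bot": {"mail:send"},
}
# (upstream, downstream, entitlements the upstream lets the downstream act with)
DELEGATIONS = [
    ("human:fin-analyst", "agent:invoice-bot", {"erp:write"}),
    ("agent:invoice-bot", "agent:summary-bot", {"erp:read", "erp:write"}),
    ("agent:summary-bot", "agent:notify-bot", {"storage:read"}),
    ("agent:notify-bot", "agent:summary-bot", {"mail:send"}),  # cycle in the chain
]

def effective_reach(direct, delegations):
    """Fixed point: direct entitlements plus whatever flows down each edge."""
    reach = {p: set(e) for p, e in direct.items()}
    changed = True
    while changed:  # terminates: sets only grow and the entitlement universe is finite
        changed = False
        for up, down, passed in delegations:
            # An upstream can only hand down what it effectively holds itself.
            gained = (reach.get(up, set()) & passed) - reach.setdefault(down, set())
            if gained:
                reach[down] |= gained
                changed = True
    return reach

def inherited_trust_findings(direct, delegations):
    """Entitlements a principal can exercise that its own record does not show."""
    reach = effective_reach(direct, delegations)
    findings = {}
    for principal, effective in reach.items():
        extra = effective - direct.get(principal, set())
        if extra:
            findings[principal] = sorted(extra)
    return findings

if __name__ == "__main__":
    for principal, extra in inherited_trust_findings(DIRECT, DELEGATIONS).items():
        print(f"{principal}: inherited {extra}")
```

In this constructed data, agent:summary-bot is recorded with storage:read only, yet it effectively holds ERP read and write plus mail send, a combination no single entitlement review would surface.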


Threat narrative

Attacker objective: Gain unaudited functional access to enterprise data and systems through an agent that looks like productivity tooling rather than a governed identity.

  1. Entry occurs when an employee creates an agent that connects to internal systems without security review, inventory entry, or documented ownership.
  2. Escalation occurs when the agent's workflow expands into additional data sources, APIs, and downstream systems beyond the original task scope.
  3. Impact occurs when the agent's broad runtime access enables unaudited data movement, operational mistakes, or unintended action across business systems.



NHI Mgmt Group analysis

BYOA is not a tooling problem. It is a governance model failure. Security teams are treating employee-built agents as if they were just another automation layer, but the article shows that the real issue is uncontrolled identity creation at the edge of the business. When a finance, sales, or IT team can stand up an agent with enterprise access in an afternoon, central governance has already lost the first decision point. The practical conclusion is that agent governance must begin at creation, not at audit.

Static policy was designed for stable permissions, not adaptive execution. That assumption fails when the actor is an AI agent because access paths change with each task, tool call, and runtime context. The implication is not just better policy, but a rethink of how authority is expressed for agents that can reason and act outside predefined human pacing.

Identity blast radius is the right concept for BYOA. The article's strongest contribution is showing that the risk is not a single compromised agent, but the widening functional reach created by broad read access, broad write access, and inherited trust across multiple systems. Once that blast radius exists, the question becomes whether the organisation can even prove where the agent acted. Practitioners should treat agent blast radius as a first-class governance object.

The inherited trust failure mode is more dangerous than simple over-privilege. The article highlights that an agent can appear correctly scoped while still inheriting authority from upstream workflows or other agents. That means review processes focused only on the direct entitlement set will miss the true exposure. The practitioner lesson is that delegation chains, not just entitlements, are what need governance.

BYOA makes NHI governance a business-unit problem, not just a security-team problem. When agents are built in departments to solve local work, the control plane has to span ownership, accountability, and runtime oversight across the whole organisation. That is a lifecycle issue as much as an access issue. The field should expect agent governance to merge with NHI lifecycle discipline faster than most programmes are ready for.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
  • That confidence gap reinforces why lifecycle-aware discovery matters, and why practitioners should also review Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for operational controls.

What this signals

Shadow AI agent governance will become a visibility problem before it becomes a policy problem. The first indicator of maturity is not an elegant framework but the ability to find agents that are already in use. With 1.5 out of 10 organisations highly confident in securing NHIs according to our research, the gap is already wide enough to expect untracked agent populations in most enterprises.

Identity programmes need a control model that covers creation, delegation, and runtime drift together. BYOA will keep exposing the limits of perimeter thinking because the real risk is not just access, but how access expands after deployment. Practitioners should align agent governance with the Ultimate Guide to NHIs and with runtime policy concepts from the OWASP Top 10 for Agentic Applications 2026.


For practitioners

  • Inventory every employee-built agent automatically: Discover agents through connected systems, execution logs, and identity telemetry rather than waiting for teams to self-report them. Require a named owner, a business purpose, and a system-of-record entry before the agent is treated as approved.
  • Map delegation chains before granting operational trust: Trace how an agent receives data, tools, and authority from humans or other agents, then identify where inherited trust expands the effective access path. Review the chain end to end, not just the direct credential or service account.
  • Set behavioural baselines for runtime review: Record what each agent normally accesses, which tools it invokes, and which workflows it executes, then alert when those patterns change. A static entitlement list will miss scope creep after deployment.
  • Enforce intent-layer controls for sensitive actions: Validate high-risk agent actions at runtime against the declared task and approved data boundary, especially where write access, external API calls, or cross-system updates are involved. Do not rely on initial permission checks alone.

Key takeaways

  • BYOA turns employee-built agents into identities that must be governed, and unmanaged identity creation is the core security failure.
  • The exposure is not theoretical: visibility gaps, inherited trust, and runtime scope drift make agent risk hard to detect with static controls.
  • Practitioners need automatic discovery, delegation mapping, and runtime enforcement if they want agent adoption without losing control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | (none given) | The article centers on agent autonomy, tool use, and runtime scope drift.
OWASP Non-Human Identity Top 10 | NHI-03 | BYOA exposes unmanaged non-human identities and weak lifecycle control.
NIST CSF 2.0 | PR.AA-1 | Identity and access management must cover agent identity creation and authority.

Apply agentic controls to discover agents, constrain tools, and monitor runtime behaviour.


Key terms

  • Bring Your Own Agents (BYOA): A pattern where employees build and deploy AI agents outside central security review. These agents often connect directly to enterprise systems, creating identity, access, and accountability issues that look like shadow IT but behave more like shadow AI.
  • Shadow AI: AI systems or agents operating in an environment without formal approval, inventory, or oversight. In practice, shadow AI creates hidden data access paths, unclear ownership, and governance blind spots that security teams may not detect until the behaviour causes impact.
  • Inherited Trust: Access or authority an agent effectively receives from a surrounding workflow, upstream agent, or human process rather than from its own direct permissions. This can make the agent appear properly scoped while its real operational reach is broader than the entitlement record suggests.
  • Identity Blast Radius: The practical scope of harm an identity can cause if it is misused, compromised, or overextended. For agents, blast radius is shaped not only by permissions but by delegated workflows, connected systems, and the ability to act repeatedly without immediate human review.


This post draws on content published by Aizome: Meet BYOA, the shadow AI agent problem that makes BYOD look simple.
