By NHI Mgmt Group Editorial Team. Published 2026-06-15. Domain: Agentic AI & NHIs. Source: Netwrix

TL;DR: CIS Controls assume a human actor behind every change, but autonomous AI-operated entities can create, use, and retire accounts, alter baselines, and request access faster than periodic review cycles can track, according to Netwrix. Once identity can act without a stable human operator, change management and accountability assumptions inside the control model stop holding.


At a glance

What this is: This analysis argues that CIS Controls are built on a human-actor assumption that breaks when infrastructure is operated by autonomous AI entities.

Why it matters: It matters because IAM, PAM, and lifecycle teams will need to govern machine-speed account creation, access, and change attribution without relying on human review cadences.

Read Netwrix's analysis of CIS Controls in autonomous environments


Context

CIS Controls work because they assume a person can be identified behind each account, change, and access grant. That assumption becomes fragile when an autonomous AI-operated entity can create and retire identities, request access, and modify infrastructure without a stable human operator in the loop.

The governance problem is not just faster automation. It is that access review, account ownership, and configuration baselines all depend on a predictable actor and a stable expected state. When the actor can decide, act, and adapt continuously, the control model has to be judged against identity behaviour rather than human workflow.

For lifecycle and control mapping, the relevant baseline is the NHI lifecycle model in the NHI Lifecycle Management Guide. It is the right reference point for provisioning, rotation, and offboarding discussions that now apply to machine identities and autonomous actors alike.


Key questions

Q: What breaks when CIS Controls are applied to autonomous AI-operated entities?

A: The control model starts to fail when it assumes a stable human principal behind every account, change, and access decision. Autonomous entities can create identities, alter infrastructure, and retire access faster than periodic review cycles can capture, so accountability becomes time-sensitive rather than person-centric.

Q: Why do autonomous systems complicate change management and account control?

A: They complicate both because they can generate legitimate change without a human-style approval path and can make that change faster than traditional governance can observe. That means inventory, ownership, and review all need to operate at the speed of the actor, not the speed of the committee.

Q: What do security teams get wrong about baseline monitoring for autonomous workloads?

A: They often treat the baseline as a fixed known-good state, when autonomous systems may legitimately self-modify as part of their operating model. The better test is whether the change fits declared behaviour and whether the decision path can still be reconstructed after the fact.

Q: Who is accountable when an autonomous corporate actor changes infrastructure or access?

A: Accountability becomes a governance problem, not just a technical one, because the change may be authorized by an automated process rather than a human. Teams need evidence of decision provenance, identity ownership, and execution context so liability and control can still be traced.


Technical breakdown

Account management breaks when identities are generated and retired at machine speed

CIS Control 5 relies on the idea that accounts are bounded, reviewable, and traceable to a human owner. In an autonomous environment, a system can create ephemeral service accounts, use them briefly, and dispose of them before an audit cycle notices. That changes account management from inventory and recertification to real-time governance of identity events. The technical issue is not just volume. It is that the account lifecycle becomes shorter than the control cycle, which makes conventional ownership and approval models lossy.

Practical implication: redefine account ownership and review logic for ephemeral identities, not just long-lived service accounts.

Access control loses meaning when role is not stable at provisioning time

Control 6 assumes access is granted to a role that can be described before execution. Autonomous actors can decide what tools, data, or permissions they need at runtime, then release them after the task is complete. That turns least privilege into a moving target because intent is not fully knowable in advance. Periodic access review also becomes weaker when the access existed only for a short decision window. The problem is not that access control disappears. It is that the timing of authorization no longer matches the timing assumed by role-based governance.

Practical implication: treat runtime authorization as a first-class control requirement for autonomous actors.

Malware and change controls blur when the actor can rewrite its own operating stack

Control 10 depends on a distinction between authorized software and unexpected software. Autonomous systems can deploy new processes, call new tools, or alter their own operational stack in response to changing objectives. That makes the usual baseline logic harder to apply because the baseline is no longer a fixed human-defined state. The operational question becomes whether a change fits the system's declared behaviour pattern, not whether it matches a static image. That is a different control problem from traditional malware detection and patch validation.

Practical implication: use behavioural baselines and change provenance to judge autonomous system modifications.
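As an added illustration of the "account lifecycle shorter than the control cycle" problem described above (example code written for this summary, not code from the article or from Netwrix): it runs a constructed identity event stream against a constructed quarterly recertification cadence, lists the ephemeral accounts that never intersect any snapshot, and builds the event-time provenance record (creator, lifetime) that a periodic review cannot reconstruct afterwards. Account names, actors and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed identity lifecycle events, not taken from the article:
# (account, event, timestamp, actor that performed the event)
EVENTS = [
    ("svc-report",   "create", "2025-11-03T14:00", "alice"),          # long-lived, human-created
    ("svc-report",   "grant",  "2025-11-03T14:05", "alice"),
    ("svc-build-01", "create", "2026-01-10T09:00", "ci-agent"),       # ephemeral, machine-created
    ("svc-build-01", "grant",  "2026-01-10T09:01", "ci-agent"),
    ("svc-build-01", "delete", "2026-01-10T09:20", "ci-agent"),
    ("agent-tmp-7",  "create", "2026-02-14T02:00", "planner-agent"),  # ephemeral, machine-created
    ("agent-tmp-7",  "grant",  "2026-02-14T02:00", "planner-agent"),
    ("agent-tmp-7",  "delete", "2026-02-14T02:40", "planner-agent"),
]
REVIEW_SNAPSHOTS = ["2025-10-01", "2026-01-01", "2026-04-01"]  # constructed quarterly cadence

def lifecycles(events):
    """Collapse the event stream into one record per account: creator, created, deleted."""
    acc = defaultdict(lambda: {"creator": None, "created": None, "deleted": None})
    for name, ev, ts, actor in events:
        when = datetime.fromisoformat(ts)
        if ev == "create":
            acc[name]["creator"], acc[name]["created"] = actor, when
        elif ev == "delete":
            acc[name]["deleted"] = when
    return dict(acc)

def invisible_to_periodic_review(events, snapshots):
    """Accounts created and deleted between two snapshots: no recertification export ever lists them."""
    snaps = [datetime.fromisoformat(s) for s in snapshots]
    missed = []
    for name, rec in lifecycles(events).items():
        if rec["deleted"] is None:
            continue  # still active: the next snapshot will list it
        if not any(rec["created"] <= s <= rec["deleted"] for s in snaps):
            missed.append(name)
    return sorted(missed)

def provenance_records(events):
    """Event-time record per account: who created it and its lifetime in minutes (None while active)."""
    out = {}
    for name, rec in lifecycles(events).items():
        lived = rec["deleted"] - rec["created"] if rec["deleted"] is not None else None
        out[name] = {"creator": rec["creator"],
                     "lifetime_min": int(lived.total_seconds() // 60) if lived is not None else None}
    return out

if __name__ == "__main__":
    print("missed by quarterly review:", invisible_to_periodic_review(EVENTS, REVIEW_SNAPSHOTS))
```

Both machine-created accounts live for well under an hour and fall entirely inside a review quarter, so a snapshot-based inventory never sees them; the provenance records are what an event-driven review would retain instead.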


Threat narrative

Attacker objective: The objective is to persist and act through an identity model that can no longer reliably bind actions to a human principal.

  1. Entry occurs when an autonomous AI-operated entity is provisioned with valid identity and infrastructure privileges that let it act without a human gate on each step.
  2. Escalation happens when the actor creates ephemeral accounts, requests additional access at runtime, and modifies its own toolchain or configuration to pursue an objective.
  3. Impact results when the control environment can no longer attribute changes to a stable human owner, leaving change, access, and liability unresolved.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Human-authored accountability is a control assumption, not a universal law. CIS Controls were built around the premise that a person can be held responsible for accounts, changes, and exceptions. That premise fails when the actor is autonomous because decisions and actions can be generated without a stable human operator behind them. The implication is that control design has to stop pretending all identity behaviour terminates in a person.

Access review cadences are too slow for machine-speed identity behaviour. Quarterly or annual reviews assume privilege persists long enough to be observed, certified, and removed. An autonomous actor can create, use, and discard access inside a much shorter window, which means review becomes a retrospective compliance ritual rather than a live governance control. Practitioners should treat this as an identity timing problem, not just an audit gap.

Runtime governance gap: This is the specific failure mode the article exposes. The gap is not that CIS Controls are absent, but that they presuppose a stable state and a known actor when the system itself can redefine both at runtime. Under OWASP-AGENTIC and NIST-AIRMF, that means governance must be evaluated against decision autonomy, not only against tool access or configuration state.

Behavioural baselines will matter more than static baselines as autonomy increases. The article is right to push practitioners toward expected-state thinking, but autonomous systems make expected state dynamic and self-modifying. That creates a governance problem for ZT-NIST-207 and NIST-CSF alike, because detection, authorisation, and recovery all depend on knowing what normal looks like. Teams need a model that can explain legitimate self-change without dissolving accountability.

Lifecycle governance now spans human, NHI, and autonomous actors in the same programme. The operational questions are converging: who owns the identity, how long should it exist, what can it access, and what evidence proves it was supposed to act. The difference is that autonomous actors can move through those stages faster and with more discretion than service accounts or human users. Practitioners should align lifecycle governance to actor behaviour, not to identity label alone.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why autonomous identity governance needs runtime visibility rather than periodic discovery.
  • The NHI Lifecycle Management Guide shows how to close that visibility gap across provisioning, rotation, and offboarding before autonomous actors outpace review cycles.

What this signals

Runtime identity governance will become a board-level control concern as autonomy spreads. The practical shift is from asking whether an identity exists to asking whether its actions can still be attributed, bounded, and reversed. Teams that can map autonomous behaviour to decision provenance will be better placed to explain risk when controls no longer line up with human review cycles.

The next governance gap is not simply more automation, but more unreviewable automation. Organisations should expect CIS-style baselines to be supplemented by behavioural baselines, especially where autonomous systems can change their own operating state and request access dynamically.

As identity programmes converge, the strongest architecture will be the one that can govern human users, service accounts, and autonomous actors through a common lifecycle model. The NHI Lifecycle Management Guide is the right reference point for that shift, while NIST Cybersecurity Framework 2.0 remains useful for mapping the control outcomes.


For practitioners

  • Map assumptions that depend on a human operator: Identify every CIS-style control that assumes a person created, approved, reviewed, or reversed the action. Then mark the places where an autonomous actor can act without that human checkpoint.
  • Rework account governance for short-lived identities: Track ephemeral accounts, temporary privileges, and machine-created service identities as first-class assets. Review them on event timing, not just on scheduled certification cycles.
  • Shift from static baseline checks to behaviour-based monitoring: Compare observed changes against declared system behaviour over time, including legitimate self-modification. Preserve decision provenance so you can explain why a change was allowed.
  • Tie authorization to execution time: Design policies so access is checked when the action is taken, not only when the identity is provisioned. That matters most when an autonomous actor can request, use, and release privileges in one session.
  • Align lifecycle controls across all actor types: Use the NHI Lifecycle Management Guide to align provisioning, rotation, and offboarding logic across service accounts and autonomous identities, then connect it to your account review process.

Key takeaways

  • CIS Controls assume a human principal behind each change, and that assumption becomes unreliable once autonomous systems can act independently.
  • Machine-speed identity creation, access use, and self-modification can outrun periodic review, making governance timing as important as governance scope.
  • Practitioners should reframe control design around decision provenance, behaviour-based baselines, and lifecycle governance across human, NHI, and autonomous actors.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
OWASP Agentic AI Top 10 | (none listed)       | Autonomous decision-making changes how identity behaviour is governed.
NIST AI RMF             | (none listed)       | AI governance is needed where autonomous actors can alter infrastructure and access.
NIST CSF 2.0            | PR.AC-4             | Access permissions must be reviewed against autonomous runtime behaviour.

Review access timing and ownership against PR.AC-4 and move toward event-based control checks.


Key terms

  • Autonomous identity: An autonomous identity is a software actor that can choose actions, select tools, and decide when to execute without a human approval gate between those steps. In identity governance, that means the subject is not just authenticated or authorised. It is also making runtime decisions that change how access must be controlled and reviewed.
  • Decision provenance: Decision provenance is the evidence trail showing why an identity acted, what data or context it used, and which process authorised the action. For autonomous actors, provenance matters as much as the action itself because accountability depends on reconstructing intent after execution, not merely logging that something happened.
  • Runtime governance gap: A runtime governance gap is the space between a policy that exists on paper and the moment an identity actually acts. It appears when controls assume review, approval, or attribution can happen later, but the actor can create, use, and retire access before that later moment arrives.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Netwrix: When the actor disappears: CIS Controls in a world of non-human corporations. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org