By NHI Mgmt Group Editorial Team | Published 2025-12-03 | Domain: Breaches & Incidents | Source: Astrix Security

TL;DR: Existing IAM assumptions break when agents and their NHIs operate dynamically across enterprise systems. According to the announcement, CIS, Astrix Security, and Cequence Security are developing companion guidance for AI agent and MCP environments that extends the CIS Controls into systems where autonomous decision-making, tool access, and uncontrolled data flows increase risk.


At a glance

What this is: CIS, Astrix Security, and Cequence Security are extending CIS Controls into AI agent and MCP environments to address dynamic tool use, credential exposure, and uncontrolled data flows.

Why it matters: IAM, NHI, and PAM teams need a governance model that treats AI agents and the NHIs behind them as part of the identity perimeter, not just as another workload.

👉 Read Astrix Security's guidance on AI agent and MCP identity risks


Context

AI agent identity governance now spans both the agent and the non-human identities that let it act. The problem is not simply that AI systems are connected to tools, but that they can trigger tool use, API calls, and data movement across systems without the same human-paced checkpoints that IAM programmes usually assume.

MCP environments sharpen that problem because the protocol connects agents to tools and registries in ways that can expand access quickly. When credential exposure, ungoverned local execution, and third-party connections sit in the same control plane, traditional identity controls need to be applied to the whole interaction path, not just the login event.


Key questions

Q: How should security teams govern AI agents that depend on non-human identities?

A: Security teams should govern AI agents and their linked non-human identities as one access path. That means inventorying the agent, the secrets it uses, the systems it can reach, and the business owner responsible for revocation. If the agent can act independently, governance has to cover runtime authority, not just initial provisioning.

Q: Why do MCP environments create new identity governance risk?

A: MCP environments create risk because they connect agents to tools, registries, and data sources through dynamic trust relationships. The governance challenge is that access can expand through tool availability and connection logic, even when the original permission looked narrow. Teams need approval, logging, and review at the tool boundary, not only at authentication.

Q: What do teams get wrong about AI agent access reviews?

A: Teams often review the model or application but miss the linked credentials that make the agent operational. That leaves service accounts, OAuth tokens, and API keys outside the review scope even though they carry the actual privilege. Access review is only useful if it covers the full identity chain, including who can retire it.

Q: How do organisations decide whether AI agent controls are working?

A: Organisations should look for proof that every agent can be discovered, explained, and turned off without manual hunting. If ownership, entitlement scope, and expiry are not visible in the same record, the control is not working. The signal to watch is whether privileged access can be reconciled quickly after the agent changes role or is removed.


Technical breakdown

AI agent lifecycle governance in enterprise identity stacks

AI agent lifecycle governance covers how an agent is discovered, provisioned, granted access, monitored, and retired across its operational life. In practice, the lifecycle is not just the model or the application, but also the NHIs that the agent uses to reach APIs, data stores, and admin tools. That creates a compound identity problem: the agent may be ephemeral while its tokens, service accounts, and OAuth grants persist. Controls have to follow the agent and the linked credentials together, or the lifecycle becomes fragmented across IAM, PAM, and secret management domains.

Practical implication: inventory agent identities and the NHIs attached to them as one governed unit, not as separate assets.

Model context protocol security and tool-mediated access

Model Context Protocol, or MCP, gives AI systems a structured way to reach tools and data sources, but that convenience also creates a new trust boundary. The main risk is not MCP itself, but the combination of tool invocation, local execution, and registry trust that can let an agent move from a permitted request to a wider set of actions than originally intended. In identity terms, MCP shifts authorisation from a static request model to a dynamic interaction model where the path matters as much as the permission. That requires visibility into which tools are available, which are approved, and which data flows are actually occurring.

Practical implication: treat MCP servers, registries, and tool catalogs as governed identity infrastructure with approval, logging, and access review.

Continuous discovery for AI agents and linked NHIs

Continuous discovery matters because AI environments change faster than periodic access review cycles can capture. An agent can appear through a development workflow, inherit credentials, and start making API calls before any governance process has a complete record of its existence. That is why AI agent governance must be paired with NHI discovery and privilege analysis. The operational question is not whether a token exists, but whether the organisation can explain what the agent can do, which systems it can touch, and when that access should end.

Practical implication: build discovery into AI onboarding and offboarding so the access path is visible before the agent goes live.


Threat narrative

Attacker objective: use AI-controlled execution paths and compromised NHIs to expand access, move data, and reach enterprise systems beyond the intended trust boundary.

  1. Entry occurs when an AI agent is connected to tools, APIs, or registries through exposed or insufficiently governed non-human identities.
  2. Escalation follows when the agent can invoke unapproved tools, reach local execution paths, or inherit broader access than the initial task required.
  3. Impact appears when uncontrolled data flows or credential exposure let the agent access systems and data beyond its intended scope.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agent governance now fails at the identity boundary, not the model boundary. This partnership is really about extending identity controls into environments where agents, tools, and registries interact dynamically. The field should stop treating AI risk as an application-only issue because the real governance gap sits in the identities that authorise action across systems. Practitioners need to govern the full execution path, not just the model output.

Managed AI access requires lifecycle thinking that most IAM programmes still do not apply to machine actors. The critical problem is not whether an AI agent can act, but whether the linked NHIs are discoverable, scoped, and retired with the same discipline used for other privileged identities. This is where IAM, PAM, and NHI governance converge, and where control ownership often fragments. Security teams should treat agent lifecycle and secret lifecycle as one operating model.

MCP introduces a named governance concept: tool-mediated trust expansion. Once a protocol lets an agent reach tools through registries and local execution paths, privilege can widen through connection logic rather than explicit role assignment. That changes the control conversation from static entitlements to runtime trust decisions. The implication for practitioners is clear: tool approval, registry governance, and data-flow oversight become part of identity security, not separate technical chores.

AI identity blind spots now expose the same structural weakness seen in classic NHI sprawl. Astrix Security states that agents and the NHIs behind them outnumber humans 100:1, which is why discovery cannot be treated as an occasional hygiene task. Whether the environment is human, NHI, or agentic, uncontrolled identity growth becomes a governance problem once access outpaces review. Practitioners need a single inventory view that can explain who or what can act, and on whose authority.

Security controls for autonomous systems must be measured by what they can constrain at runtime. Guidance built for conventional IT assets will not be enough if it cannot follow agents into execution timing, tool selection, and data movement. That is why companion controls for AI agents and MCP are likely to become a reference point for the next phase of identity governance. Teams should expect more cross-domain control mapping, not less.

From our research:

  • AI agents and the non-human identities that power them bring great potential but also new risks, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That visibility gap is why readers should also review OWASP NHI Top 10 for agentic risk patterns and control mapping.

What this signals

Tool-mediated trust expansion is the governance problem that will define the next wave of AI identity work. Once agents can reach tools through registries and local execution paths, identity teams have to watch the boundary where access becomes action, not only the point where a token is issued.

Astrix Security says agents and the NHIs behind them outnumber humans 100:1, which is a reminder that discovery gaps will grow faster than manual review cycles. For practitioners, that means continuous inventory, entitlement tracing, and offboarding discipline need to move into the same operating model.

Teams should also align AI agent governance with established identity and zero-trust thinking rather than treating it as a separate discipline. The control question is whether your programme can prove who or what acted, what it touched, and whether that access was still justified at the moment of execution.


For practitioners

  • Map the agent-to-NHI dependency chain: Document every AI agent, the service accounts, API keys, OAuth tokens, and certificates it uses, and record which systems each one can reach. Build the inventory so ownership, expiry, and offboarding are visible in the same control set.
  • Classify MCP tools as governed access points: Approve MCP servers, tool registries, and third-party connections through the same review process used for privileged integrations. Log which tools are available to each agent and remove any default access that is not required for the task.
  • Apply runtime privilege checks to agent actions: Require policy checks before agents can call high-risk APIs, write data, or trigger local execution. Do not rely on the model prompt alone to constrain behaviour, because the trust decision belongs at the action layer.
  • Tie discovery to offboarding and rotation: Use continuous discovery to find shadow agents and stale secrets, then revoke access when an agent is retired or repurposed. Pair discovery results with rotation evidence so the control record shows what changed and when.
  • Review AI controls against CIS and NHI governance models: Compare your current identity controls with the CIS Critical Security Controls guidance once the companion guides are released, and align them with NHI lifecycle practices rather than treating AI as a separate programme.
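As an added example (not code from Astrix Security, CIS, Cequence or NHI Mgmt Group), a small Python gate that applies the practitioner list above: the agent and the NHI it acts through are one inventory record carrying owner, expiry and approved tools, every MCP tool call is checked at the tool boundary and logged, and an access-review function flags records that cannot show ownership, expiry and scope in the same record. The inventory, tool names and the per-call approval reference are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class AgentRecord:
    """One governed unit: the agent plus the NHI it acts through (constructed schema)."""
    agent_id: str
    owner: Optional[str]         # business owner responsible for revocation
    credential_id: str           # service account, API key or OAuth token the agent uses
    expires: Optional[datetime]  # when the linked credential must be retired
    approved_tools: set = field(default_factory=set)  # MCP tools approved for this agent

# Constructed sample data; high-risk tools (data writes, local execution) also need a per-call approval ref.
HIGH_RISK_TOOLS = {"fs.write", "shell.exec", "db.update"}
INVENTORY = {
    "ticket-triage": AgentRecord("ticket-triage", "itsm-team", "sa-triage-01",
                                 datetime(2099, 1, 31, tzinfo=timezone.utc), {"jira.read", "db.update"}),
    "data-loader": AgentRecord("data-loader", None, "key-loader-07",
                               datetime(2099, 3, 31, tzinfo=timezone.utc), {"db.update"}),
    "report-bot": AgentRecord("report-bot", "finance", "tok-report-02",
                              datetime(2025, 6, 30, tzinfo=timezone.utc), {"jira.read"}),
}
AUDIT_LOG = []  # every decision taken at the tool boundary, allowed or denied

def authorize_tool_call(agent_id, tool, now=None, approval_ref=None, inventory=INVENTORY):
    """Policy check at the tool boundary: returns (allowed, reason) and logs the decision."""
    now = now or datetime.now(timezone.utc)
    rec = inventory.get(agent_id)
    if rec is None:
        allowed, reason = False, "agent not in inventory"
    elif not rec.owner:
        allowed, reason = False, "no owner on record, nobody can revoke"
    elif rec.expires is None or now > rec.expires:
        allowed, reason = False, f"credential {rec.credential_id} expired or has no expiry"
    elif tool not in rec.approved_tools:
        allowed, reason = False, f"tool {tool} not approved for this agent"
    elif tool in HIGH_RISK_TOOLS and not approval_ref:
        allowed, reason = False, f"high-risk tool {tool} needs a per-call approval reference"
    else:
        allowed, reason = True, "approved"
    AUDIT_LOG.append({"ts": now.isoformat(), "agent": agent_id, "tool": tool,
                      "allowed": allowed, "reason": reason})
    return allowed, reason

def governance_gaps(inventory=INVENTORY):
    """Access-review check: records that cannot show owner, expiry and scope together."""
    fields = ("owner", "expires", "approved_tools")
    return {a: [f for f in fields if not getattr(r, f)] for a, r in inventory.items()
            if any(not getattr(r, f) for f in fields)}
```

The denial reasons map to the list above: unknown agent and missing owner are discovery and ownership gaps, the expiry check is rotation and offboarding, and the tool checks are the runtime privilege gate at the action layer.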

Key takeaways

  • AI agent governance now depends on controlling both the agent and the NHIs that let it act.
  • MCP and dynamic tool access widen the identity perimeter, so visibility and approval must move closer to runtime.
  • Continuous discovery and offboarding discipline are now central to keeping AI identity sprawl from becoming unmanaged access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | NHI-01 | Agentic tool use and runtime access are central to the article.
OWASP Non-Human Identity Top 10 | NHI-03 | The article focuses on linked NHIs, secrets, and lifecycle control.
NIST CSF 2.0 | PR.AC-4 | The post centres on access governance across AI systems and APIs.

Inventory AI-linked NHIs and enforce rotation, revocation, and ownership tracking.


Key terms

  • AI Agent Lifecycle Governance: AI agent lifecycle governance is the practice of tracking an agent from creation to retirement, including the identities it uses to act. It extends ordinary lifecycle management to runtime behaviour, linked secrets, approval scope, and offboarding so the agent cannot outlive its justified access.
  • Model Context Protocol: Model Context Protocol is a structured way for AI systems to connect to tools and data sources. In governance terms, it creates a new access boundary because the protocol can turn a simple model interaction into a multi-tool identity path that must be approved, logged, and reviewed.
  • Non-Human Identity: A non-human identity is any machine or software identity that authenticates to systems, such as a service account, API key, token, or certificate. In AI environments, NHIs often carry the real authority that lets an agent reach data, tools, and administrative functions.
  • Tool-Mediated Trust Expansion: Tool-mediated trust expansion is the tendency for an agent’s access to widen as it gains more tools, connections, or execution options. The risk is that privilege grows through integration choices rather than explicit authorisation, which makes the boundary harder to see and govern.

What's in the full analysis

Astrix Security's full article covers the operational detail this post intentionally leaves for the source:

  • Specific guidance on securing AI agents, MCP servers, and the non-human identities that connect them to enterprise systems.
  • Practical lifecycle guidance for discovery, privilege reduction, and responsible deployment across AI-enabled environments.
  • The partnership's planned companion guides for AI Agent Environments and MCP environments, including the control areas each one will address.
  • Workshop and webinar context for translating the guidance into implementation decisions.

👉 Astrix Security's full article covers the partnership details and planned control guidance for AI environments.

Deepen your knowledge

AI agent identity governance and NHI lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance model for agentic systems and the credentials behind them, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org