By NHI Mgmt Group Editorial TeamPublished 2026-07-08Domain: Agentic AI & NHIsSource: Oasis Security

TL;DR: Claude Tag gives each Slack channel its own AI agent identity, with separate credentials and audit trails, but channel-based access still creates standing NHI exposure across connected tools, according to Oasis Security. The governance gap is not attribution, it is ownership, lifecycle control, and cross-platform visibility for every agent credential.


At a glance

What this is: Claude Tag models an AI agent as its own security principal, which sharpens the gap between attribution and governance for channel-shared non-human access.

Why it matters: IAM, IGA, and PAM teams need to decide how agent credentials are discovered, owned, scoped, and revoked when a channel can invoke the same access for many people.

By the numbers:

👉 Read Oasis Security's analysis of Claude Tag and agent identity governance


Context

Claude Tag puts an AI agent inside a familiar collaboration workflow, but the access model is not familiar at all. A channel can invoke the agent under its own identity, which means the security question shifts from human sign-in to non-human identity governance, including ownership, scope, and revocation.

That matters because agent identity looks neat in logs while still creating shared standing access across tools. The result is a governance gap: attribution becomes cleaner, but the identity team still has to discover which agents exist, who can invoke them, and whether their credentials are being controlled like the rest of the NHI estate.


Key questions

Q: How should security teams govern AI agents that have their own identity?

A: Treat each agent as a non-human identity with a named owner, a defined scope, and a lifecycle. Then map the humans and channels that can invoke it, because shared invocation is where accountability breaks down. Governance has to cover discovery, certification, rotation, and revocation, not just audit logging.

Q: Why do channel-shared AI agents create more risk than single-user assistants?

A: Channel-shared agents collapse individual accountability into group access. A person can trigger the same agent identity without holding the underlying permissions themselves, which means the effective access model is broader than the human user’s own entitlements. That widens blast radius and makes access reviews less reliable.

Q: What breaks when agent identity is tracked only in logs?

A: Logs show what the agent did, but they do not show whether the right people were allowed to invoke it or whether the credential should still exist. Without consumer mapping and lifecycle control, the organisation can explain activity but not prove governance. That leaves attribution without accountability.

Q: How do IAM teams decide when to revoke an AI agent’s access?

A: Revoke access when the project ends, the channel changes, the membership base shifts, or the task no longer requires the capability. Agent access should be reviewed on the same lifecycle triggers used for other NHIs, but with extra attention to the invoking group, because that is often where standing access survives.


Technical breakdown

Agent identity as a security principal

Agent identity treats an AI agent as its own principal, with separate credentials, an audit trail, and tool-specific access rather than borrowed human permissions. In practice, the access path is mediated by a proxy or boundary control that injects credentials at request time and constrains outbound connections to approved hosts. That reduces direct credential exposure but does not eliminate shared access risk, because the same agent identity can be invoked by multiple humans in the same channel. The architectural shift is from per-user delegation to per-agent entitlement, which changes how access is assigned and reviewed.

Practical implication: inventory agent principals separately from human accounts and treat each as an NHI with explicit ownership.

Why attribution is not governance

Clean logs do not equal controlled access. When an agent acts under its own identity, each action can be attributed to the agent account, but the people who triggered that action may be invisible unless channel membership and consumer mapping are tracked. That creates a split between who caused the action and who technically held the permission. Governance therefore has to sit above the tool log, linking the credential, the channels that can invoke it, and the humans inside those channels. Without that map, review and accountability remain partial.

Practical implication: map every agent credential to its consumer groups and review those memberships as part of access governance.

Standing access versus just-in-time agent grants

The current pattern described here is standing access wrapped in an agent interface: one provisioned credential set per channel, live until revoked. Anthropic’s stated direction toward just-in-time grants points to a more constrained model, but the core problem remains the same if the credential lifecycle is unmanaged. NHI governance has always depended on knowing when access starts, what it can reach, and when it ends. Agent identity simply makes that lifecycle more dynamic and more distributed across platforms.

Practical implication: align agent access reviews with lifecycle events such as project closure, membership changes, and task completion.


Threat narrative

Attacker objective: The objective is to use shared agent access to reach enterprise systems and data without each human invoker holding direct permission.

  1. entry: a user in a Slack channel invokes an AI agent that already has been connected to enterprise tools through a provisioned identity and proxy boundary.
  2. escalation: the shared channel model lets multiple people reach the same agent principal, so access extends beyond any single human’s original permissions.
  3. impact: the agent can query systems, read repositories, or perform operational tasks under its own identity, creating standing NHI exposure across connected services.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agent identity does not remove NHI risk, it relocates it. Once an AI agent is provisioned its own credentials, the central problem becomes governance of a new non-human principal rather than human delegation. That means discovery, ownership, consumer mapping, lifecycle control, and revocation now apply to the agent estate as directly as they do to service accounts. The practitioner conclusion is simple: if an agent can act independently in a channel, it must be governed as an identity, not as a feature.

Attribution solves evidence, not accountability. A clean audit trail is useful only when the organisation can also explain who was allowed to invoke the agent and why. Shared channel access breaks the assumption that one identity equals one accountable user, which is why identity teams need to govern consumers, not just principals. The practitioner conclusion is that log fidelity without governance mapping leaves a blind spot, even when every action is technically attributable.

Channel-shared agent access is a named governance gap, not a temporary implementation detail. The model creates one credential set that many people can trigger, which means least privilege is no longer evaluated only at provision time. The practitioner conclusion is to treat this as a distinct control domain across IGA, PAM, and NHI management, because the access path now lives in collaboration spaces as much as in infrastructure.

Agent lifecycle must be managed as a first-class NHI lifecycle. Rotation, recertification, and decommissioning become meaningless if the human membership that can invoke the agent is left unchanged. The practitioner conclusion is that offboarding and access review must cover both the agent credential and the channel membership that activates it.

Agent identity accelerates the need for cross-platform NHI visibility. One vendor can harden its own agent model, but no single product can explain the full estate across Slack, code systems, analytics tools, and internal agents. The practitioner conclusion is that the control plane now has to be organisational, not product-specific, because the identity problem spans multiple platforms and multiple owners.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, according to the same guide.
  • For a deeper breach lens on unmanaged machine access, see 52 NHI Breaches Analysis, which traces how overlooked credentials become persistent attack paths.

What this signals

Channel-based agent access will force identity teams to extend governance into collaboration platforms. Once an agent can be invoked by a group rather than a single user, the review object is no longer just the principal. It becomes the principal, the consumer set, and the channel membership that activates the access. That is a structural change for IGA and PAM programmes, not a workflow tweak.

Agent identity creates an ephemeral trust debt. The more agents are allowed to act under their own credentials across tools, the more important it becomes to know which of those credentials are still live, who can trigger them, and whether the access is tied to an active business purpose. Without that view, the organisation accrues hidden non-human access that looks clean in logs but remains difficult to retire.


For practitioners

  • Inventory every agent principal Build a register of AI agents, the tools they can reach, the channels that can invoke them, and the human owner for each credential set. Use the register to spot shared access and orphaned accounts before they spread across collaboration workflows.
  • Map consumers to each agent credential Tie each agent identity to the exact channels, groups, or projects that can activate it so review teams can see who is effectively using the access. This consumer mapping should be part of every access review and offboarding event.
  • Apply lifecycle controls to agent access bundles Rotate, recertify, and decommission agent credentials when projects end, channel membership changes, or invocation rights are no longer required. Treat the credential and the invoking group as a single governance object.
  • Separate attribution from approval Do not assume that a clear audit trail means the access was appropriate. Require a human owner and an approval record for every agent capability, especially where a channel can hand work to the agent without per-user permission checks.

Key takeaways

  • AI agent identity solves attribution before it solves governance, which leaves a blind spot in shared access models.
  • The scale problem is not just the agent credential, but the channels and people that can activate it.
  • IAM, IGA, and PAM teams need lifecycle controls for agent principals and consumer groups, or agent sprawl will outpace review.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Agent identity and tool use raise agentic authorization and delegation risks.
OWASP Non-Human Identity Top 10NHI-01Agent principals are non-human identities that need ownership and lifecycle control.
NIST CSF 2.0PR.AC-4The article centers on least-privilege access and access review for shared agent identities.
NIST Zero Trust (SP 800-207)The proxy and boundary model aligns with zero trust enforcement at request time.
NIST SP 800-53 Rev 5IA-5Agent credentials are authenticators that require rotation and controlled management.

Model agent invocation, tool scope, and approval boundaries before enabling channel-shared access.


Key terms

  • Agent Identity: An access model where an AI agent receives its own security principal, credentials, and audit trail instead of borrowing a human user’s identity. For autonomous or semi-autonomous workflows, the key governance question is not only what the agent can do, but who owns it, who can invoke it, and when its access ends.
  • Consumer Mapping: The practice of linking a non-human identity to the groups, channels, or systems that can actually activate its permissions. This matters because effective access often lives with the consumers, not only with the principal. In agent environments, consumer mapping is what turns hidden shared access into something reviewable.
  • Channel-shared Access: A pattern where multiple people can invoke the same AI agent principal through a shared workspace or channel. The access is not purely individual anymore, so accountability, approval, and offboarding must cover both the principal and the invoking audience. It is a governance problem as much as an authentication problem.
  • Agent Lifecycle: The full management cycle for an AI agent identity, including discovery, ownership, scoping, certification, rotation, and decommissioning. For agentic systems, lifecycle control must also account for the human groups that can trigger the agent, because those groups often determine the real blast radius of the access.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact agent access bundle model used in Slack and how it maps to connected systems.
  • The practical workflow for discovering which channels and people can reach a given agent principal.
  • The lifecycle questions teams should ask when a project ends, a user leaves, or an agent capability changes.
  • The source article's next-step guidance on bringing channel-shared access under governance.

👉 The full Oasis Security post covers channel-shared access, lifecycle concerns, and the next step in governing agent principals.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org