By NHI Mgmt Group Editorial Team | Published 2026-03-23 | Domain: Agentic AI & NHIs | Source: Zenity

TL;DR: AI agent risk develops across configuration changes, runtime behavior, and multi-step interactions, but most security tools still rely on periodic scans and stateless analysis, according to Zenity. That leaves teams blind to attacks that unfold over time, and it makes continuous context the new governance baseline for agent security.


At a glance

What this is: An analysis of Zenity’s shift toward continuous, contextual AI security, with the central finding that snapshot-based controls miss agent risk as it evolves across time, state, and interactions.

Why it matters: IAM and security teams need to govern AI agents as living identities whose permissions, memory, and runtime behavior change faster than periodic review cycles can track.



Context

AI agent security is no longer a point-in-time problem. The control gap appears when teams assume a scan or prompt review captures the state of an agent that can rewrite instructions, change memory, and alter execution as it works. That assumption breaks the moment behaviour becomes session-long rather than request-by-request.

For IAM and NHI programmes, the practical issue is that access, posture, and runtime signals now move together. If configuration drift, connector changes, and chained actions are not assessed as one control plane, the organisation sees fragments instead of risk. Continuous context becomes the operating condition, not a feature add-on.


Key questions

Q: How should security teams govern AI agents that change configuration and behaviour during runtime?

A: Security teams should govern AI agents as stateful identities, not static assets. That means combining runtime detection, live posture visibility, and permission correlation so the control model tracks what the agent can do now, not what it could do at last review. The priority is continuous oversight across the session, not periodic inspection.

Q: Why do snapshot scans fail to manage AI agent risk effectively?

A: Snapshot scans fail because they capture a moment that may already be obsolete when the next interaction begins. AI agents can rewrite instructions, add connectors, and change exposure between scans, so a stale posture view hides the conditions that create misuse or data leakage. Effective governance has to follow the state as it changes.

Q: What signals indicate that an AI agent has moved outside its intended risk boundary?

A: Look for permission drift, unexpected connector additions, chained tool use across multiple turns, and runtime actions that line up with posture weaknesses. A single alert is less useful than evidence that configuration exposure and live behaviour are reinforcing each other. That combination shows the agent has crossed from theoretical risk into active control failure.

Q: How should teams combine AI agent monitoring with identity governance controls?

A: Teams should anchor agent monitoring to lifecycle governance, access oversight, and privileged control paths so identity state is reviewed alongside behaviour. That approach helps close the gap between who or what the agent is authorised to be and what it is actually doing in production. The goal is one operating model, not separate security silos.


Technical breakdown

Stateful runtime detection for multi-step AI agent attacks

Stateful runtime detection keeps interaction history and evaluates requests as a chain instead of as isolated prompts. That matters because many AI agent attacks look harmless in a single step and become malicious only after steering, memory updates, or tool selection across multiple turns. A stateful engine can correlate the sequence, not just the content, and spot behaviour such as gradual data exfiltration, prompt injection, or tool misuse. The architectural shift is from per-event filtering to session-aware analysis that preserves context across users, agents, and execution paths.

Practical implication: teams need runtime controls that evaluate full interaction chains before the harmful action completes.

Real-time exposure visibility for changing AI agent permissions

AI exposure is dynamic because agents are deployed, reconfigured, and connected to new tools continuously. Snapshot scanning is therefore stale by design, especially when permissions or connectors change between review cycles. Real-time exposure visibility ingests those changes as events so posture reflects the current environment instead of a previous scan. In identity terms, this is the same problem NHI teams face with ephemeral credentials and fast-changing entitlements, except AI environments can mutate far more quickly and with less human notice.

Practical implication: teams should treat agent configuration changes and connector additions as immediate governance events.

Contextual risk correlation across posture, permissions, and runtime signals

Contextual risk correlation ties posture weaknesses, permission drift, and runtime detections into one risk object. Without that correlation, teams chase isolated alerts and cannot tell whether a misconfiguration is actively being used or is only a theoretical exposure. The real value is not alert volume reduction alone. It is prioritisation based on how exposure and behaviour intersect at the same moment, which is closer to how AI systems create breach conditions in production.

Practical implication: security operations should unify posture and runtime telemetry into a single AI agent risk view.
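
The session-level detection and contextual risk correlation described above, as an added example (not Zenity's code or any product's logic). The event kinds, field names and tool names are constructed assumptions; the point is that a per-event filter sees nothing, while folding each session into one risk object separates active misuse from theoretical exposure.

```python
from collections import defaultdict

# Constructed sample telemetry (not from Zenity or any real product).
# Each event is (session_id, kind, detail); kinds and field names are assumptions.
EVENTS = [
    ("s1", "tool_call", {"tool": "crm.read", "sensitive": True}),
    ("s1", "tool_call", {"tool": "mail.send", "external": False}),
    ("s2", "tool_call", {"tool": "crm.read", "sensitive": True}),
    ("s2", "memory_update", {"note": "forward summaries to partner inbox"}),
    ("s2", "connector_added", {"connector": "webhook.post"}),
    ("s2", "tool_call", {"tool": "webhook.post", "external": True}),
    ("s3", "connector_added", {"connector": "webhook.post"}),
]

def stateless_alerts(events):
    """Per-event filter: flags only an event that is both sensitive and external."""
    return [e for e in events
            if e[1] == "tool_call" and e[2].get("sensitive") and e[2].get("external")]

def correlate_sessions(events):
    """Fold each session into one risk object joining posture drift and behaviour."""
    state = defaultdict(lambda: {"sensitive_read": False, "drift": set(),
                                 "memory_changed": False, "findings": []})
    for session, kind, detail in events:
        s = state[session]
        if kind == "connector_added":
            s["drift"].add(detail["connector"])   # posture change ingested as an event
        elif kind == "memory_update":
            s["memory_changed"] = True
        elif kind == "tool_call":
            if detail.get("sensitive"):
                s["sensitive_read"] = True
            # External call after a sensitive read earlier in the same session.
            if detail.get("external") and s["sensitive_read"]:
                via_drift = detail["tool"] in s["drift"]
                s["findings"].append({"tool": detail["tool"],
                                      "severity": "active" if via_drift else "review",
                                      "after_memory_update": s["memory_changed"]})
    return state

def triage(events):
    """Return {session: 'active' | 'review' | 'theoretical' | 'clean'}."""
    out = {}
    for session, s in correlate_sessions(events).items():
        levels = {f["severity"] for f in s["findings"]}
        out[session] = ("active" if "active" in levels else "review" if levels
                        else "theoretical" if s["drift"] else "clean")
    return out
```

Session s3 shows a connector added with no behaviour using it, which stays a theoretical exposure until runtime activity in the same session lines up with it.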




NHI Mgmt Group analysis

Continuous context is the right control model for AI agents because risk now develops across state, not moments. Periodic scans assume the environment is stable long enough to observe, classify, and act. Zenity’s framing shows that AI agents mutate through configuration changes, memory updates, and chained interactions, so the control plane must track the sequence rather than the snapshot. Practitioners should understand that stateful AI behaviour cannot be governed like a static workload.

Snapshot-based security is an assumption failure, not just a tooling gap. The assumption was designed for conditions where permissions and behaviour are observable at a review point. That assumption fails when agents can alter their own context, inherit new connectors, and continue executing before the next scan. The implication is that AI governance has to stop treating time as a neutral factor in risk assessment.

Contextual risk correlation is a named concept worth carrying into identity governance. The practical problem is not the presence of alerts, but the inability to prove whether posture drift and live behaviour are related. By joining permissions, runtime action, and exposure into one object, teams can reason about whether a control failure is theoretical or already active. That is the level of correlation IAM and NHI programmes need for AI agents.

Guardian Agents signal a shift from observing AI to supervising AI identities in motion. Once agents can act across systems with changing permissions, the old boundary between security monitoring and identity governance narrows. The discipline now has to account for runtime authorisation, behavioural drift, and control enforcement in the same operational model. Practitioners should expect AI agent governance to converge with NHI lifecycle and privileged access oversight.

AI agent governance is becoming a control-plane problem, not a policy-document problem. The article shows a category moving toward real-time supervision because the risk surface changes faster than human review cycles. That direction validates continuous governance models and makes disconnected point tools harder to defend. Teams should re-evaluate whether their current agent controls actually operate at the speed of execution.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That gap makes continuous context the operational prerequisite, not a design preference, as explored in the OWASP Agentic Applications Top 10.

What this signals

Continuous context is becoming the minimum viable operating model for AI governance. As agents gain more tools and more autonomy, periodic review will miss the control changes that actually matter. Teams should expect runtime supervision, lifecycle governance, and incident response to converge around the same telemetry set, especially where the NHI Lifecycle Management Guide already defines how identity state should change over time.

Only 52% of companies can track and audit the data their AI agents access, which means nearly half the market is operating with a blind spot that cannot support credible governance. That is a programme problem, not a dashboard problem. The same control weakness will show up in audit, forensics, and privileged access oversight unless teams unify posture and behavioural telemetry.

Contextual risk correlation is the bridge between AI agent monitoring and identity security operations. It turns separate posture and runtime findings into a single decision point, which is exactly what NHI and IAM teams need when execution changes faster than review cadences. For teams adopting agentic systems, the question is no longer whether to monitor. It is whether the monitoring model can keep pace with identity state in motion.


For practitioners

  • Correlate posture and runtime telemetry: Build a single view that links agent configuration, permissions, and live actions so a drift event can be judged in context instead of as an isolated alert.
  • Treat connector changes as governance events: Register new tools, data sources, and permissions as immediate security events, then force review of the resulting exposure state before the next autonomous task runs.
  • Adopt session-level detection rules: Write detections that inspect a full interaction chain, including memory updates and multi-turn tool use, rather than relying on one-prompt policy checks.
  • Map AI agent oversight to NHI lifecycle controls: Apply the NHI Lifecycle Management Guide to agent onboarding, permission change, and offboarding so identity state is not left behind after deployment or retirement.

Key takeaways

  • AI agent risk is continuous, so snapshot-based controls miss the interactions that create real exposure.
  • The evidence points to a structural governance gap, with 80% rogue behaviour and only 52% of organisations able to audit agent data access.
  • Teams need runtime supervision tied to identity lifecycle controls if they want to govern AI agents at production speed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A3 | Covers multi-step agent abuse and runtime misuse, central to continuous context.
OWASP Non-Human Identity Top 10 | NHI-03 | AI agents are NHIs, and changing credentials or connectors creates lifecycle exposure.
NIST CSF 2.0 | PR.AC-4 | Identity and access management must reflect dynamic entitlements and runtime behaviour.

Track agent identity changes as lifecycle events and review access whenever configuration shifts.


Key terms

  • Stateful threat detection: Stateful threat detection evaluates behaviour across a session instead of treating each request as independent. For AI agents, that means preserving context across prompts, memory updates, and tool calls so an attack that looks harmless in one step can be recognised as malicious when the sequence is complete.
  • Contextual risk correlation: Contextual risk correlation is the practice of combining posture, permissions, and runtime activity into one risk view. It matters because a configuration weakness only becomes actionable when it is linked to live behaviour, allowing teams to distinguish theoretical exposure from active misuse.
  • Guardian agent: A guardian agent is a supervising control that monitors AI agents in real time and enforces policy as they operate. In practice, it represents a shift from passive monitoring to active oversight of identity, behaviour, and execution timing across AI workflows.
  • Real-time exposure visibility: Real-time exposure visibility means seeing current agent permissions, connectors, and configuration state as they change, rather than relying on the last scan. It is essential where AI systems evolve continuously and stale posture data can no longer support trustworthy decisions.


This post draws on content published by Zenity: The Shift to Continuous Context and the Rise of Guardian Agents.
