Discovering and securing AI identities before governance drifts

At a glance

What this is: This is a governance analysis of AI identity discovery, showing that AI agents create new identity surfaces through the secrets, tokens, and service accounts they use.

Why it matters: It matters because IAM, IGA, PAM, and security teams need to govern agent access, ownership, and lifecycle with the same discipline used for human and machine identities.

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

👉 Read Oasis Security's analysis of how to discover and secure AI identities

Context

AI identity governance starts with a simple question: which non-human identities are actually operating in the environment, and what can they reach? In practice, an AI agent is not just a model call. It is a runtime actor that relies on API keys, OAuth tokens, service accounts, and embedded permissions to act across systems.

The governance gap appears when organisations add assistants, workflows, and custom agents faster than they can map ownership, scope, and accountability. That leaves security teams with orphaned credentials, unclear responsibility, and weak traceability across cloud, SaaS, and internal services. For teams building a programme, the right starting point is the NHI Lifecycle Management Guide, because lifecycle discipline is what turns discovery into control.

Key questions

Q: How should security teams inventory AI agents before granting production access?

A: Start by building a register that links each agent to its owner, the identities it uses, the systems it can reach, and the data it can touch. Do not treat model deployment as proof of governance. Discovery must also capture hidden tokens, inherited service accounts, and any workflow that lets an agent act outside direct human review.

Q: Why do AI agents create more identity risk than traditional automation?

A: Because agents combine access, decision-making, and tool use in ways that can expand scope during runtime. Traditional automation usually follows a fixed path, but agents can iterate across systems and accumulate permissions indirectly. That makes entitlement visibility, ownership, and audit trails far more important than in script-based workflows.

Q: What breaks when AI agents have no clear owner?

A: Lifecycle control breaks first, followed by revocation, review, and accountability. An ownerless agent can persist after the creator leaves, keep active credentials, and continue accessing systems without anyone clearly responsible for its permissions or behaviour. That is how orphaned identities become a standing governance liability.

Q: How do organisations know if AI identity governance is working?

A: They should be able to answer three questions quickly: which agents exist, which credentials each one uses, and who is accountable for each identity’s lifecycle. If any of those answers require manual searching across teams, the governance model is still incomplete and the environment remains difficult to audit.

Technical breakdown

AI agents as identity-bearing actors

AI agents are not only software logic. They are identity-bearing actors that use credentials to interact with calendars, CRMs, data stores, and internal APIs. Their behaviour is shaped by the permissions attached to the identities they inherit or create, which means the real control point is not the model output but the access path behind it. Once an agent can plan, call tools, and repeat actions, the identity layer becomes the enforcement boundary. That is why agent governance cannot be reduced to model governance alone.

Practical implication: Map every agent to the identities it uses, then treat that mapping as part of access control and audit design.

Discovery, context, and secret sprawl

Discovery is the foundation of AI identity governance because you cannot govern what you cannot see. The problem is not only missing inventory. It is missing context: which model powers which agent, which secrets it uses, who owns it, and whether the credential is still valid. Secret sprawl often appears in configs and scripts, while inherited tokens make agents look legitimate even when they are not registered. This creates an identity estate that is broader than human IAM and less structured than traditional service account management.

Practical implication: Build a registry that links each agent to its credentials, owner, and data access so remediation starts from evidence, not guesswork.

Ownership as the anchor of accountability

Ownership is the control that turns AI access from a technical artifact into a governable identity. Without a named owner, agent access persists after the creator moves on, the use case changes, or the workflow is retired. That creates orphaned identities with active reach and no clear decision-maker for review, revocation, or exception handling. In identity terms, accountability is not a policy add-on. It is the condition that lets lifecycle controls work at all, especially when agents operate across teams and business units.

Practical implication: Tie every agent identity to an accountable owner and require lifecycle review whenever the owner, use case, or scope changes.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

AI identity sprawl is now a governance problem, not a model-management problem. The source article is right to focus on visibility because the real attack surface is the collection of identities agents use to act. When agents inherit tokens, service accounts, and embedded permissions, the programme is no longer managing one model but many reachable identity endpoints. That shifts the control question from model approval to identity inventory and relationship mapping. Practitioners should treat agent discovery as the first line of NHI governance.

Ownership failure is the named concept that explains why AI identities drift out of control. An agent without explicit ownership is an orphaned non-human identity, even if it is technically functioning. The article describes the silent accumulation of agents that persist after their creator leaves or the workflow changes, which means lifecycle responsibility has been detached from operational reality. That is a programme design failure because accountability was assumed to remain attached to the human builder. Practitioners need to recognise orphaned agent ownership as a distinct identity risk category.

Visible credentials are not enough when the access model is still over-permissive. Discovery improves traceability, but it does not solve the governance problem if agents can touch broad systems and sensitive data by default. The article’s emphasis on overprivilege shows that the issue is not just locating agents. It is understanding whether their entitlements were ever defensible at design time. NIST CSF access governance and OWASP NHI controls both point to the same conclusion: inventory without entitlement review leaves the risk intact.

Agentic AI governance now sits at the intersection of NHI lifecycle, compliance, and auditability. The article’s references to EU AI Act and NIST AI RMF traceability requirements are significant because regulators are moving toward evidentiary control, not informal assurance. That means discovery, ownership, secret hygiene, and activity logging are becoming operational proof points rather than optional controls. The practitioner conclusion is straightforward: if you cannot produce an audit trail for agent access, you do not have governable AI.

Identity blast radius is the right lens for agent governance. Every agent expands the number of identities, credentials, and permission paths that can be abused. Once that blast radius spans SaaS, cloud, and internal services, the problem becomes systemic rather than isolated. Practitioners should measure how far one agent can reach before they attempt to secure the agent itself.

From our research:

• 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
• That same research found that 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
• For the broader identity model behind this shift, see Top 10 NHI Issues for the controls that most often fail when identities outgrow visibility.

What this signals

Agent visibility will become a prerequisite for AI adoption, not a post-deployment cleanup task. As agent populations grow, teams that cannot tie each identity to an owner, credential, and access path will struggle to pass audit or contain misuse. The governance model has to shift from reactive secret chasing to continuous identity discovery, with the NHI Lifecycle Management Guide as the operational baseline.

Ownership drift is the signal that AI governance is already losing coherence. When teams cannot say who is accountable for an agent’s permissions, review cycle, or retirement, lifecycle controls will fail at the point of exception handling. That is why discovery tooling must feed IGA, PAM, and asset governance, not sit beside them.

Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation. That figure means the next stage of maturity is not more experimentation, but evidence-grade traceability aligned to NIST AI Risk Management Framework expectations.

For practitioners

• Inventory every AI agent and its identities Build a live register of agents, the tokens or service accounts they use, the systems they can reach, and the business owner responsible for each one. Treat discovery as an access control prerequisite, not a documentation task.
• Link agent ownership to lifecycle control Require named accountability for creation, scope changes, exceptions, and decommissioning so agent identities do not persist after the use case changes. Use the NHI Lifecycle Management Guide to align ownership review with rotation and offboarding processes.
• Score agent risk from actual access paths Assess each agent by what data it touches, which permissions it inherits, and whether its behaviour matches approved use. Prioritise high-risk agents that access sensitive data or use standing credentials with broad reach.
• Separate discovery from entitlement approval Do not treat a discovered agent as a trusted one. Put registration, ownership validation, and entitlement review before production access, especially when agents are connected to SaaS and cloud services.

Key takeaways

• AI identity governance fails when agents are deployed faster than they are inventoried, owned, and mapped to credentials.
• The scale problem is already visible, with most organisations expecting more agents while many current deployments have already exceeded intended scope.
• Security teams need lifecycle and accountability controls for AI identities before access becomes too distributed to audit or revoke cleanly.

Key terms

• AI Identity: An AI identity is the set of credentials, permissions, and accountability links that lets an AI system act across enterprise services. For governance, it is not the model itself that matters most, but the identity construct behind it, including ownership, lifecycle state, and the systems it can reach.
• Agentic Access Management: Agentic Access Management is the practice of governing AI agents as runtime actors with identities, permissions, and lifecycle controls. It extends identity discipline beyond static non-human accounts by tracking ownership, credential use, access paths, and the accountability needed to audit actions after they occur.
• Identity Blast Radius: Identity blast radius is the amount of damage or spread an identity can create if it is misused, overprivileged, or left unmanaged. For AI agents, the blast radius includes every system, dataset, and workflow reachable through the credentials and permissions the agent can activate.
• Orphaned Identity: An orphaned identity is a credentialed account or agent that continues to exist without an accountable owner or active governance process. In AI environments, orphaning often happens when the creator leaves, the workflow changes, or the agent is never formally retired, leaving active access behind.

Deepen your knowledge

AI identity discovery, ownership, and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is moving from human and service account governance into agent oversight, it is worth exploring.

This post draws on content published by Oasis Security: How to discover, map, and secure AI Identities. Read the original.