By NHI Mgmt Group Editorial TeamPublished 2025-09-17Domain: Agentic AI & NHIsSource: Anetac

TL;DR: Agentic AI is pushing identity governance beyond static IAM, because 85% of organizations already deploy AI agents in at least one workflow and 20% of identity incidents now involve AI identities, according to the source article. Static controls cannot keep pace with access-chains that form and disappear at runtime.


At a glance

What this is: This is an Anetac analysis of why agentic AI needs a dynamic system of record that can map access-chains across human, NHI, and AI identities.

Why it matters: It matters because IAM, PAM, and IGA teams now have to govern identities that act, delegate, and recompose access at runtime, not just identities that sit in a directory.

By the numbers:

👉 Read Anetac's analysis of dynamic identity records for agentic AI


Context

Agentic AI identity governance is no longer a theoretical extension of IAM. Once an AI system can plan, decide, and act across tools and environments, the old assumption that access can be reviewed after the fact starts to break down, especially when the identity chain includes humans, NHIs, and agent-to-resource paths.

The article argues that enterprises need a dynamic system of record because access-chains are now created and consumed in motion. That is the right framing for practitioners: discovery, delegation visibility, and behavioural context have to move together if organisations want to understand what an agent actually touched, who authorised it, and which NHI credentials were involved.


Key questions

Q: How should security teams govern access-chains in agentic AI environments?

A: Security teams should govern access-chains as the primary unit of control, not isolated entitlements. That means correlating human delegation, NHI credentials, tool usage, and downstream resource access in one view. The goal is to understand what the agent actually did at runtime, because static ownership and directory data will not show how privilege was assembled during execution.

Q: Why do static IAM and PAM controls struggle with agentic AI?

A: Static IAM and PAM struggle because they assume privilege is stable long enough for review, approval, and remediation cycles to matter. Agentic AI can create, use, and discard effective access within a short session, which makes snapshot governance too slow. The control problem is speed of change, not lack of policy language.

Q: What do identity teams get wrong about human-in-the-loop for AI agents?

A: Teams often assume human-in-the-loop can be applied at every access decision, but that does not scale across high-volume agent workflows. The better model is selective human intervention at high-risk breakpoints, supported by behavioural thresholds and lineage data. Otherwise the approval step becomes habitual and loses governance value.

Q: What is the difference between identity inventory and a dynamic system of record?

A: Identity inventory tells you what exists at a point in time. A dynamic system of record shows how identities are being combined, delegated, and used across environments in motion. For agentic AI, that difference matters because governance depends on runtime relationships, not just registered objects.


Technical breakdown

Access-chains are the real control plane for agentic AI

An access-chain is the full path from identity to resource, including direct, indirect, and inherited access. For agentic AI, that chain can include a human requester, a delegated NHI, a tool call through MCP, and a downstream SaaS or cloud action. Traditional directory-based views miss those relationships because they record entitlements, not runtime composition. The operational problem is not just who has standing access, but which identities are combined during execution and how quickly those combinations change.

Practical implication: map identity-to-resource paths continuously, not only at provisioning or review time.

Why static IAM and PAM controls fail at agent speed

Static IAM and PAM assume an identity remains stable long enough for policy, approval, and review cycles to catch up. Agentic systems collapse that timeline because they can create, use, and abandon access within a short execution burst. That makes human-paced gatekeeping insufficient on its own, especially when multiple workflows, environments, and delegated credentials are involved. The technical issue is not that controls disappear, but that their observation window is too slow for the behaviour being governed.

Practical implication: shift from periodic entitlement checks to continuous runtime observability and decision logging.

MCP, OpenTelemetry, and lineage traceability for AI identities

Model Context Protocol provides a standardised way for agents to connect to tools and data sources, while OpenTelemetry can expose execution telemetry that helps security teams trace behaviour. On their own, neither solves governance, but together they support identity mapping, activity monitoring, and lineage analysis across heterogeneous stacks. The key architecture point is vendor-agnostic visibility: if agentic workloads span GitHub, Entra ID, SaaS, and on-prem systems, governance has to correlate identity events across all of them, not just one control plane.

Practical implication: align agent telemetry, identity data, and access-chain monitoring into one correlation workflow.


NHI Mgmt Group analysis

Dynamic identity governance is becoming the only workable model for agentic AI. Static inventory and periodic recertification were designed for identities that change slowly enough to be measured in snapshots. Agentic AI changes the operating assumption because access is assembled, used, and discarded in motion across multiple systems, which makes the older review model structurally incomplete. Practitioners should treat dynamic identity governance as the baseline for runtime-aware control, not as an optional enhancement.

Access review was designed for stable privilege, and that assumption fails under autonomous behaviour. Access review assumes a privilege exists long enough to be observed, certified, and removed on a schedule. When an agent independently selects tools and executes actions within a session, the review window can close before governance ever sees the effective access state. The implication is that identity programmes must rethink what is being governed when the actor is not waiting for approval cycles.

Identity blast radius is now shaped by access-chains, not isolated entitlements. The article’s strongest contribution is its focus on lineaged identity exposure across human, NHI, and agentic components. That is the right unit of analysis because compromise or misuse in one link changes the practical reach of every other linked identity. Teams that still measure entitlement risk in isolation will understate the real exposure surface.

Agentic AI governance is now a cross-domain identity problem, not a niche AI problem. The same access paths that matter for human IAM, NHI lifecycle, and PAM governance now need to be understood together because the agent can traverse all three. That makes lifecycle, observability, and delegation governance part of one control story rather than separate operating models. Practitioners should align those programmes around shared access-chain evidence.

Runtime observability is becoming the new source of truth for identity security. The article is pointing to a shift from declarative policy to observed behaviour as the decisive evidence layer. Once agents can create intermediate states that never appear in a static snapshot, the security value moves to what was actually executed, by which identity, and against which resource. Practitioners should treat behavioural lineage as a first-class control artefact.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot see the full machine side of the access chain.
  • For the lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the governance mechanics that dynamic agent identity programmes now have to extend.

What this signals

Access-chain governance will become the deciding control plane for agentic programmes. Teams that keep measuring identity risk as a list of entitlements will miss the runtime combinations that actually matter. The practical shift is toward lineage evidence, behavioural context, and a unified view across human, NHI, and agent identities.

With 71% of NHIs not rotated within recommended time frames, per Ultimate Guide to NHIs, the agentic problem compounds an already weak lifecycle baseline. If your programme cannot govern long-lived machine identities, it will struggle even more when those identities participate in autonomous execution chains.

Dynamic Systems of Record will likely sit between IAM, PAM, and AI governance stacks. That position is not about replacing existing controls. It is about making identity state observable enough that the rest of the programme can respond to what agents are doing in real time.


For practitioners

  • Inventory access-chains across all identity types Build a single map of human, NHI, and agentic access paths so you can see direct, indirect, and inherited access in one view. Include delegated credentials, tool connectors, and downstream resource paths.
  • Correlate agent telemetry with identity events Tie execution logs, identity changes, and resource access into one monitoring workflow so agent behaviour can be reconstructed after the fact. This is especially important where MCP, SaaS, and cloud systems all participate in the same chain.
  • Move from snapshot reviews to runtime controls Reduce reliance on periodic access reviews for fast-changing agentic workflows and replace them with continuous monitoring, behavioural baselines, and alerting on unusual access-chain formation.
  • Separate breakpoints from automated execution Reserve human intervention for high-risk conditions rather than every access decision, otherwise verification becomes noise and operators will over-approve by habit.

Key takeaways

  • Agentic AI forces identity governance to move from snapshots to runtime evidence.
  • The real risk surface is the access-chain, where human delegation and NHI credentials combine with agent action.
  • Practitioners should treat dynamic identity visibility as the prerequisite for safe agentic adoption, not as a later optimisation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Agentic AI identity, tool use, and delegated access are central to the article.
OWASP Non-Human Identity Top 10NHI-03The article focuses on machine identities, access chains, and lifecycle visibility.
NIST CSF 2.0ID.AM-1Continuous discovery and identity inventory are core to the dynamic system of record.

Map agent tool access, delegation, and runtime behaviour against agentic AI risks before broad deployment.


Key terms

  • Access-chain: The full path an identity follows to reach a resource, including direct, indirect, inherited, and delegated access. In agentic environments, the chain can span humans, NHIs, tools, and downstream systems, which makes it the practical unit of governance rather than a single entitlement.
  • Dynamic system of record: A live identity record that captures how identities are being used, linked, and changed in motion, not just what was provisioned originally. For agentic AI, it has to reflect runtime delegation, behavioural context, and access-chain composition if governance is to stay current.
  • Identity vulnerability management: The practice of finding and reducing identity-specific weaknesses such as misaligned access, toxic entitlements, weak controls, and exposed credentials. In this article’s context, it extends across human, NHI, and agentic identities and focuses on behavioural risk, not just configuration state.

What's in the full article

Anetac's full blog covers the operational detail this post intentionally leaves for the source:

  • Specific deployment patterns for MCP, GitHub, and Microsoft Entra ID in agent discovery and monitoring
  • Vendor-described support model for LangChain and OpenTelemetry ingestion across agent stacks
  • Examples of how Anetac categorises identities in motion and maps access-chain behaviour
  • Forward-looking roadmap notes on Shadow AI detection and agent-to-agent support

👉 Anetac's full post covers access-chain mapping, runtime monitoring, and roadmap details for agentic identity governance

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org