Enterprise GenAI security depends on controlling machine identities

At a glance

What this is: This analysis argues that enterprise GenAI security hinges on protecting backend infrastructure, secrets, and machine identities as AI agents become more autonomous.

Why it matters: It matters because IAM teams now have to govern AI agents and supporting workloads as non-human identities with privileged access, not as ordinary application users.

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
• 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.

👉 Read CyberArk's analysis of securing enterprise GenAI backbones and AI agents

Context

Enterprise GenAI security is increasingly an identity problem. As AI agents move from assistive tools to autonomous software entities, they inherit execution authority, tool access, and access to sensitive data paths that were never designed for non-human identities at scale. That shifts the core question for IAM teams from whether the model is safe to whether the surrounding infrastructure can constrain, observe, and revoke what the agent can do.

CyberArk's article frames the issue around the GenAI backbone, meaning the APIs, models, data stores, deployment environments, and machine identities that make enterprise AI operational. That is a useful framing because these components often carry broader privileges than the application itself. For practitioners, this is not typical shadow risk. It is the predictable consequence of deploying high-trust automation into environments that still depend on static credentials and broad access grants.

Key questions

Q: How should security teams govern AI agents as non-human identities?

A: Security teams should govern AI agents like any other privileged non-human identity: assign ownership, define purpose, limit scope, and remove access when the task ends. The key is to bind each agent to a business use case, a credential lifecycle, and auditable controls so autonomy does not become standing privilege.

Q: When does GenAI create more identity risk than business value?

A: GenAI creates more identity risk than value when the organisation cannot explain who or what has access, why that access exists, and how quickly it can be revoked. If the deployment depends on permanent credentials, broad roles, or weak monitoring, the operational burden already exceeds the security margin.

Q: What is the difference between zero trust and zero standing privilege for AI agents?

A: Zero Trust Architecture assumes every request must be verified, while zero standing privilege removes persistent access entirely and provisions rights only when needed. For AI agents, the two work together: zero trust limits what the agent can reach, and zero standing privilege limits how long it can keep that reach.

Q: How can organisations reduce the blast radius of compromised GenAI credentials?

A: Organisations can reduce blast radius by shortening credential lifetime, narrowing scope, isolating sessions, and monitoring behaviour centrally. The goal is to make any compromised token useful for only a small task window, with enough logging to detect misuse before it spreads across the backend stack.

Technical breakdown

Why GenAI backbones expand the NHI attack surface

Enterprise GenAI applications sit on top of APIs, databases, deployment environments, and service integrations that already hold privileged access. When AI agents and scripts interact with that stack, each workload becomes a non-human identity with authentication, authorisation, and lifecycle requirements. The attack surface grows because compromise does not have to target the model itself. An attacker can abuse exposed tokens, over-privileged service accounts, or weak session controls to reach the infrastructure behind the model and then move through data and control planes.

Practical implication: Treat the GenAI backbone as a privileged identity environment and inventory every machine identity before broad rollout.

How AI agents change secret and access governance

AI agents are not just chat interfaces. Once they can make decisions and call tools, they need credentials that let them access downstream systems, sometimes other agents, and often sensitive data. That makes secret rotation, scope limitation, and lifecycle enforcement essential. Static API keys and long-lived tokens are especially risky because they create standing access for entities that may be ephemeral, task-scoped, or hard to observe. If the credential cannot be rotated automatically, the design should be reconsidered rather than accepted as a permanent exception.

Practical implication: Use time-bound credentials, enforce rotation, and reject permanent secrets for agents that can act on sensitive systems.

Zero trust and ZSP for autonomous workloads

Zero Trust Architecture matters here because agent behaviour cannot be assumed to remain stable. A compromised agent or backend script can look legitimate while still exceeding its intended scope. Zero Standing Privilege reduces the damage window by provisioning access only when needed and removing it when the task ends. In GenAI environments, this should be paired with session isolation, logging, and behavioural monitoring so teams can tell whether an identity is acting within its service boundary or drifting into unintended actions.

Practical implication: Apply ZSP and session monitoring to agent workflows so access is brief, observable, and revocable.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

GenAI governance is becoming NHI governance. The centre of gravity has moved from model behaviour alone to the identities and credentials that let GenAI systems operate. Once autonomous agents can call tools and access enterprise data, the relevant control domain is no longer just application security. Practitioners should govern these entities as NHIs with explicit ownership, scoping, and revocation paths.

Ephemeral software still creates standing risk if the credential is permanent. An AI agent may be temporary, but the API key, certificate, or service account it uses can outlive the task by weeks or months. That mismatch creates trust debt: the organisation continues to trust a credential whose business purpose has already changed. Teams should treat lifecycle mismatch as a control failure, not an operational inconvenience.

Least privilege is necessary but not sufficient for agentic systems. Agent-driven workflows can chain multiple reads, writes, and tool calls across systems in ways that role design alone does not capture. Access must be constrained by task, context, and time, not just by a coarse role label. Practitioners should expect to combine RBAC with policy enforcement, audit, and session controls to keep agent behaviour inside a usable blast radius.

AI agent sprawl will force governance teams to separate visibility from approval. The article’s scale assumptions are realistic: more machine identities than humans, multiple deployment environments, and growing pressure to move quickly. That combination makes manual approval workflows brittle. The field needs governance patterns that can discover, classify, and monitor agent identities continuously, then route only the highest-risk cases to human review.

Identity blast radius will become the decisive GenAI security metric. The issue is not whether an agent is intelligent enough to be useful. The issue is how much damage a compromised identity can do before detection and revocation. Teams should use blast radius as the practical test for every GenAI design choice, because that is what determines whether the deployment is governable.

From our research:

• 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• That gap makes the case for OWASP NHI Top 10 and Ultimate Guide to NHIs , Key Challenges and Risks stronger as agent deployments scale.

What this signals

Identity governance for GenAI should be designed around blast radius, not just authentication strength. As agent fleets grow, the practical challenge is not whether an identity can log in but how much damage it can do before controls intervene. Teams that already struggle with service-account sprawl should expect the GenAI layer to accelerate that problem unless they adopt discovery, short-lived access, and tighter session boundaries.

With 96% of technology professionals already seeing AI agents as a growing threat, the governance gap is now structural rather than experimental. That means security programmes need a control plane for agent identity that sits alongside workload identity and privileged access management, not inside ad hoc application teams. The likely next step is tighter alignment between NHI governance, Zero Trust Architecture, and agent approval workflows.

For practitioners

• Inventory every GenAI-related non-human identity Map APIs, service accounts, tokens, certificates, and scripts that support GenAI workloads, then assign an owner and business purpose to each identity.
• Replace standing credentials with time-bound access Use just-in-time provisioning or short-lived credentials wherever possible, and reject designs that rely on permanently assigned API keys or tokens.
• Enforce rotation for secrets tied to backend automation Set rotation SLAs for credentials used by agents, pipelines, and scripts, and escalate any secret that cannot be automatically rotated.
• Constrain agent scope to specific tasks and systems Limit each agent to the minimum tools, data sets, and environments required for the job, then revoke access immediately after task completion.
• Add behavioural monitoring to GenAI sessions Log agent actions, API calls, and privilege changes centrally so security teams can detect drift, misuse, and unauthorized access paths quickly.

Key takeaways

• Enterprise GenAI security is an identity problem first, because the infrastructure behind the model carries the privileges attackers want.
• Autonomous AI agents turn static secrets, broad roles, and weak auditability into a governance liability that scales with deployment speed.
• The most defensible response is to shorten credential lifetimes, constrain agent scope, and monitor behaviour continuously across the GenAI backbone.

Key terms

• Non-Human Identity: A non-human identity is any digital identity used by software rather than a person. In GenAI environments that includes service accounts, API keys, tokens, certificates, scripts, and autonomous agents that can authenticate, call tools, and access data under enterprise control.
• Zero Standing Privilege: Zero standing privilege is an access model in which no identity keeps persistent permissions after the job is done. For AI agents and backend automation, it reduces the window for misuse by granting access only when needed and revoking it immediately after use.
• Identity Blast Radius: Identity blast radius is the amount of damage a compromised identity can cause before it is detected and contained. In GenAI systems, it depends on credential scope, session duration, data reach, and how quickly teams can revoke access across the backbone.

Deepen your knowledge

GenAI backbone security and AI agent identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous workloads and machine identities, it is worth exploring.

This post draws on content published by CyberArk: Securing the Backbone of Enterprise GenAI. Read the original.