By NHI Mgmt Group Editorial TeamPublished 2026-06-27Domain: Agentic AI & NHIsSource: Semperis

TL;DR: Agent identities sit at the centre of a fast-moving governance problem because attackers already target identity systems to control access, and Microsoft’s Agent ID preview still leaves changing behaviours and APIs in play, according to Semperis. The critical gap is that agent identities are not people, so human IAM assumptions no longer hold.


At a glance

What this is: A practical guide to Entra ID agent identities and the identity-security risks they create in Microsoft environments.

Why it matters: It matters because IAM teams must govern agent identities alongside human and workload identities without assuming people-based controls will translate cleanly.

👉 Read Semperis' guide to Entra ID agent identities and attack paths


Context

Entra ID agent identities are machine identities, not human users, and that distinction changes how access, authentication, and governance should be handled. The article frames these identities as part of a broader identity security problem in Microsoft environments, where control of identity infrastructure can become control of the network.

That matters for IAM programmes because agent identities sit between traditional workload identity patterns and emerging AI-agent behaviour. The governance challenge is not only how to create them, but how to keep their permissions, tokens, and lifecycle aligned with operational reality as Microsoft’s preview features continue to evolve.


Key questions

Q: How should security teams govern Entra ID agent identities in production?

A: Treat agent identities as machine identities with explicit ownership, scoped permissions, and a documented lifecycle. Validate token claims, keep registration records aligned to the actual object used at runtime, and fold reviews into existing Entra ID governance rather than creating a separate exception path. The goal is traceable authority, not just successful creation.

Q: What breaks when agent identities are managed like ordinary user accounts?

A: Human account controls assume a person, a predictable login pattern, and a review cycle tied to employment or role change. Agent identities do not fit that model, so ownership, delegation, and offboarding become unclear. The result is weak accountability and a higher chance that permissions persist longer than intended.

Q: When should teams treat an Entra ID agent identity as too immature for production use?

A: Use that threshold when the registration process, token behaviour, and offboarding path are still changing or cannot be verified consistently in your tenant. If a feature is in preview and you cannot prove repeatable identity behaviour, production reliance creates governance risk. Stable control should follow stable object behaviour.

Q: Who should own access reviews for agent identities in Entra ID?

A: Access reviews should sit with the identity or platform team that can verify object ownership, delegated authority, and downstream use. The review must include the agent identity itself, the principal behind it, and any related service or application object. Without that chain, certification becomes a paper exercise instead of governance.


Technical breakdown

Entra ID agent identities and the agent registry model

The guide describes agent identities as first-class objects in Entra ID, with related concepts such as blueprint, principal, agent identity, and agent user used to keep the objects consistent across the walkthrough. That model matters because it gives administrators a way to separate the agent itself from the person or workflow that creates it. In practice, the agent registry is the control plane for registration, visibility, and later verification. When identity objects are split across multiple IDs and roles, governance fails if teams cannot tell which object owns which privilege or token relationship.

Practical implication: map each agent identity to a unique lifecycle owner and verify that the registry model matches how permissions are actually assigned.

Token claims and authentication flows for agent identities

The article highlights three authentication flows and asks readers to verify tokens and claims across them. That is the right focus because agent identities are only governable if claims reliably identify the actor, the scope, and the authentication path. In Microsoft environments, token shape matters as much as registration, since a weak or ambiguous claim set can blur the line between an approved agent and a broadly privileged service principal. For security teams, this is where identity proof and authorization context intersect, and where preview behaviour needs validation in the tenant rather than assumption from documentation alone.

Practical implication: validate token claims in your own tenant before relying on them for access decisions, logging, or conditional policy.

Where Entra ID agent identities can fail in practice

The guide warns that behaviours, APIs, and UI elements may change while Agent ID remains in public preview. That creates a governance risk that is easy to underestimate because the underlying identity object can outlive the operational assumptions built around it. In identity programmes, preview features often create false confidence when registration succeeds but downstream observability, access scoping, or offboarding is still immature. The failure mode is not just technical instability. It is governance drift, where the organization treats a moving target as if it were a stable identity pattern.

Practical implication: treat preview-based agent identities as controlled exceptions until their registration, claims, and offboarding behaviour are stable and tested.


NHI Mgmt Group analysis

Entra ID agent identities are not a new flavour of user account, they are a separate governance problem. The article is right to insist that these identities are not people, because human IAM assumptions about authentication flow, review cadence, and accountability do not map cleanly onto them. Once an identity can act on behalf of software behaviour rather than a person, the programme needs to treat it as a machine identity with its own lifecycle and oversight. Practitioner conclusion: govern agent identities with machine-identity controls, not user-centric shortcuts.

The real risk is identity boundary confusion, not just preview instability. Semperis’ walkthrough shows how blueprint, principal, agent identity, and agent user can become easy to conflate if the registry model is not understood. That confusion creates permission drift because teams lose track of which object owns registration, execution, and delegated access. Practitioner conclusion: require object-level ownership and entitlement traceability before allowing agent identities into production.

Agent identity governance sits on the same control plane as broader Entra ID risk. The article opens by noting that attackers target identity infrastructure because identity compromise can cascade into full-environment control. That means agent identities should be reviewed in the same programme context as service principals, enterprise applications, and other workload identities, not as a separate AI-only exception. Practitioner conclusion: fold agent identity reviews into existing identity security operations rather than creating an isolated process.

Public preview features create a governance assumption gap that security teams often miss. The preview status means behaviours, APIs, and UI elements can change, so the assumption that an identity pattern is stable enough for durable control is already under pressure. This is not a call for more tooling, it is a reminder that governance models need evidence of repeatable behaviour before they can be trusted. Practitioner conclusion: treat preview agent identities as controlled research objects until the operational model is proven.

Named concept: agent identity control boundary. This is the point where registration, claims, and delegated permissions stop being a neat platform feature and start becoming a security boundary that must be explicitly owned. The article’s checkpoints show why that boundary matters: without it, teams cannot distinguish identity creation from identity authority. Practitioner conclusion: define the boundary in policy before you depend on it for production access.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why agent identity programmes fail when governance cannot see every machine identity in scope.
  • For a broader control baseline, review Top 10 NHI Issues to see how visibility, rotation, and ownership failures compound across non-human identity programmes.

What this signals

Agent identity programmes will fail if they inherit human IAM assumptions. The operational signal to watch is whether your team can map every agent identity to a named owner, a distinct permission set, and a verifiable offboarding path. If that chain is missing, the programme is already drifting from control into ambiguity.

With 5.7% of organisations reporting full visibility into service accounts, according to the Ultimate Guide to NHIs, the same visibility problem is likely to appear quickly around agent identities unless they are absorbed into the core identity catalogue.

Agent identity control boundary: if this boundary is not explicit in policy, preview features will be treated as production identities before their behaviour is stable. That is where governance debt accumulates fastest, especially when identity, authentication, and authorisation are separated across multiple Microsoft objects.


For practitioners

  • Inventory agent identity objects separately from users and service principals Create a distinct register for blueprint, principal, agent identity, and agent user objects so ownership and scope are traceable across the lifecycle.
  • Validate claims across every authentication flow Test the token claims produced by each flow in a non-production tenant and confirm they reliably identify the agent, the scope, and the intended action.
  • Treat preview behaviours as provisional control points Do not base production approvals on agent identity behaviours, APIs, or UI paths that Microsoft still classifies as preview until they have been tested for persistence and offboarding.
  • Fold agent identities into existing Entra ID governance reviews Include agent identities in access reviews, entitlement checks, and identity operations so they are governed alongside other non-human identities rather than in a separate AI workstream.

Key takeaways

  • Entra ID agent identities need machine-identity governance, not human user assumptions, because their lifecycle and authority do not map cleanly to ordinary IAM patterns.
  • Preview-stage identity features create governance drift when teams rely on behaviour they have not yet verified in their own tenant.
  • Operational control depends on object-level traceability across registration, claims, permissions, and offboarding, not on successful creation alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Agent identities and their lifecycle are core non-human identity governance concerns.
NIST Zero Trust (SP 800-207)PR.AC-4Token claims and scoped access align with continuous verification for identity-bound access.
NIST CSF 2.0PR.AC-1Identity governance and access enforcement are central to Entra ID agent control.

Catalog agent identities as NHIs and assign lifecycle ownership before enabling production access.


Key terms

  • Agent identity: An agent identity is the non-human identity used to represent an AI agent or software actor inside an identity system. It carries authentication state, permissions, and lifecycle ownership separately from any human user who may have created or configured it.
  • Agent registry: An agent registry is the control layer where agent identities are created, tracked, and associated with their permissions and relationships. In practice, it is the governance point that helps security teams distinguish the object that exists from the authority it can exercise.
  • Token claims: Token claims are the identity attributes embedded in an authentication token that describe who or what the token represents and what it can do. For agent identities, claims must be precise enough to support reliable authorization, logging, and review.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, machine identity security, IAM, and identity lifecycle. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Semperis: Entra ID agent identities and the attacks that target them. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org