TL;DR: Production AI agents need an identity-aware proxy, short-lived credential vaulting, scope minimization, and first-class revocation to keep call-level activity governable, traceable, and stoppable, according to ConductorOne. The core lesson is that human session assumptions break at agent speed, so identity controls must move to the tool-call boundary.
At a glance
What this is: An analysis of the four identity primitives needed to govern AI agents in production: proxying, vaulting, scope minimisation, and revocation.
Why it matters: Agentic workflows move the control point from login sessions to runtime calls, which forces IAM, PAM, and NHI teams to redesign attribution, privilege, and kill-switch logic.
👉 Read ConductorOne's analysis of the identity primitives AI agents need in production
Context
AI agent governance is not a single control problem. Once an agent can make repeated tool calls in seconds, the traditional identity model built around a human login session stops describing what is actually happening. The issue is no longer only authentication at the front door, but authorisation, attribution, and revocation at each action boundary.
For IAM, PAM, and NHI programmes, the practical question is how to govern runtime access when the actor is a non-human workload with rapid, chained interactions across systems. That shifts the security design from static roles and periodic reviews toward call-level controls, short-lived credentials, and immediate traceability.
Key questions
Q: How should security teams govern AI agents that call enterprise tools?
A: They should govern agents at the tool boundary, not only at login. That means per-call authentication, authorisation, logging, short-lived credentials, and the ability to stop the workflow immediately if behaviour changes. A usable programme also needs attribution back to the originating human so the organisation can explain who initiated the action.
Q: Why do AI agents complicate traditional identity and access management?
A: AI agents complicate IAM because they do not behave like human sessions. They can make many rapid calls, each with different access needs, which makes static roles and periodic review cycles too slow and too coarse. The control problem becomes runtime enforcement, not just provisioning.
Q: What breaks when agents use long-lived secrets in production?
A: Long-lived secrets create standing trust that outlasts the task. If those secrets appear in files, laptops, or shared automation paths, attackers can reuse them to drive agent activity or move laterally. The result is not just exposure of a credential, but exposure of the workflows that depend on it.
Q: Who is accountable when an AI agent makes an unauthorised production change?
A: Accountability should follow the full delegation chain. The human who initiated the action, the system that issued the credential, and the platform that failed to enforce call-level control all matter. Without attribution and revocation telemetry, teams cannot separate legitimate automation from abuse.
Technical breakdown
Why session-bound identity fails for AI agent tool calls
Human identity systems assume a stable session after login, then rely on front-door authentication and later audit trails. AI agents do not behave that way. They can issue many tool calls in a short burst, each with different privilege needs and different downstream effects. That makes the call boundary the real enforcement point. An identity-aware proxy is the control that authenticates, authorises, and logs each request with full context, so the organisation can answer who triggered a change and what the agent actually touched.
Practical implication: Move enforcement from login-session checks to per-call authorisation and logging at the tool boundary.
How credential vaulting changes NHI security for agents
Agent credentials are still credentials, even when they are issued to software rather than people. The problem with long-lived secrets is not only theft, but persistence. If a service credential sits in a config file, on a laptop, or in a shared pipeline, the trust model already assumes too much. Vaulting changes that by issuing short-lived tokens on demand, binding them to the task, and expiring them quickly. That aligns agent authentication with runtime need instead of static possession.
Practical implication: Issue short-lived, task-scoped credentials so agents never carry durable secrets through production workflows.
What scope minimisation and revocation need to do together
Least privilege for agents is not a role assignment problem. It is a task-bounding problem. The agent should start with no standing access, gain only the minimum permissions needed for the current action, and lose them when the task ends. Revocation must also work at machine speed. If a workflow misbehaves, security teams need to stop the specific agent, the entire spawned chain, and the credential itself in one action. Without that combined design, the access model is too slow for the execution model.
Practical implication: Design privilege to expire with the task and make revocation operate at the agent, chain, and credential level.
Threat narrative
Attacker objective: The attacker wants to hijack agent-driven access so legitimate automation becomes a vehicle for unauthorised data access, production change, or lateral movement.
- Entry occurs when an attacker reaches an exposed agent credential or a weakly governed tool boundary, then uses that access to start agent-driven actions.
- Escalation happens when the agent inherits broader permissions than the task requires, letting the attacker drive additional tool calls and expand reach across systems.
- Impact follows when the attacker uses the agent path to perform unauthorised production writes, data access, or chained actions that are hard to distinguish from legitimate automation.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-aware proxying is the first real control plane for AI agents. The article is right to place the proxy at the centre because agent behaviour is governed at the tool-call boundary, not the session boundary. That is a structural shift for IAM and NHI programmes, and it aligns with OWASP Agentic AI Top 10 style thinking about runtime abuse. Practitioners should treat every unproxied agent call as an ungoverned access event.
Static credential assumptions collapse when the actor is an AI agent. Long-lived secrets were designed for access that persists long enough to be reviewed, rotated, and offboarded. That assumption fails when the agent acquires, uses, and discards access as part of a short-lived task sequence. The implication is not just weaker security hygiene, but a broken governance premise: review cadences no longer match the lifetime of the privilege being exercised.
Ephemeral credential trust debt: This is the hidden liability the article surfaces. The more organisations move agent activity into production, the more any durable secret becomes accumulated trust that has not been earned in real time. That debt compounds across service accounts, pipelines, and MCP-connected tools, which is why NHI governance and agent governance are converging rather than separating.
Revocation must become a first-class governance act, not an afterthought. The article correctly frames revocation as a kill switch for the agent, the chain, and the credential. That is a materially different control expectation than human offboarding or password reset logic. Security teams should read this as a warning that machine-speed execution defeats human-speed recovery unless the control plane can interrupt the workflow immediately.
AI agent governance will be judged by auditability, not by intent. The strongest programme signal here is the traceability requirement: every tool call needs attribution back to the originating human and the specific agent path. That is where NHI and human IAM meet, because accountability in delegated execution depends on both the software identity and the human who initiated it. Practitioners should expect auditors to ask for that chain first.
From our research:
- 99% of organisations are now prioritising identity security investments, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- For the lifecycle side of the problem, see Ultimate Guide to NHIs and use that baseline to harden agent revocation, scoping, and offboarding.
What this signals
Ephemeral credential trust debt: as more agents move into production, every durable secret becomes a deferred governance decision that eventually surfaces during incident response. Programmes that still rely on periodic review will find that their control timing no longer matches agent execution timing.
Identity teams should expect agent governance to converge with NHI governance rather than sit beside it as a separate discipline. The operational pattern is the same: discover the identity, bind it to scope, limit lifetime, and prove revocation happened. The difference is that agents make failures happen faster.
With NHIs outnumbering human identities by 25x to 50x in modern enterprises, the scaling problem is already here. AI agents add another layer of non-human execution that makes call-level attribution and lifecycle control mandatory, not optional.
For practitioners
- Instrument every tool boundary: Place an identity-aware proxy in front of agent tool calls so authentication, authorisation, and logging happen per request, not per session.
- Replace durable secrets with vaulted tokens: Move agent credentials out of laptops, config files, and shared pipelines, then issue short-lived tokens that expire with the task.
- Define empty-default scopes for agents: Start each agent with no standing access and add only the permissions required for the current action, then revoke them at task completion.
- Build a chain-level revocation path: Ensure operators can stop the specific agent, any spawned sub-agents, and the credential in one action when a workflow behaves unexpectedly.
- Map human attribution to machine execution: Keep trace IDs that link each agent action back to the originating user so production changes can be investigated without manual forensic reconstruction.
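As an added illustration of the controls described in the technical breakdown and in the practitioner list above (example code written for this post, not ConductorOne's or any vendor's implementation): a minimal in-memory identity-aware proxy that mints short-lived, task-scoped tokens with empty-default scope, authorises and logs every tool call with attribution to the originating human, lets a sub-agent inherit only a subset of its parent's scope within the same chain, and revokes the credential, the agent, or the whole spawned chain in one action. The names `AgentProxy`, `TaskToken` and the `tool:action` scope format are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class TaskToken:
    """Short-lived credential bound to one agent, its spawn chain, the originating human and a task scope."""
    token_id: str
    agent_id: str
    chain_id: str      # root agent of the spawned chain, so one revocation can stop the whole chain
    user_id: str       # originating human, carried on every call for attribution
    scopes: frozenset  # allowed "tool:action" pairs; empty unless explicitly granted
    expires_at: float

class AgentProxy:
    """Identity-aware proxy (assumed design): mints task-scoped tokens, then authorises, logs and revokes per call."""
    def __init__(self, ttl_seconds=60.0):
        self.ttl = ttl_seconds
        self.tokens = {}           # token_id -> TaskToken; removing an entry revokes that credential
        self.revoked_agents, self.revoked_chains = set(), set()
        self.audit_log = []        # one entry per call, allowed or denied
    def mint(self, agent_id, chain_id, user_id, scopes=(), now=None):
        now = time.time() if now is None else now
        tok = TaskToken(secrets.token_hex(8), agent_id, chain_id, user_id, frozenset(scopes), now + self.ttl)
        self.tokens[tok.token_id] = tok
        return tok
    def delegate(self, parent_token_id, child_agent_id, scopes=(), now=None):
        """Mint a sub-agent token in the parent's chain; the child may never exceed the parent's scope."""
        parent = self.tokens[parent_token_id]
        if not frozenset(scopes) <= parent.scopes:
            raise PermissionError("sub-agent scope exceeds parent scope")
        return self.mint(child_agent_id, parent.chain_id, parent.user_id, scopes, now)
    def call(self, token_id, tool, action, now=None):
        """Authorise one tool call; returns (allowed, reason) and always writes an attributed audit entry."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_id)
        reason = ("unknown_or_revoked_credential" if tok is None else
                  "expired" if now >= tok.expires_at else
                  "agent_revoked" if tok.agent_id in self.revoked_agents else
                  "chain_revoked" if tok.chain_id in self.revoked_chains else
                  "out_of_scope" if f"{tool}:{action}" not in tok.scopes else "ok")
        self.audit_log.append({"ts": now, "tool": tool, "action": action, "reason": reason,
                               "user_id": tok and tok.user_id, "agent_id": tok and tok.agent_id})
        return reason == "ok", reason
    def revoke(self, token_id=None, agent_id=None, chain_id=None):
        """Kill switch: revoke the credential, the agent and/or the whole spawned chain in one action."""
        self.tokens.pop(token_id, None)
        self.revoked_agents.update({agent_id} - {None})
        self.revoked_chains.update({chain_id} - {None})
```

Every denied call is still logged with the originating user, which is the attribution trail the auditability point above asks for.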
Key takeaways
- AI agents break the traditional assumption that identity can be governed effectively at login time rather than at the action boundary.
- Short-lived credentials, narrow scope, and immediate revocation are the controls that reduce agent blast radius in production.
- The strongest programmes will tie every agent action back to a human initiator and a machine-enforced control path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent tool-call abuse and scope control are central to this post. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived credentials and rotation are directly relevant to agent access governance. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and least privilege apply to agent execution paths. |
Map every agent tool path to runtime authorisation and block unbounded tool access.
Key terms
- Identity-aware proxy: An identity-aware proxy is an enforcement layer that authenticates and authorises each request as it happens. In agent governance, it matters because the tool call, not the login session, becomes the real unit of risk and auditability.
- Credential vaulting: Credential vaulting stores and issues secrets from a controlled system instead of exposing them directly to workloads or users. For agents, it means short-lived tokens are minted on demand, tied to a task, and removed before they can become standing trust.
- Scope minimisation: Scope minimisation is the practice of granting only the access needed for a specific action. In AI agent environments, it means replacing persistent roles with empty-default, task-scoped permissions that cannot outlive the work they were meant to support.
- First-class revocation: First-class revocation is the ability to stop an identity, its chain of delegated actions, and its credentials in one operational move. For agents, this must work at machine speed because waiting for a credential to expire can be too slow to contain harm.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by ConductorOne: Four Things Your Identity Stack Needs Before Agents Hit Production. Read the original.
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org