By NHI Mgmt Group Editorial Team
Published 2026-04-09
Domain: Agentic AI & NHIs
Source: 1Kosmos

TL;DR: Ghost agents are AI agents that keep operating after their human creator leaves, because their own API keys, service accounts, or tokens remain valid and outside standard offboarding flows, according to 1Kosmos. The failure is not just lifecycle hygiene but an ownership assumption collapse: many IAM programmes still assume deactivating a person also ends the access of what they created.


At a glance

What this is: This analysis explains why AI agents can survive employee offboarding and continue acting with valid credentials, creating orphaned runtime access.

Why it matters: It matters because IAM, PAM, and lifecycle processes that manage human accounts do not automatically govern agent-owned credentials or runtime decisions.

👉 Read 1Kosmos's analysis of ghost agents and AI offboarding risk


Context

A ghost agent is an AI agent that keeps running after its human creator has left, because the agent authenticates with its own credentials rather than the employee’s account. That means standard offboarding can close the human identity while the machine identity remains active, which breaks the basic ownership model many IAM programmes still rely on.

The governance gap is not just inventory blindness. It is the gap between knowing an agent exists and being able to stop it, review it, or prove who is accountable for its actions after the owner departs. For teams building NHI controls, this is a lifecycle and runtime authorisation problem, not a simple deprovisioning task.


Key questions

Q: What breaks when an AI agent outlives the employee who created it?

A: The break point is accountability. The employee’s account can be deactivated while the agent’s own credentials remain valid, so the workflow keeps running with no current owner to approve, review, or stop it. That creates orphaned access, hidden runtime authority, and a gap between identity lifecycle controls and actual system behaviour.

Q: Why do ghost agents complicate offboarding and recertification?

A: They complicate both because standard lifecycle processes are built around people, not autonomous workflows with separate credentials. Offboarding removes the employee, but recertification often never lists the agent at all. As a result, the organisation closes the human identity while the machine identity continues to act.

Q: How can security teams tell whether an AI agent is still governed properly?

A: Look for a current named owner, a visible inventory entry, documented credentials, and a revocation path tied to employment status or sponsorship changes. If the agent can keep acting after the owner leaves, governance is incomplete. Runtime activity, not just directory records, is the deciding signal.

Q: Who is accountable when a ghost agent makes a bad purchase or change?

A: Accountability should rest with the current business owner and the control process that allowed the agent to remain active after the human creator left. If there is no current owner, the organisation has a governance failure, not just a technical one. That is why agent lifecycle controls must be explicit and auditable.


Technical breakdown

Why offboarding fails when the agent has its own credentials

Traditional offboarding revokes the employee’s account, badge, email, and device access. It does not necessarily touch an AI agent that authenticates independently with an API key, OAuth token, or service account password. In this model, the agent is not a session attached to the person. It is a separate identity with its own authentication path, its own stored secrets, and its own permission set. That is why the agent can continue to act even after the creator is removed from the directory.

Practical implication: Map every agent to its own credentials and treat agent offboarding as a separate control path from employee offboarding.

Why access reviews miss orphaned AI agents

Access reviews are built to certify the access of named people or well-managed shared accounts. Ghost agents often sit outside that review surface because the manager attests to the employee’s access, not to the autonomous workflows the employee created. Once the person leaves, the review cadence has already passed and the agent remains active until someone discovers it through behaviour, cost, or incident response. The technical flaw is that governance is checking ownership records, while the real risk lives in runtime permissions.

Practical implication: Expand recertification to include agent inventories, agent owners, and runtime entitlements, not just human user access lists.

How credential persistence turns departure into ongoing exposure

Ghost agents become dangerous because valid credentials keep working after the creator leaves. If those secrets are stored in configuration files, secrets managers, or embedded scripts, rotation may refresh them without recognising that the identity behind them is now orphaned. That preserves access rather than removing it. The result is a machine identity that can continue to purchase, provision, message, or modify systems long after accountability has ended.

Practical implication: Tie secret rotation to ownership status and decommission agent credentials when the human owner is no longer active.


Threat narrative

Attacker objective: The objective of an attacker, or the failure state when no attacker is involved, is that a still-valid autonomous workflow keeps acting without oversight, accountability, or prompt containment.

  1. Entry occurs when an employee creates an AI agent and grants it its own valid credentials for procurement, infrastructure, or customer workflows.
  2. Credential access persists after offboarding because the agent continues authenticating independently through API keys, OAuth tokens, or service account passwords.
  3. Impact follows when the orphaned agent keeps spending, provisioning, or communicating without any living owner able to review or stop its actions.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Ghost agent governance exposes a runtime ownership gap, not just an inventory gap. The core failure is that many identity programmes can tell you who created an agent but cannot stop the agent once its owner leaves. That leaves a separate machine identity active after the human identity has been closed. Practitioners need to treat agent existence and agent execution as different control planes.

Lifecycle controls built for humans do not close down autonomous runtime access. Access reviews, manager attestation, and standard offboarding were designed around human accounts with clear end states. Ghost agents keep functioning because the real access is tied to credentials that survive the employment relationship. The implication is that lifecycle governance must extend to the identities the human created, not only the human identity itself.

Credential persistence is the specific failure mode this pattern reveals. The credentials are valid, the workflow still runs, and the system sees a legitimate request even though the business owner is gone. That is why the problem is better described as orphaned NHI persistence than as simple misconfiguration. The practitioner conclusion is that ownership, credential validity, and runtime authority must be broken apart in governance.

Agentic behaviour changes the governance question from revocation to continuity control. Once an AI agent can act after its creator leaves, the question is no longer whether the account was disabled. It is whether the organisation has a control that invalidates the agent’s ability to continue independently. That shifts the discipline from directory hygiene to runtime trust boundaries across NHI and agentic AI.

Offboarding without agent decommissioning creates an identity afterlife. The organisation may believe the employee is gone, yet the agent continues to transact, reply, or provision as if nothing changed. That is a structural failure in accountability, because there is no current human who can attest to the agent’s decisions. Practitioners should read this as a governance design flaw, not an edge case.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • That pattern makes the NHI Lifecycle Management Guide the right next step for teams building revocation, offboarding, and ownership controls.

What this signals

Ghost agent persistence is a lifecycle design problem, not an isolated incident class. If an organisation cannot prove that an AI agent stops when its human sponsor leaves, then the programme has a control blind spot between identity lifecycle and runtime authority. Teams should reassess whether their ownership model can survive delegation to systems that continue acting after the user record disappears, and pair that review with the NHI Lifecycle Management Guide.

Ephemeral credential trust debt: the longer a credential can survive owner departure, the more residual authority accumulates outside governance. That is why short-lived access matters, but only when the organisation can also identify which credentials belong to which agent and who is accountable for them. For teams aligning to external guidance, the NIST AI Risk Management Framework is useful for framing governance ownership, while OWASP Top 10 for Agentic Applications 2026 helps structure agent misuse and tool abuse risk.

The practical signal is simple: if your agent inventory cannot be reconciled against active employee sponsorship, you do not have governance, you have discovery. Organisations that already see NHI sprawl should treat ghost agents as the next expression of the same problem, with the added complication that the workflow itself can continue to make decisions after the owner is gone.


For practitioners

  • Build a separate agent offboarding path: Create a decommissioning workflow for AI agents that is independent of employee offboarding and includes credential revocation, owner validation, and service-side disablement for every agent instance.
  • Bind every agent to a current accountable owner: Require each agent to have one living owner in the identity system, with automated alerts when the owner leaves, changes role, or loses eligibility to sponsor the workflow.
  • Inventory agent-owned credentials and stored secrets: Scan configuration files, secrets managers, code repositories, and workflow platforms for agent credentials, then classify them by owner, scope, and expiry so orphaned access can be removed.
  • Extend access reviews to runtime entitlements: Add agent entitlements to recertification so reviewers can see which systems the agent can call, what it can spend or modify, and whether that access is still justified.
  • Use short-lived credentials for agent execution: Replace persistent secrets with time-bound credentials that can be invalidated when the owner's status changes, reducing the window in which a ghost agent can continue to act.
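The three failure modes in the technical breakdown (independent credentials, recertification that never lists the agent, rotation that refreshes an orphaned identity) and the practitioner controls above all reduce to one check: reconcile the agent inventory against current employee sponsorship, and decide at execution time whether the sponsor is still active. The following is an added example written for this article; it is not code from 1Kosmos or from NHI Mgmt Group. Every type, field name and record in it is constructed for illustration (the employee directory, the agent inventory with its credentials and last-seen timestamps, and the one-day default TTL are all assumptions), so map them onto your own directory, secrets-manager and gateway-log exports before use.

```python
"""Reconcile an AI-agent inventory against employee sponsorship status.
Added example for this article, not code from 1Kosmos or NHI Mgmt Group; all
types, field names and records are constructed, so map them to your own exports.
"""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Employee:
    user_id: str
    active: bool
    terminated_at: Optional[datetime] = None

@dataclass(frozen=True)
class Credential:
    cred_id: str
    issued_at: datetime             # last issue or rotation time
    expires_at: Optional[datetime]  # None: the secret never expires

@dataclass(frozen=True)
class Agent:
    agent_id: str
    owner_id: str                   # human sponsor recorded in the inventory
    credentials: Tuple[Credential, ...]
    last_seen: datetime             # most recent authenticated call (gateway logs)

Finding = namedtuple("Finding", "agent_id cred_id reason action")

def reconcile(agents: List[Agent], directory: Dict[str, Employee],
              max_ttl: timedelta = timedelta(days=1)) -> List[Finding]:
    """Flag agent credentials whose governance no longer holds.
    orphaned: sponsor missing or deactivated -> revoke
    rotated_orphan: secret (re)issued after the sponsor left, rotation kept access -> revoke
    active_orphan: orphaned agent still authenticating after departure -> disable agent
    no_expiry: persistent secret with no expiry -> replace with short-lived
    long_lived: expiry window longer than max_ttl -> shorten ttl
    """
    findings: List[Finding] = []
    for agent in agents:
        owner = directory.get(agent.owner_id)
        orphaned = owner is None or not owner.active
        left_at = owner.terminated_at if owner is not None else None
        for c in agent.credentials:
            if orphaned:
                findings.append(Finding(agent.agent_id, c.cred_id, "orphaned", "revoke"))
                if left_at is not None and c.issued_at > left_at:
                    findings.append(Finding(agent.agent_id, c.cred_id, "rotated_orphan", "revoke"))
            if c.expires_at is None:
                findings.append(Finding(agent.agent_id, c.cred_id, "no_expiry", "replace_with_short_lived"))
            elif c.expires_at - c.issued_at > max_ttl:
                findings.append(Finding(agent.agent_id, c.cred_id, "long_lived", "shorten_ttl"))
        if orphaned and left_at is not None and agent.last_seen > left_at:
            findings.append(Finding(agent.agent_id, "*", "active_orphan", "disable_agent"))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by reason; anything non-empty means governance is incomplete."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts

def allow_action(agent: Agent, cred: Credential, directory: Dict[str, Employee],
                 now: datetime) -> Tuple[bool, str]:
    """Runtime authorization: a valid secret is not enough, the sponsor must be active now."""
    owner = directory.get(agent.owner_id)
    if owner is None or not owner.active:
        return False, "owner_inactive"
    if cred.expires_at is not None and cred.expires_at <= now:
        return False, "credential_expired"
    return True, "ok"

def d(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data (no real identities or secrets).
NOW = d(2026, 4, 9)
DIRECTORY = {
    "alice": Employee("alice", active=True),
    "bob": Employee("bob", active=False, terminated_at=d(2026, 3, 1)),
    # "carol" has no directory record at all
}
AGENTS = [
    # bob's key was rotated two weeks after he left, never expires, still in use
    Agent("procure-bot", "bob", (Credential("key-001", d(2026, 3, 15), None),), last_seen=d(2026, 4, 1)),
    # sponsored, but carrying a one-year secret
    Agent("infra-bot", "alice", (Credential("sa-002", d(2026, 1, 1), d(2027, 1, 1)),), last_seen=d(2026, 4, 8)),
    # sponsor unknown to the directory; one-day token, long expired
    Agent("notify-bot", "carol", (Credential("tok-003", d(2026, 2, 1), d(2026, 2, 2)),), last_seen=d(2026, 2, 1)),
]

if __name__ == "__main__":
    for f in reconcile(AGENTS, DIRECTORY):
        print(f"{f.agent_id:12} {f.cred_id:8} {f.reason:15} -> {f.action}")
    print(summarize(reconcile(AGENTS, DIRECTORY)))
```

Two design points matter more than the data model. First, `rotated_orphan` is a separate finding from `orphaned` because it is the case the article singles out: a rotation job that refreshed a secret after its sponsor left has preserved access, and a review that only checks "was the secret rotated recently" will mark it healthy. Second, `allow_action` re-reads the directory on every call rather than trusting the inventory record, which is the difference between being listed and being allowed to act now; in a real deployment that lookup sits in the gateway or token-issuing service in front of the agent, not in a batch job.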

Key takeaways

  • Ghost agents show that offboarding a person does not automatically end the authority of the AI systems they created.
  • The scale of the problem is already large enough that dormant agent credentials and orphaned workflows can create real financial, security, and compliance exposure.
  • Teams need separate lifecycle controls for agents, because runtime revocation and accountable ownership are what stop the identity afterlife.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 |  | Ghost agents reflect agent ownership and runtime authority risk.
OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI7 (Long-Lived Secrets) | Offboarding and credential lifecycle gaps drive ghost agent persistence.
NIST CSF 2.0 | PR.AA | Identity and access assurance must cover both human and machine identities.

Extend identity governance to agent entitlements, ownership, and revocation evidence.


Key terms

  • Ghost Agent: An AI agent that continues operating after the employee who created it has left or lost sponsorship. The agent keeps its own credentials, so human offboarding does not automatically stop its runtime actions. In governance terms, it is an orphaned machine identity with unresolved accountability.
  • Runtime Authorization: The control decision that allows or blocks an identity’s action at the moment it tries to execute. For AI agents, this matters more than static ownership records because the agent may keep acting after the human owner is gone. It is the difference between being listed and being allowed to do something now.
  • Orphaned NHI: A non-human identity that still has valid access but no current accountable owner. It may be a service account, token, API key, or AI agent credential that survived a lifecycle change. Orphaned NHIs are dangerous because no current person can reliably attest to their use or revoke them quickly.
  • Identity Afterlife: The period in which a digital identity continues to act after the human or business relationship that justified it has ended. In AI agent governance, this describes the gap between employee departure and the actual shutdown of the agent’s access, permissions, and operational authority.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: Ghost agents and runtime identity governance for AI agents. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org