By NHI Mgmt Group Editorial Team
Published 2026-01-06
Domain: Agentic AI & NHIs
Source: Clutch Security

TL;DR: Google’s AI Agent Trends 2026 report frames a future of agent-to-agent workflows, but the security reality is that enterprises already operate at roughly a 50:1 non-human-to-human identity ratio, with each agent adding more credentials, permissions, and trust boundaries, according to Clutch Security. The real issue is not agent capability, but whether IAM, secrets, and governance models can keep pace with identities that multiply faster than teams can inventory them.


At a glance

What this is: Google’s agent vision points to a rapid expansion in non-human identities, with the key finding that every useful agent still depends on credentials, permissions, and governance that most enterprises cannot yet track cleanly.

Why it matters: IAM, NHI, autonomous, and human identity programmes all converge here because agent adoption increases identity sprawl, widens trust boundaries, and exposes ownership gaps that current access models were not built to absorb.

By the numbers:



Context

Google’s agentic vision is not the problem by itself. The governance gap appears when each AI agent needs its own credentials, entitlements, and ownership trail, while most enterprises still struggle to keep non-human identity inventories accurate across cloud, SaaS, and development environments. In practice, this is a question of agentic AI governance: not whether agents can work, but whether their access can be governed at runtime and at scale.

The report’s A2A and MCP framing matters because both expand the number of trust boundaries that identity teams must account for. As agents communicate across organisational and system boundaries, the security model shifts from single application access to delegated machine-to-machine authorisation, where secrets, tokens, and service accounts become the real control plane. That is already difficult for NHI programmes; it becomes harder when the actor can orchestrate multiple downstream tools in a single workflow.


Key questions

Q: How should security teams govern AI agents that depend on multiple credentials?

A: Security teams should treat each agent as a governed non-human identity with its own lifecycle, owner, and scope. The practical test is whether the agent can act only within the business task it was assigned, with credentials that are limited, monitored, and revoked when the task ends. Broad, reusable access turns agent productivity into identity sprawl.

Q: Why do AI agents increase non-human identity risk so quickly?

A: AI agents increase risk because they do not replace existing credentials, they consume more of them while expanding the number of systems a single workflow can touch. That creates more places for secrets to be stored, more opportunities for overpermissioning, and more paths for unaudited access. The result is faster NHI growth without matching governance maturity.

Q: What breaks when agent access is not tied to ownership and lifecycle?

A: When ownership is unclear, access reviews cannot confirm who approved the credential, who is accountable for its use, or when it should be removed. That creates persistent access even after the workflow changes or the sponsoring employee moves on. In practice, the control failure is not just overprovisioning, but orphaned machine access.

Q: How should organisations respond when agents start chaining tools across systems?

A: They should assume the trust boundary has expanded and require auditability at every step of the chain. That means logging credential use, downstream API calls, and data access so the organisation can reconstruct behaviour after the fact. Without that, an agent workflow becomes difficult to contain, investigate, or certify.


Technical breakdown

Model Context Protocol and agent-to-agent trust boundaries

Model Context Protocol, or MCP, standardises how AI systems connect to tools, data sources, and internal services. That convenience creates a security problem: the agent is no longer a conversational interface only, but a runtime identity requesting authenticated access to production assets. In that model, the real control point is not the prompt, it is the credential, the scope attached to that credential, and the downstream system that accepts it. A2A expands the issue further by allowing one agent to depend on another, which multiplies delegation paths and complicates accountability when access is misused.

Practical implication: map every MCP and A2A connection to a named owner, an explicit scope, and a revocation path before broad rollout.

Why agent growth turns NHI sprawl into governance debt

Most organisations already have a fragmented NHI estate made up of API keys, OAuth tokens, service accounts, and certificates. Agentic workflows do not replace that estate, they sit on top of it and consume more of it. Every specialised agent needs at least one credential, and many will need several to complete a multi-step task across systems. That means the problem is not just volume. It is untracked ownership, inconsistent expiration, and access that outlives the business need it was created for. Once that happens, the identity inventory becomes a liability rather than a control.

Practical implication: treat each agent as a new NHI lifecycle object and tie it to provisioning, review, rotation, and decommissioning.

Agent visibility is the control that makes scale governable

Agentic systems are useful only when they can act across systems, but that same breadth makes them hard to audit after the fact. If teams cannot see which credentials an agent used, what data it touched, and which downstream actions it triggered, they lose both compliance evidence and breach reconstruction ability. This is why the governance conversation cannot stop at authentication. Visibility into identity usage, entitlement drift, and anomalous execution is the difference between controlled scale and uncontrolled sprawl. Security teams need an identity model for machines that is closer to continuous governance than to one-time provisioning.

Practical implication: enforce auditability at the credential layer, not just the application layer, so each agent action is traceable end to end.


Threat narrative

Attacker objective: The objective is to exploit agent-driven access paths to reach sensitive systems and data through legitimate credentials that security teams did not scope tightly enough.

  1. Entry occurs when a legitimate agent credential is issued for a workflow that now spans multiple systems and data sources.
  2. Escalation happens when that credential is reused beyond the original task scope, or when the agent chains into additional tools without fresh governance checks.
  3. Impact follows when the expanded access path exposes sensitive data, alters production workflows, or creates unauditable downstream actions across the enterprise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Google’s agent vision confirms that agentic AI is really an NHI governance problem at enterprise scale. The report is framed around productivity, but every workflow it describes depends on identities, credentials, and permissions that must be provisioned, owned, and retired. That shifts the centre of gravity from application design to identity governance, because the operational question is who or what is authorised to act at each step. Practitioners should read the report as a demand signal for stronger NHI lifecycle control, not as a proof that agents are ready for broad trust.

The 50:1 ratio is a useful warning, but the more important signal is that agents accelerate an existing identity debt. Enterprises already struggle with fragmented secrets management, weak ownership, and delayed secret remediation. Agent adoption multiplies the number of credentials in play and shortens the window in which weak governance remains visible. The practitioner conclusion is simple: if the NHI estate is already opaque, agentic expansion will not just add volume, it will amplify existing blind spots.

Identity blast radius is the concept practitioners should use here. The issue is not merely how many agents exist, but how far any one credential can reach once an agent begins chaining tools, systems, and workflows. A small permission mistake can fan out across several services because the agent can execute across boundaries faster than review cycles can intervene. Security teams should therefore treat every new agent as a potential blast-radius multiplier, not as a single endpoint identity.
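One way to make identity blast radius measurable is to treat it as reachability over the delegation graph. The following is an added example, not code from Clutch Security or NHI Mgmt Group; the graph, node names and the `cred:`/`agent:`/`mcp:`/`system:` prefixes are constructed for illustration.

```python
from collections import deque

# Constructed delegation graph: an edge means the source can invoke the target
# (credential -> agent, agent -> agent via A2A, agent -> MCP tool -> system).
DELEGATION = {
    "cred:reporting-agent-token": ["agent:reporting"],
    "agent:reporting": ["mcp:crm-read", "agent:retrieval"],
    "agent:retrieval": ["mcp:warehouse-query", "mcp:ticketing"],
    "mcp:crm-read": ["system:crm"],
    "mcp:warehouse-query": ["system:data-warehouse"],
    "mcp:ticketing": ["system:ticketing"],
    "cred:build-bot-key": ["agent:build"],
    "agent:build": ["mcp:ci"],
    "mcp:ci": ["system:ci"],
}


def blast_radius(graph, credential, max_hops=None):
    """Return {system: hops} for every system reachable from a credential."""
    depth = {credential: 0}
    queue = deque([credential])
    while queue:
        node = queue.popleft()
        if max_hops is not None and depth[node] >= max_hops:
            continue  # do not follow chains deeper than the hop limit
        for nxt in graph.get(node, []):
            if nxt not in depth:  # visited check also stops delegation cycles
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return {n: d for n, d in depth.items() if n.startswith("system:")}


def over_reach(graph, credential, approved_systems):
    """Systems reachable by chaining that were never approved for the credential."""
    return sorted(set(blast_radius(graph, credential)) - set(approved_systems))


if __name__ == "__main__":
    cred = "cred:reporting-agent-token"
    print(blast_radius(DELEGATION, cred))
    print(over_reach(DELEGATION, cred, ["system:crm"]))
```

Here a token approved only for the CRM also reaches the data warehouse and ticketing system through one A2A hop, which is the fan-out the paragraph describes.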

Access review processes were designed for identities that persist long enough to be observed, certified, and recertified. That assumption holds for many human and machine identities, but it weakens when organisations deploy agents that can be created, delegated, and retired in workflow-like bursts. The implication is not simply to add another review step. It is to rethink whether periodic governance alone can keep pace with identities that are assembled for short-lived operational tasks.

Google’s report signals that the market is moving toward agent orchestration, but the governance market is still organised around static entitlements. That mismatch will push identity teams to re-evaluate where ownership lives, how credentials are bound to use cases, and which systems can actually prove what an agent did. Practitioners should expect procurement pressure to rise before control maturity does, which makes policy design and visibility the deciding factors.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For broader context on where this is heading, see Ultimate Guide to NHIs, 2025 Outlook and Predictions for the identity and governance pressures that scale with agent adoption.

What this signals

With 98% of companies planning to deploy even more AI agents within the next 12 months, governance programmes will be judged on whether they can absorb growth without losing ownership, scope, or auditability. That makes lifecycle control, not enthusiasm, the real readiness metric.

Identity blast radius: the practical challenge is how far a single agent credential can reach before containment fails. If your programme cannot show where access begins, how it is delegated, and where it ends, the next wave of agent adoption will outpace your control model.

The forward signal is that security teams will need to connect NHI governance with AI policy, because agent access decisions now determine both operational speed and investigation quality. The organisations that win will be the ones that can prove which identity acted, what it touched, and why that access still existed.


For practitioners

  • Inventory every agent-related identity now. Build a live register of API keys, OAuth tokens, service accounts, and certificates used by agent workflows. Include owner, purpose, business system, rotation schedule, and decommission trigger so the inventory can support both access review and incident response.
  • Bind each agent to least-privilege scopes. Separate the credentials used for planning, retrieval, execution, and reporting so one agent cannot reuse broad access across the full workflow. Review whether any credential can reach production systems, customer data, or internal APIs without a clearly justified business need.
  • Monitor delegated access across A2A and MCP paths. Track where agent-to-agent communication and Model Context Protocol connections expand the trust boundary. Log credential use, downstream tool calls, and cross-system actions so you can reconstruct which identity initiated each step and where scope expanded.
  • Tie agent lifecycle to human ownership. Assign a named business owner and a technical owner to every production agent. Require offboarding when the use case ends, the workflow changes, or the employee who sponsored it leaves, so credentials do not persist beyond their justified purpose.
  • Set review triggers for workflow change, not just time. Trigger recertification when an agent’s task graph changes, when it touches a new data domain, or when a downstream tool is added. Periodic reviews alone will miss the moment when a narrow workflow becomes a broad delegation chain.
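A register check that combines the inventory, ownership, and change-triggered review items above could look like the following. It is an added example, not code from Clutch Security or NHI Mgmt Group; the identities, owners, field names and finding labels are constructed, and it assumes credential-layer logs have already been summarised into the tools and data domains each identity used.

```python
from datetime import date

# Constructed register; "tools" and "domains" record what was in scope when
# access was last certified (an assumption of this example).
REGISTER = [
    {"id": "svc-reporting-agent", "owner": "a.khan", "rotated": date(2025, 11, 20),
     "rotation_days": 90, "tools": {"crm-read"}, "domains": {"sales"}},
    {"id": "key-build-agent", "owner": "", "rotated": date(2025, 6, 1),
     "rotation_days": 90, "tools": {"ci"}, "domains": {"source"}},
    {"id": "oauth-support-agent", "owner": "j.ortiz", "rotated": date(2025, 12, 15),
     "rotation_days": 30, "tools": {"ticketing"}, "domains": {"support"}},
    {"id": "cert-billing-agent", "owner": "a.khan", "rotated": date(2025, 12, 1),
     "rotation_days": 60, "tools": {"billing-api"}, "domains": {"finance"}},
]
# Constructed summary of what credential-layer logs show each identity using.
OBSERVED = {
    "svc-reporting-agent": {"tools": {"crm-read", "warehouse-query"},
                            "domains": {"sales", "finance"}},
    "key-build-agent": {"tools": {"ci"}, "domains": {"source"}},
    "oauth-support-agent": {"tools": {"ticketing"}, "domains": {"support"}},
    "cert-billing-agent": {"tools": {"billing-api"}, "domains": {"finance"}},
}
ACTIVE_OWNERS = {"a.khan"}  # constructed: j.ortiz has left the organisation


def audit(register, observed, active_owners, today):
    """Return {identity id: [findings]} for entries that need action."""
    findings = {}
    for entry in register:
        issues = []
        if not entry["owner"]:
            issues.append("no-owner")
        elif entry["owner"] not in active_owners:
            issues.append("owner-departed")  # sponsor left: offboard or reassign
        if (today - entry["rotated"]).days > entry["rotation_days"]:
            issues.append("rotation-overdue")
        seen = observed.get(entry["id"], {"tools": set(), "domains": set()})
        # Change-driven recertification: usage outside the certified baseline.
        for kind in ("tools", "domains"):
            for extra in sorted(seen[kind] - entry[kind]):
                issues.append(f"recertify:new-{kind[:-1]}:{extra}")
        if issues:
            findings[entry["id"]] = issues
    return findings
```

Run on every log summary rather than on a calendar, the check raises the recertification finding at the moment a new tool or data domain first appears.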

Key takeaways

  • Agentic AI is widening the non-human identity problem, not replacing it, because every useful agent still depends on credentials, scopes, and lifecycle control.
  • The scale signal is already visible: enterprises are planning more agents even as governance, auditability, and ownership remain incomplete.
  • Practitioners should respond by treating agents as governed identities with explicit owners, limited access, and traceable activity across every connected system.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent-to-agent and MCP trust boundaries are core agentic AI security concerns. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent credentials are non-human identities that must be inventoried and owned. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification is needed when agents access multiple systems through delegated trust. |

Map every agent workflow to explicit identity, tool, and delegation controls before production use.


Key terms

  • Agentic AI Governance: Agentic AI governance is the discipline of controlling AI systems that can plan and act across tools without constant human prompting. It extends identity governance into runtime decisions, requiring ownership, scope, auditability, and revocation for the credentials the agent consumes.
  • Non-Human Identity: A non-human identity is any credentialed digital entity that acts on behalf of software, infrastructure, or an automated workflow. In practice, that includes API keys, service accounts, tokens, certificates, and AI agents, all of which need ownership, lifecycle control, and traceable access boundaries.
  • Identity Blast Radius: Identity blast radius is the amount of damage a single credential or entitlement can cause once it is misused or overextended. For agents, the blast radius grows when one identity can chain through multiple tools, data sources, and systems before governance catches up.
  • Model Context Protocol: Model Context Protocol is a standard way for AI systems to connect with tools, data sources, and services. It matters to identity teams because it turns the agent into a runtime actor that consumes credentials and expands the number of trust boundaries that must be governed.

Deepen your knowledge

Agent lifecycle governance and NHI visibility are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic workflows from the same identity foundations, it is worth exploring.

This post draws on content published by Clutch Security: Google's Agent Vision Has a 50:1 Problem. Read the original.
