By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Upstream SecurityPublished July 2, 2026

TL;DR: Runtime AI and API security now has to track live behaviour across endpoints, consumers, and MCP servers because shadow routes, endpoint scope creep, and weak authentication can expose sensitive data even when systems look documented, according to Upstream Security. Static gateway enforcement is no longer enough when perimeter assumptions trail runtime change.


At a glance

What this is: This analysis argues that the modern perimeter must be defined by live runtime behaviour, not by static network boundaries, because active endpoints can become high-risk as their data and consumers change.

Why it matters: It matters because IAM, NHI, and platform teams need controls that recognise when documented endpoints, machine-to-machine integrations, and agent-facing routes have outgrown their original trust model.

👉 Read Upstream Security's analysis of hidden endpoint blast radius in AI and API security


Context

A modern API endpoint can look harmless while quietly becoming a high-value access path as its data, authentication model, and consumer set change over time. That is the central perimeter problem here: traditional network boundaries and static gateway rules do not keep pace with runtime drift across APIs, MCP servers, and agent-connected services.

For identity programmes, the issue is not just endpoint exposure but who or what is allowed to call it, under what conditions, and whether that access still matches the current business purpose. The article’s core point is that security teams need continuous behavioural visibility across assets, consumers, and machine-to-machine flows, because the trust boundary now moves as fast as the environment does.


Key questions

Q: What breaks when endpoint controls rely on static gateways instead of runtime behaviour?

A: Static gateway controls fail when the endpoint’s purpose changes after deployment. They can permit a request that is syntactically valid while missing the fact that the consumer, data sensitivity, or business function no longer matches the original trust model. That leaves documented routes, legacy APIs, and internal portals free to drift into high-risk exposure.

Q: Why do internal and legacy APIs become high-risk over time?

A: They become high-risk when they keep accepting traffic after their original assumptions have expired. An internal portal can become externally reachable, and a legacy API can continue handling sensitive data without stronger authentication or review. The risk is not age alone, but ungoverned change in what the endpoint can now expose.

Q: What do security teams get wrong about shadow data?

A: Many teams treat shadow data as a discovery problem when it is also a governance problem. If data is created, duplicated or copied outside normal ownership and classification paths, it cannot be reliably protected or reviewed. The practical response is to treat unclassified data as a signal of control failure.

Q: How should teams govern endpoints that sit inside machine-to-machine flows?

A: Teams should govern them as access-bearing assets, not as passive infrastructure. If an MCP server or backend route can trigger actions, receive sensitive telemetry, or expose administrative functions, it needs runtime classification, ownership, and review. That keeps machine-to-machine access tied to purpose instead of permanent trust.


Technical breakdown

Runtime behavioural baselining for APIs and MCP servers

Traditional API security assumes that an endpoint’s risk can be understood from its route, schema, or gateway policy alone. Runtime baselining changes that model by correlating live traffic with the identity of the consumer, the data being touched, and the business function the endpoint now serves. That is especially important where MCP servers and autonomous workflows introduce new machine-to-machine paths that may not be represented accurately in documentation. The technical shift is from static allowlists to continuous context reconstruction, so the system can detect when a valid route has become a sensitive one.

Practical implication: build continuous discovery and behavioural profiling around active endpoints, not just around published API inventories.

Why shadow and legacy endpoints evade standard controls

Shadow APIs, legacy versions, and internal portals often evade detection because they still look operational, even after their security assumptions have changed. A deprecated route kept alive for compatibility may still accept requests, and an internal tool exposed to the internet may still behave like a private service until someone tests it directly. Static ACLs and traditional gateways tend to miss these cases when the path is unknown, the documentation is stale, or the endpoint sits outside normal enforcement points. The problem is not only exposure, but control drift between design-time intent and runtime reality.

Practical implication: treat undocumented or compatibility endpoints as governance exceptions until they are revalidated in production traffic.

How runtime AI narrows the hidden blast radius

The article’s runtime AI model is essentially an always-on discovery and classification layer. It identifies hidden APIs, unexpected authentication gaps, and unusual data flows by observing live behaviour rather than trusting design documents. That matters because many breaches do not begin with a dramatic perimeter failure. They begin when a low-risk endpoint quietly starts handling sensitive information or administrative actions. Once classified, the endpoint can be compared against expected authentication requirements and data sensitivity, allowing anomalies to surface before they turn into broad exposure.

Practical implication: prioritise controls that classify endpoint sensitivity in motion, so governance follows behaviour instead of stale inventory.


Threat narrative

Attacker objective: The objective is to turn a seemingly harmless endpoint into a direct path for data extraction and operational abuse without needing to break core infrastructure.

  1. Entry occurs through a weakly authenticated or unauthenticated endpoint that was assumed to be low risk because it sat outside the main perimeter.
  2. Escalation happens when the attacker reaches a backend route, bypasses client-side checks, or accesses an alternate path that standard gateway policy does not govern.
  3. Impact follows when the exposed route allows direct extraction of sensitive records, supplier data, or administrative information at scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Runtime perimeter drift is now an identity problem, not just an API problem: The article shows that endpoints become risky when their consumer set, data sensitivity, and authentication expectations evolve faster than governance. That is an identity issue because authorisation now depends on live operational context, not a fixed perimeter. Teams that still treat APIs as static assets are governing yesterday’s trust model, not today’s runtime reality.

Hidden blast radius is a better operating concept than shadow API sprawl: The useful lens here is not simply how many undocumented endpoints exist, but how far a single overlooked route can extend into data, administration, and machine-to-machine operations. That blast radius grows when runtime behaviour is not continuously mapped to identity, purpose, and data sensitivity. Practitioners should use this concept to prioritise control coverage by exposure potential, not by asset label.

Static gateway enforcement fails when the security question becomes contextual: The article is right that a request can be syntactically valid and still be operationally wrong. Traditional ACLs and route-based checks answer whether a call is permitted in general, but they do not answer whether this consumer, at this moment, should touch this data. That is why runtime context becomes the governance layer that decides whether an endpoint remains within its intended trust boundary.

Machine-to-machine expansion is collapsing the old separation between infrastructure and access governance: MCP servers, agent-connected workflows, and internal tools all increase the number of places where identity and data movement intersect. Once that happens, endpoint security can no longer be separated from IAM, because the endpoint itself becomes part of the access decision. Security teams need to stop treating API protection as a network specialism and start governing it as identity-bearing runtime access.

Endpoint scope creep should be treated as a lifecycle failure mode: An endpoint that starts life as internal, temporary, or low sensitivity can become a persistent exposure point when its purpose changes but its controls do not. That is the same lifecycle problem seen in other identity domains: access outlives context. Practitioners should therefore review endpoints as governed entities with lifecycles, not as one-time deployments.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • 48% of companies say they cannot track and audit the data their AI agents access, leaving a complete blind spot for compliance and breach investigation.
  • That visibility gap matters because runtime governance fails fastest when access is expanding faster than review cycles, as discussed in OWASP NHI Top 10.

What this signals

Endpoint scope creep: the next governance failure will not be a missing API inventory, but an inventory that is technically accurate and operationally stale. Teams need to assume that any route with changing consumers, data sensitivity, or authentication assumptions can become an access problem before it becomes a security ticket.

With 92% of technology professionals saying AI agents are a security threat and only 44% having implemented policies to govern them, per AI Agents: The New Attack Surface report, runtime visibility is becoming a baseline control rather than an optimisation.

The practical signal for readers is that API governance, NHI governance, and agent governance are converging around the same runtime questions: who is calling, what data is moving, and whether the current behaviour still matches the approved purpose.


For practitioners

  • Map live endpoint consumers continuously Correlate each active endpoint with the users, services, agents, and tools currently calling it so that behavioural changes are visible before the endpoint’s purpose drifts. Use runtime observation rather than documentation alone.
  • Classify endpoint sensitivity in motion Reassess whether an endpoint is low, medium, or high risk based on the data it now handles and the actions it can perform, then escalate review when the classification changes.
  • Retire compatibility routes aggressively Remove legacy versions, test utilities, and internal portals once their business purpose ends, and require explicit revalidation before they remain reachable in production traffic.
  • Bind machine-to-machine access to runtime context Require access decisions for MCP servers and similar back-end routes to reflect the current consumer, expected data type, and business purpose rather than a fixed allowlist.
  • Treat undocumented endpoints as governance exceptions Open a review workflow whenever a route appears in live traffic but is absent from inventory, and do not close it until ownership, authentication, and data handling are confirmed.

Key takeaways

  • Endpoints become dangerous when their runtime behaviour outgrows their original trust boundary, not when they first appear in inventory.
  • The evidence in this article points to a governance gap where static controls miss active routes that have silently become sensitive.
  • Teams need continuous discovery, sensitivity classification, and ownership for live endpoints if they want to control the hidden blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Runtime endpoint drift creates unmanaged access paths and exposure.
NIST CSF 2.0PR.AC-1Identity and access control need to follow live service behaviour.
NIST Zero Trust (SP 800-207)The article challenges static perimeter assumptions in dynamic environments.
MITRE ATT&CKTA0007 , Discovery; TA0009 , CollectionShadow endpoints enable discovery and data collection without obvious perimeter breach.
NIST SP 800-53 Rev 5AC-4Information flow enforcement is central when endpoints change sensitivity.

Classify live endpoints, owner, and consumers against NHI-03 and review any route that changes behaviour.


Key terms

  • Runtime Behaviour Baseline: The expected pattern of activity for an identity while it is operating in production. It goes beyond entitlement lists by comparing actual actions, timing, and access paths, which is critical when valid credentials can still be abused.
  • Endpoint Scope Creep: Endpoint scope creep is the gradual expansion of what a route can reach, receive, or expose after deployment. A service that began as low risk can become high risk when its data, business role, or downstream access changes without updated governance or monitoring.
  • Blast Radius: The potential scope of damage if a specific credential or identity is compromised. Identities with broad permissions have a larger blast radius and represent a higher priority for least-privilege enforcement and security controls.
  • Runtime Discovery: The process by which an AI agent asks a server what capabilities exist before using them. Unlike static documentation, runtime discovery creates a moving target for security review because new tools can appear without code changes on the client side.

What's in the full article

Upstream Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The article’s endpoint-by-endpoint breakdown of where shadow routes, backend tools, and customer portals slip past perimeter assumptions.
  • The runtime AI and digital twin explanation for how live traffic can surface hidden APIs and unexpected authentication gaps.
  • The detailed research example showing how client-side bypasses and exposed backend APIs lead to large-scale data extraction.
  • The broader AI and API security framing that connects machine-to-machine integrations, MCP servers, and live behavioural monitoring.

👉 Upstream Security's full post covers the runtime discovery model, endpoint drift examples, and hidden exposure paths in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org