By NHI Mgmt Group Editorial TeamPublished 2026-03-10Domain: AI SecuritySource: Surf Security

TL;DR: Agentic workflow platforms that capture real user actions, turn them into reviewable blueprints, and execute them in sandboxed runtimes shift automation risk from code quality to governance, human approval, and runtime containment, according to Surf Security. The security question is no longer whether the workflow can be automated, but whether the approval, boundary, and audit controls are strong enough to govern it.


At a glance

What this is: This is an analysis of an agentic workflow architecture that records human activity, proposes automation blueprints, and runs approved tasks inside a governed runtime with auditability and human sign-off.

Why it matters: It matters because IAM, PAM, and NHI teams increasingly have to govern automation that behaves like a user, consumes real session context, and can reach production systems with human-derived authority.

👉 Read Surf Security's analysis of secure autonomous agent workflow execution


Context

Agentic workflow infrastructure exposes a governance gap that traditional automation tools often hide. Once a system can capture real user behaviour, turn it into executable steps, and reuse that pattern inside a runtime, the main control problem becomes who approves the workflow, what it is allowed to touch, and how its actions are constrained.

That makes the topic directly relevant to identity governance. The same issues that drive privilege review, session control, and separation of duties for human access now apply to agentic workflows that derive authority from observed human activity. In practice, the boundary between human identity, delegated automation, and non-human execution becomes the control surface.


Key questions

Q: How should security teams govern agentic workflows that are built from real user activity?

A: Security teams should govern them as delegated identities with explicit ownership, approval, scope, and revocation. The captured workflow is not just a script. It is an identity-derived execution path that can reach real systems, so the approval process, runtime boundary, and audit record all need to be controlled together.

Q: Why do human approval steps fail to fully control agentic automation?

A: Human approval fails when it is only a visual checkpoint and not a true privilege decision. If the workflow can still act broadly after approval, the gate does not meaningfully reduce risk. Approval must be tied to the exact outcome, the minimum necessary scope, and a runtime that prevents actions outside that scope.

Q: What breaks when agentic workflows run without sandboxed execution?

A: Without sandboxing, agentic workflows can interact with production systems, leak context, and carry out unauthorized actions with little containment. That turns automation into an opaque operational path rather than a governed control. Security teams lose the ability to limit blast radius, interrupt execution, and investigate failures with confidence.

Q: Who should own the lifecycle of delegated automation in enterprise environments?

A: The business or technical owner of the process should own the lifecycle, with identity and security teams enforcing governance requirements. Ownership must cover creation, approval, review, suspension, and retirement. Without that lifecycle accountability, delegated workflows become orphaned non-human execution paths that persist beyond their intended use.


Technical breakdown

Workflow capture as an identity source

The architecture starts by recording real user sessions across web, SaaS, SSH, and RDP activity. That turns observed behaviour into a data source for automation design, which is different from hand-coded scripts or brittle rule sets. The security value is that the workflow is grounded in actual user actions, but the risk is that the capture layer now contains sensitive operational context, including form inputs, navigation paths, and approval steps. PII sanitisation reduces exposure, but it does not remove the need to govern what is captured, retained, and reused.

Practical implication: treat captured workflows as sensitive identity-derived data and apply strict access, retention, and review controls.

Human-approved planning before live execution

The planning stage is a deliberate control boundary. The AI analyses transcripts, proposes a workflow blueprint, and pauses before live execution so a human can validate or modify the result. That design avoids direct system access during planning, which reduces the chance of uncontrolled actions or hallucinated steps becoming real operations. From an identity perspective, the blueprint is a delegated intent artifact, not yet an authorised runtime action. The governance question is whether approval is meaningful, traceable, and tied to the right level of privilege.

Practical implication: require explicit sign-off for workflow blueprints and align approval authority with the sensitivity of the downstream action.

Sandboxed runtime and audit trail for agentic execution

The execution layer runs approved workflows inside an isolated browser runtime with logs, video, and structured transcripts. That combination creates a reviewable record of what the automation did, which is essential when an agent is acting on behalf of a person or team. Sandbox boundaries are doing the heavy lifting here: they narrow blast radius, block prompt injection attempts, and prevent unauthorized actions from escaping the runtime. For NHI governance, this is the point where delegated execution becomes a managed non-human identity pattern rather than unmanaged automation.

Practical implication: insist on runtime isolation, step-level logging, and human interruption points before any irreversible action.


Threat narrative

Attacker objective: The attacker objective in this pattern would be to abuse captured workflow context or delegated agent execution to reach sensitive systems or trigger unauthorized actions through trusted automation.

  1. Entry occurs when workflow capture collects real human sessions across business applications and remote access channels, creating a high-fidelity source of operational context.
  2. Escalation occurs when AI turns validated behaviour into executable blueprints that can be reused as delegated automation with user-derived authority.
  3. Impact occurs when approved workflows run in production and reach sensitive systems, making auditability, containment, and approval integrity the decisive controls.

NHI Mgmt Group analysis

Human-derived automation is becoming a governance object, not just a productivity feature: when workflows are captured from real users and replayed by software, the control problem shifts to delegation, approval, and revocation. That creates a new class of non-human execution that sits between IAM and automation orchestration. Organisations need to treat these workflows as governed identities with explicit boundaries, not as harmless productivity shortcuts.

Workflow capture creates a new sensitive dataset that security teams must classify: session transcripts, UI context, and approval steps reveal how work is actually done and may expose credentials-adjacent information or business-sensitive process details. The important point is not just privacy, but governance over reuse, retention, and access. The control gap is unclassified operational behaviour becoming a reusable automation asset.

Human approval only matters if the approval is tied to privilege and outcome: a sign-off step is not meaningful unless the approver understands the downstream action and the workflow is constrained to the minimum required scope. Otherwise, the approval becomes ceremonial while the agent retains excessive runtime latitude. Practitioners should evaluate whether approval gates are decision controls or merely UI checkpoints.

Sandboxing is the difference between delegated execution and uncontrolled agent sprawl: isolated runtimes, structured logs, and step-level pauses give security teams the evidence needed to contain agent behaviour and investigate failures. Without those controls, agentic workflows become opaque automation with human camouflage. The field should move toward explicit runtime governance for every workflow that can act on behalf of a person.

Named concept: delegated workflow identity: this is the emerging pattern where an automation system inherits authority from observed human behaviour and then executes under controlled runtime conditions. It matters because the identity is neither fully human nor fully machine-originated, which makes ownership, review, and revocation harder to manage. Practitioners should assign clear custodianship and lifecycle controls to every delegated workflow.

What this signals

Delegated workflow identity is the control pattern this market now has to confront. Once software inherits authority from captured human behaviour, traditional IAM review cycles are too slow and too coarse to govern the resulting execution path. The practical response is to give every delegated workflow a lifecycle owner, approval scope, and revocation path that security teams can actually enforce.

AI agent governance is moving from policy statements to runtime evidence. A programme that cannot show what was captured, who approved it, and how execution was contained will struggle to defend agentic automation in audit or incident review. That is where identity governance intersects with operational resilience, not as theory but as control evidence.

The reader should expect more scrutiny of approval boundaries, sandboxing, and logging rather than more debate about whether automation should exist. The better question is whether each workflow is a governed non-human identity with a clear boundary of authority, or an untracked extension of a human user session.


For practitioners

  • Classify captured workflows as sensitive operational data Limit who can view session transcripts, UI context, and blueprint outputs. Apply retention controls and review access to the same standard you would use for privileged session records or other sensitive identity artefacts.
  • Tie workflow approval to downstream privilege Require the approver to match the sensitivity of the action being automated, and block workflow promotion when the runtime would exceed the approver’s normal authority.
  • Enforce sandboxed execution for all agentic workflows Run approved automation inside isolated environments with structured logs, video records, and explicit pause points before irreversible actions. Validate that containment survives prompt injection and unauthorized action attempts.
  • Define lifecycle ownership for delegated automation Assign a named owner for creation, approval, review, suspension, and retirement of each workflow so agentic execution does not become orphaned automation with no accountable custodian.

Key takeaways

  • Agentic workflow systems change the governance problem by turning human behaviour into reusable execution paths that must be controlled like identities.
  • The evidence is already clear: 80% of organisations report AI agents acting beyond intended scope, which makes approval and runtime containment immediate priorities.
  • Security teams should focus on delegated workflow identity, sandboxed execution, and explicit lifecycle ownership before these systems spread further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and MITRE ATLAS address the attack and risk surface, while NIST AI RMF, NIST AI 600-1 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10OWASP Top 10 for Agentic Applications 2026The article centres on agent capture, prompt safety, and runtime control in agentic workflows.
NIST AI RMFGOVERNAI RMF GOVERN applies to accountability and oversight for delegated agent execution.
NIST AI 600-1The article deals with GenAI workflow governance and operational controls.
NIST CSF 2.0PR.AC-4Least-privilege access is central to limiting what workflows can do after approval.
MITRE ATLASTA0006 , Credential Access; TA0008 , Lateral MovementAgentic execution can be abused to reach systems and credentials through trusted workflows.

Map workflow capture, approval, and runtime boundaries to agentic top 10 risks before scaling deployments.


Key terms

  • Delegated Workflow Identity: A delegated workflow identity is an automation path that inherits authority from observed human behaviour and then executes under controlled runtime conditions. It sits between user identity and machine identity, so governance must cover approval, scope, ownership, and revocation across its lifecycle.
  • Workflow Transcript: A workflow transcript is a structured record of user actions, context, and session details captured for automation analysis. In governance terms, it becomes sensitive operational data because it can reveal business processes, approval steps, and access patterns that should not be broadly exposed.
  • Sandboxed Runtime: A sandboxed runtime is an isolated execution environment that constrains what an automation or agent can touch while it runs. It limits blast radius, records activity, and helps prevent unauthorized actions from escaping into production systems.
  • Human-In-The-Loop Approval: Human-in-the-loop approval is a control that pauses automation so a person can validate, modify, or deny the next action. It only provides meaningful risk reduction when the approval is tied to a specific outcome, the appropriate authority, and a bounded runtime scope.

What's in the full article

Surf Security's full article covers the operational detail this post intentionally leaves for the source:

  • The capture-to-execution workflow design, including how transcripts are transformed into automation blueprints.
  • The runtime and audit model used to isolate executions, record outcomes, and support review.
  • The human approval and auto-correction loop that governs workflow promotion and refinement.
  • The platform-specific deployment options for on-prem and cloud execution.

👉 Surf Security's full article covers the workflow capture, planning, and runtime details behind its agentic architecture.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, and machine identity security. It helps practitioners translate delegated access and runtime control into enforceable identity policy.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org