TL;DR: Moltbot, an open-source local AI agent, can keep acting under a human’s identity even when that person is offline, blending cloud reasoning with local execution and exposing a governance gap in how organisations distinguish users from autonomous extensions, according to Silverfort. The real issue is not bot behaviour alone but the collapse of identity assumptions built for human-paced access and review.
At a glance
What this is: This is an analysis of Moltbot, a local AI agent that operates under a human identity and continues working when the user is offline.
Why it matters: It matters because IAM, PAM, and NHI programmes need to separate human intent from machine execution before autonomy erodes accountability and access control.
Context
A hybrid identity is an identity pattern where a human sets intent but a machine continues execution using real permissions and tools. In the Moltbot example, the critical issue is not just automation, but that the agent can act under the user’s identity after the user has stopped actively working. That breaks the assumptions behind identity review, supervision, and attribution in modern identity programmes.
For IAM and NHI teams, the problem is no longer limited to service accounts or scripted workloads. A local AI agent can inherit a legitimate user context, communicate through approved channels, and execute decisions without a live human in the loop. That creates a control problem across human identity, non-human identity, and agentic behaviour at the same time.
Key questions
Q: How should organisations govern AI agents that act under a human identity?
A: Treat the human account and the agent executor as separate governance subjects. Define where intent starts, where execution continues, and which controls apply after the person is offline. Without that separation, certifications, logging, and incident response will all misattribute machine actions to a human user.
Q: Why do local AI agents complicate identity and access management?
A: They can retain legitimate permissions while changing timing, prioritisation, and action sequence outside human presence. That means the visible identity may remain stable even as the operational behaviour becomes autonomous. IAM teams then lose the simple link between user session, authorisation, and accountability.
Q: What breaks when collaboration apps become agent command channels?
A: Visibility breaks first, because approved messaging tools can look like normal work while carrying execution instructions. Monitoring and DLP controls often inspect content superficially, but agent control requires understanding the instruction path, not just the message text. Organisations need policy boundaries around those channels.
Q: Who is accountable when an AI agent acts after the user is offline?
A: Accountability should follow the governance model for delegated execution, not just the named human owner. If the organisation allows an agent to continue acting on a person’s behalf, it must define who approves the delegation, who can revoke it, and who reviews the resulting actions.
Technical breakdown
How local AI agents create hybrid identity risk
Moltbot combines cloud-based reasoning with local execution, which means the decision-making can happen remotely while the action happens on an endpoint using the user’s active permissions. That separation matters because the identity visible to the organisation may still be a normal human account, even though the behaviour is now machine-driven. The result is a hybrid identity: the human supplies initial intent, but the agent owns subsequent execution. Security tooling built around session ownership, manual approval, and user presence will miss that shift when it occurs outside the browser or central control plane.
Practical implication: Treat the user account and the agent executor as distinct governance subjects, even when they share the same credentials.
Why encrypted messaging channels become a control plane
The article describes the agent using legitimate encrypted apps such as WhatsApp, Telegram, or Slack to receive instructions and coordinate activity. That matters because these channels are trusted for business use yet opaque to many monitoring and DLP controls, so they can function as an invisible command layer. In that model, prompts are not just messages, they are execution inputs. Once a command channel is accepted as normal collaboration traffic, the organisation loses the ability to distinguish routine communication from agent control signals.
Practical implication: Inventory which approved collaboration channels can also serve as hidden agent command paths and apply tighter inspection or policy boundaries there.
How local memory and token storage widen the blast radius
A local agent that stores memory, tokens, or contextual state can retain sensitive data beyond the moment the human is present. That increases risk because the artefacts available to the agent may include credentials, workflow history, and privileged context that can be reused later without fresh human approval. In practice, the control gap is not just secret exposure. It is persistent execution context paired with legitimate access, which gives the agent enough continuity to operate like a trusted user long after the original task should have ended.
Practical implication: Segment agent memory, token handling, and local execution paths so that retained context cannot silently extend privilege across tasks.
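One way to keep retained context from extending privilege across tasks is to bind the agent's credential to a single task and check that binding on every use. The sketch below is an added example, not code from Moltbot or Silverfort; the token layout, the `issue_delegation` and `check_delegation` names, and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would keep this in a secrets manager.
SIGNING_KEY = b"constructed-demo-key"

def issue_delegation(human, agent, task_id, ttl_s, now=None):
    """Mint a credential naming the human, the agent executor and exactly one task."""
    now = time.time() if now is None else now
    claims = {"human": human, "agent": agent, "task": task_id, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def check_delegation(token, current_task, revoked_tasks, now=None):
    """Return (allowed, reason); refuse any use outside the original task boundary."""
    now = time.time() if now is None else now
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    # Compare as bytes so a tampered, non-ASCII tag cannot raise instead of failing.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad-signature"
    claims = json.loads(body)
    if claims["task"] in revoked_tasks:
        return False, "revoked"          # someone withdrew the delegation
    if now >= claims["exp"]:
        return False, "expired"          # context outlived its time box
    if claims["task"] != current_task:
        return False, "task-mismatch"    # retained token reused for new work
    # The audit subject records the executor and the human separately.
    return True, "ok:" + claims["agent"] + "-for-" + claims["human"]
```

Because the success reason names both the agent and the human, downstream logs can attribute the action to the executor rather than to the account alone.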
Threat narrative
Attacker objective: The objective is to gain durable, trusted execution under a legitimate identity so actions blend into normal work and evade scrutiny.
- Entry occurs when the agent is given legitimate identity context and access to normal collaboration channels, making it look like ordinary user activity.
- Escalation occurs when the agent inherits stored memory, tokens, or configuration that let it continue acting without a live human session.
- Impact occurs when the agent writes code, opens pull requests, sends messages, and makes decisions under a human identity that the organisation cannot easily separate from machine execution.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Human identity and autonomous execution are now colliding in the same control plane. Moltbot is not just another automation layer. It demonstrates that a human account can become the wrapper for machine-paced execution while the organisation still sees a normal user. That breaks the way many identity programmes separate user presence from action, and it forces IAM teams to treat execution context as an identity problem, not only an application problem. The practitioner conclusion is that attribution and authorisation can no longer be assumed to move together.
Access review cadences were designed for stable privilege, not for agents that continue after the operator is gone. This assumption fails when the actor can keep acting, re-prioritising, and timing actions independently of the person who initiated it. The implication is not simply that reviews need to be faster. It is that the review model itself does not fit a system where the visible identity and the operating intelligence are no longer the same thing. Practitioners should rethink what is actually being certified.
Hybrid identity is the named concept this article exposes: a human identity carrying machine logic across time and channels. That matters because it collapses traditional boundaries between human IAM, NHI governance, and agentic AI oversight. When the same account can represent a person in one moment and an autonomous executor in the next, least privilege becomes harder to define at provisioning time. The practitioner conclusion is that identity governance must start distinguishing who initiated intent from what is now executing it.
Encrypted collaboration channels have become an unaudited command surface for local agents. The article shows that trusted messaging apps can function as a control plane that normal monitoring tools do not inspect deeply. That means the problem is not only access scope, but also visibility into the instruction path that turns a benign conversation into action. The practitioner conclusion is that channel trust and identity trust must be governed together.
Endpoint identity and cloud reasoning together create a governance gap that old bot models do not capture. A classic bot is centrally managed and easier to monitor. Moltbot behaves more like a local employee with remote intelligence, which makes legacy bot governance too narrow for the risk. The practitioner conclusion is that agentic behaviour needs its own operating model, even when it lives inside an apparently ordinary user environment.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- For a broader view of the control model behind that gap, see Ultimate Guide to NHIs for lifecycle, visibility, and Zero Trust governance patterns.
What this signals
Hybrid identity governance is about to become a board-level IAM design problem, not a niche AI experiment. As local agents continue acting under human credentials, programme owners will need to decide where delegation ends and identity ownership begins. The practical shift is toward controls that evaluate behaviour, not just account status, especially where human, NHI, and agentic execution now overlap.
According to the 2024 Non-Human Identity Security Report, 88.5% of organisations say their non-human IAM practices lag human IAM or sit only on par with it. That gap becomes more exposed when a local AI agent can inherit human identity context and keep working after the operator is offline. The governance lesson is that legacy IAM maturity is not enough once execution becomes detached from presence.
Hybrid identity will force teams to rethink certification, logging, and offboarding together. If a human can seed an agent and the agent can continue independently, then offboarding is no longer just user termination and certification is no longer a periodic review. Practitioners should align this topic with the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 where autonomous behaviour is in scope.
For practitioners
- Separate human intent from agent execution. Map where a person initiates work and where an AI agent continues it under the same identity. Require explicit governance for the execution layer, not just the account that triggered it.
- Inspect approved messaging channels as control paths. Review Slack, Telegram, WhatsApp, and similar tools as potential agent command channels, then restrict what instructions or tokens can move through them. Where possible, tie those channels to policy controls and audit evidence.
- Limit persistent local context and token reuse. Reduce the amount of memory, credentials, and workflow state an agent can retain on an endpoint. Reissue or invalidate context when the task boundary changes, even if the user account stays the same.
- Redesign review workflows for detached execution. Change access review and certification processes so they evaluate whether an identity can still act after the operator is offline. Focus on behaviour, not just entitlement lists, when certifying agents that inherit human access.
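A behaviour-based review needs a signal for detached execution: actions recorded under a human identity while no human was present. The following is an added example, not part of the original analysis; the presence windows, audit events, action names and the 15-minute grace period are constructed sample data and assumptions, and a real deployment would source them from endpoint lock/unlock or SSO activity and from application audit logs.

```python
from datetime import datetime, timedelta

# Constructed sample data: interactive presence windows per user and
# audit events recorded under that same identity.
PRESENCE = {
    "alice": [("2026-01-28T09:00", "2026-01-28T12:30"),
              ("2026-01-28T13:15", "2026-01-28T18:00")],
}
AUDIT = [
    ("2026-01-28T10:05", "alice", "git.push"),
    ("2026-01-28T12:40", "alice", "chat.send"),   # just after lock, inside grace
    ("2026-01-28T23:10", "alice", "pr.open"),
    ("2026-01-29T02:45", "alice", "chat.send"),
    ("2026-01-29T02:47", "alice", "git.push"),
]
GRACE = timedelta(minutes=15)  # assumed tolerance for work finishing after lock

def _ts(s):
    return datetime.fromisoformat(s)

def is_present(user, when, presence=PRESENCE, grace=GRACE):
    """True if `when` falls in a presence window, extended by the grace period."""
    return any(_ts(a) <= when <= _ts(b) + grace
               for a, b in presence.get(user, []))

def detached_events(audit=AUDIT, presence=PRESENCE, grace=GRACE):
    """Audit events executed under a human identity with no live human."""
    return [(t, u, act) for t, u, act in audit
            if not is_present(u, _ts(t), presence, grace)]

def review_subjects(audit=AUDIT, presence=PRESENCE):
    """Group detached actions per identity for certification of the executor."""
    out = {}
    for _, user, action in detached_events(audit, presence):
        out.setdefault(user, []).append(action)
    return out
```

The output is a starting point for review rather than a verdict: sanctioned scheduled jobs running under the same account will also appear and need to be allow-listed or moved to their own identity.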
Key takeaways
- Moltbot shows how a human identity can become a machine-executed control surface when the operator is offline.
- The real governance gap is not bot novelty but the mismatch between human IAM assumptions and autonomous execution patterns.
- Identity teams should separate intent, execution, and accountability before hybrid identities become normal in production workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Local autonomous agent behaviour maps to agentic identity and tool-abuse risk. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Hybrid identities inherit and reuse credentials, memory, and execution context. |
| NIST AI RMF | | Autonomous execution needs governance for accountability and ongoing oversight. |
Review credential handling and access boundaries for agents that persist beyond a human session.
Key terms
- Hybrid Identity: An identity pattern where a human initiates work but a machine continues execution using the same access context. The risk is that accountability, timing, and action selection can diverge from the person whose account is visible to the organisation.
- Agent Command Channel: A communication path that carries instructions into an AI agent and can therefore shape execution. In practice, trusted collaboration tools may become control planes when security monitoring cannot distinguish ordinary messages from operational prompts.
- Detached Execution: A state in which an AI system continues to act after the human operator is no longer actively present. This creates a governance gap because the identity appears stable while the operational behaviour persists independently across time.
- Execution Context: The permissions, memory, tokens, and state that allow an identity to perform work. For autonomous or semi-autonomous agents, execution context can outlive the original task and expand the practical blast radius of a legitimate account.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Silverfort: Moltbot and the rise of hybrid identities. Read the original.
Published by the NHIMG editorial team on 2026-01-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org