Identity as a continuum: what NHI governance means for agents

At a glance

What this is: This analysis argues that non-human identity security and agentic AI security share the same underlying credential problem, with identity lineage becoming the key control model.

Why it matters: IAM teams need a shared governance lens for NHI, autonomous agents, and human delegation paths because the same credential layer now carries risk across all three.

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.
• 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

👉 Read Clutch Security's analysis of identity lineage for NHI and agentic AI

Context

Non-human identity security is the discipline of governing service accounts, API keys, OAuth apps, tokens, certificates, and workload identities so they can authenticate without creating permanent exposure. Clutch Security’s central claim is that this same credential layer now underpins agentic AI, which means the old divide between machine identity and emerging agent identity is no longer clean.

That matters because many IAM programmes still treat non-human credentials as inventory items rather than active actors in the delegation chain. Once agents can choose when to call tools and which credentials to use, lineage, ownership, and scope become more important than static provisioning records.

Key questions

Q: How should security teams govern AI agents that use non-human identities?

A: Security teams should govern AI agents through the same identity controls used for other non-human identities, but with added attention to runtime delegation and tool use. The key is to know which agent owns the credential, what systems it can reach, and how quickly access can be revoked when behaviour changes.

Q: Why do just-in-time credentials not fully solve agentic AI risk?

A: Just-in-time credentials reduce standing exposure, but they do not validate the agent’s intent or prevent malicious instruction manipulation. If an attacker can steer the agent after access is granted, the token still authorises harmful actions. That is why runtime trust and delegation scope matter as much as token lifetime.

Q: What breaks when identity governance treats service accounts as static assets?

A: Static treatment breaks ownership, review, and revocation. Service accounts age, drift across systems, and accumulate reach long after the original use case has changed. Once teams stop treating them as living identities with lineage, compromise becomes harder to detect and easier to inherit across workflows.

Q: How do human IAM and NHI governance differ when agents are involved?

A: Human IAM focuses on interactive authentication, assurance, and user experience. NHI governance focuses on delegated access, credential lifecycle, and blast radius. When agents are involved, the two models meet at the delegation chain, so practitioners must govern both the human sponsor and the non-human actor.

Technical breakdown

Identity lineage for non-human identities and agents

Identity lineage is the ability to trace a non-human identity back to its origin, owner, storage location, consuming system, and reachable resources. In practice, that means moving from a flat inventory of secrets and service accounts to a graph of relationships that shows what each identity can touch and how far compromise can travel. For agentic AI, the same model must also capture which agent invoked the credential, through which workflow, and under what delegated authority. Without that context, security teams see credentials but not the trust chain that created them.

Practical implication: build lineage data for every non-human credential before you try to score or govern it.

Why just-in-time credentials do not solve agent risk

Just-in-time access shortens credential lifetime, but it does not answer the harder question of whether the requesting actor should be trusted to act at all. Clutch Security’s argument is that an agent can be manipulated through prompt injection and still carry out harmful actions using a perfectly scoped token. The control failure is not only duration, but intent. A short-lived credential can reduce exposure, yet it does not stop an agent from using valid access to execute a malicious sequence of tool calls.

Practical implication: treat JIT as a containment control, not as a complete trust model for agents.

The continuum between secrets, workload identity, and agent access

The post frames secrets, workload identities, and agent credentials as layers of the same authentication problem. Secrets are the stored material, workload identity is the runtime trust relationship, and agent access adds runtime decision-making on top. That progression matters because the security issue is no longer just where a secret lives, but how dynamically it can be consumed, combined, and reused across systems. A programme that separates those layers will miss the chain of custody from person to tool to identity to resource.

Practical implication: unify secret, workload, and agent governance in one control plane rather than managing them as separate problems.

Threat narrative

Attacker objective: The attacker aims to convert legitimate delegated access into harmful execution while hiding inside valid identity and token boundaries.

1. Entry occurs when a legitimate agent inherits access through an OAuth token, service account, or access key that was provisioned for delegated work.
2. Escalation occurs when the agent is manipulated, for example through prompt injection, and uses that valid access to call tools or reach data outside the original human intent.
3. Impact follows when the credential is used to execute harmful actions with fully authorised privileges, creating damage that appears legitimate at the authentication layer.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Identity lineage is the control model that current NHI inventories have been missing. Flat lists of keys and service accounts do not explain who created an identity, what it can reach, or how far compromise can move. Clutch Security is right to centre lineage because governance without relationship context is only partial visibility. Practitioners should treat lineage as the baseline for any credible NHI programme.

Ephemeral credential trust debt is the named failure mode that JIT does not remove. JIT provisioning shortens exposure windows, but it still assumes the requesting actor is trustworthy enough to receive scoped access in the first place. That assumption holds for many human workflows, but it weakens when agents can be manipulated mid-session. The implication is that trust has shifted from time-based expiry to runtime intent, which many IAM models do not measure.

Agents and NHIs are the same problem at different layers only if governance recognises delegation as the common unit. Service accounts, OAuth apps, and AI agents all authenticate through non-human credentials, but agents add action selection on top of authentication. That means old control ideas built around static ownership and scheduled review no longer fully describe the risk. Practitioners should reframe governance around delegated authority, not just credential storage.

Access review assumptions break when the identity can act before review cycles begin. Traditional review processes assume access persists long enough to be observed, challenged, and certified. An agent can acquire a token, use it, and complete its task before any review event occurs. The control premise itself is therefore incomplete. Security teams need to recognise that this is not just more NHI sprawl, but a shift in how identity decisions are made and consumed.

Identity blast radius is now a shared metric across human, machine, and agent workflows. The same credential layer can connect a person to a pipeline token, a workload identity, and then an agent action path. Once those links are visible, the real governance question becomes how far a compromised identity can travel across that chain. Practitioners should prioritise controls that reduce reach, not just controls that reduce credential age.

From our research:

• 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• That governance gap is why the 52 NHI Breaches Analysis remains the right next read for teams mapping failure patterns to controls.

What this signals

Identity lineage will become the organising principle for NHI and agent governance. As agents consume the same credential layer as service accounts and OAuth apps, programmes that cannot trace ownership and reach will struggle to separate normal delegation from exposure. That is a governance problem, not just a tooling gap, and it will show up first in blast-radius reviews and offboarding.

With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs, the next control frontier is not inventory alone. Teams will need to align secret location, runtime identity, and agent behaviour in a single operating model.

The market is moving toward identity context as the differentiator, because isolated credential controls do not explain how an agent or workload actually reaches production resources. 52 NHI Breaches Analysis is useful here because it shows how access paths, not labels, determine breach outcomes.

For practitioners

• Map identity lineage for every non-human credential Trace each service account, API key, OAuth app, and agent token back to its owner, origin, storage location, and reachable systems. Use the resulting graph to rank risk by blast radius, not by raw count of credentials.
• Separate trust from expiry in your control design Use short-lived credentials where appropriate, but do not treat expiration as proof of trust. Add runtime checks for delegated authority, tool scope, and session context so the actor is evaluated at the moment of use.
• Review agent deployment paths outside security approval flows Find where developers can introduce agents, tokens, or workload identities without explicit security ownership. Require an accountable owner and a revocation path before the credential can be used in production.
• Consolidate secret, workload, and agent governance Build one operating model for secrets, workload identities, and agent credentials so lineage, ownership, and access scope are reviewed together. Separate tooling often hides the chain of custody that attackers exploit.

Key takeaways

• Identity programmes that treat non-human credentials as static objects will miss how agents now inherit and use them dynamically.
• The evidence remains clear: NHI compromise is already a dominant identity-breach pattern, which makes agent governance an extension of existing exposure, not a separate problem.
• Practitioners should shift from credential counting to lineage, delegated authority, and blast-radius control before agent adoption widens the gap further.

Key terms

• Identity Lineage: Identity lineage is the traceable chain that connects a non-human identity to its origin, owner, storage location, consumers, and reachable systems. For IAM teams, it turns a credential from a standalone item into a governed relationship that can be prioritised, reviewed, and revoked with context.
• Delegated Authority: Delegated authority is the permission a non-human actor receives through a human or system sponsor to act on its behalf. In agentic environments, it matters because the sponsor may understand the task, but not every action the actor can choose at runtime.
• Identity Blast Radius: Identity blast radius is the maximum operational and data impact a compromised identity can create across connected systems. For non-human identities and agents, the measure depends less on credential age and more on lineage, scope, and how many downstream systems trust the same identity.

Deepen your knowledge

Identity lineage and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for service accounts, secrets, and agents from the same starting point, it is worth exploring.

This post draws on content published by Clutch Security: From NHI Security to the Identity Platform for Everything That Isn't a Person. Read the original.