By NHI Mgmt Group Editorial Team
Published 2025-11-20
Domain: Agentic AI & NHIs
Source: Delinea

TL;DR: Enterprises are adding autonomous AI agents faster than identity controls were designed to govern them, and Delinea argues that current IAM and IGA processes must be extended for onboarding, authorization, and oversight of delegated and independently credentialed agents. The core issue is assumption collapse: review cycles, least privilege, and lifecycle controls were built for stable human or machine identities, not actors that make runtime decisions at machine speed.


At a glance

What this is: Delinea argues that identity management controls built for humans and conventional machine accounts do not adequately govern autonomous AI agents.

Why it matters: IAM, PAM, and IGA teams now have to govern identities that can act independently, change scope mid-session, and create accountability gaps across human, NHI, and autonomous programmes.



Context

AI agent governance is the problem of assigning, controlling, and reviewing identities that can make independent decisions at runtime. The article argues that current identity management still assumes a human user or a predictable machine account, which breaks once an agent can act on its own or through delegated authority.

That creates a direct governance gap for IAM, IGA, and PAM programmes. Teams now need to decide how to register agents, tie them to business owners, distinguish them from the human user they assist, and keep their permissions auditable without treating them like ordinary service accounts.


Key questions

Q: How should security teams govern AI agents that use their own credentials?

A: Security teams should treat AI agents with their own credentials as managed non-human identities. That means assigning a unique identity, naming a business owner, setting task-scoped access, and tying the agent into lifecycle, recertification, and offboarding processes. Without those controls, the agent becomes a persistent account with unclear accountability.

Q: Why do autonomous AI agents complicate access review processes?

A: Autonomous agents complicate access review because they can act and change scope faster than periodic certification cycles can observe. If access is granted, used, and retired within a single task, the review process may never see a stable entitlement state to approve or revoke. That makes periodic review necessary but insufficient.

Q: What breaks when AI assistants borrow human sessions or tokens?

A: What breaks is attribution. When an assistant operates inside a human session, activity may be legitimate but still hard to separate from the employee’s own actions. That creates audit ambiguity, weakens accountability, and can let sensitive actions disappear inside ordinary user behaviour unless session monitoring and approval rules are explicit.

Q: Who is accountable when an AI agent acts outside intended scope?

A: Accountability should rest with the business owner and the governance process that approved the agent’s access, not with the model itself. If the organisation cannot identify the sponsor, the entitlement baseline, and the session trail, then accountability is already broken before the incident occurs.


Technical breakdown

Delegated tokens versus autonomous credentials

Delinea splits agentic AI into two identity patterns. One uses delegated user tokens, which means the agent acts inside a human identity boundary and inherits that user’s governance context. The other uses its own machine credentials, which makes the agent a separate subject with its own permissions, audit trail, and lifecycle. Those two models create different control problems. Delegated access raises attribution and approval issues. Independent credentials raise lifecycle, least privilege, and recertification issues because the agent is no longer just a tool inside a user session.

Practical implication: classify every AI agent by its credential model before deciding which IAM, PAM, and IGA controls apply.

Agent onboarding needs lifecycle governance, not model training

The article treats autonomous agents as identities that must be discovered, registered, sponsored, and later offboarded. That is a lifecycle problem, not an AI model problem. Onboarding has to establish a unique identity, a business owner, and an entitlement baseline, then feed the agent into access review and recertification processes. In other words, the control plane is the IAM stack, not the model prompt. The article also notes that abandoned agent accounts can persist if no one ties termination events to discovery and offboarding workflows.

Practical implication: extend joiner-mover-leaver processes to AI agent identities and ensure discovery triggers offboarding.
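
The lifecycle checks described above, as an added example (not code from Delinea or from this post): it reconciles discovered agent identities against a registry and a leaver list. The record fields, agent names and sample data are constructed assumptions.

```python
# Illustrative only: field names and sample records are constructed assumptions.
REQUIRED = ("owner", "credential_model", "entitlement_baseline")
MODELS = {"delegated_token", "own_credentials"}

def audit_agents(discovered, registry, leavers):
    """Return {agent_id: [findings]} for every discovered agent identity."""
    findings = {}
    for agent_id in sorted(discovered):
        record = registry.get(agent_id)
        issues = []
        if record is None:
            # Found by discovery but never onboarded: an unmanaged identity.
            issues.append("unregistered: onboard or disable")
        else:
            for field in REQUIRED:
                if not record.get(field):
                    issues.append(f"missing {field}")
            model = record.get("credential_model")
            if model and model not in MODELS:
                issues.append(f"unknown credential model {model!r}")
            if record.get("owner") in leavers:
                # A leaver event for the sponsor must trigger offboarding.
                issues.append("owner has left: offboard or reassign")
            if model == "delegated_token" and not record.get("acts_for"):
                # Delegated agents need the human principal on record.
                issues.append("delegated agent without named human principal")
        findings[agent_id] = issues
    return findings

# Constructed sample data.
REGISTRY = {
    "agent-invoice-bot": {"owner": "alice", "credential_model": "own_credentials",
                          "entitlement_baseline": ["erp:read", "erp:post-invoice"]},
    "agent-mail-helper": {"owner": "bob", "credential_model": "delegated_token",
                          "entitlement_baseline": ["mail:read"], "acts_for": None},
    "agent-report-gen": {"owner": "carol", "credential_model": "own_credentials",
                         "entitlement_baseline": []},
}
DISCOVERED = {"agent-invoice-bot", "agent-mail-helper",
              "agent-report-gen", "agent-shadow-01"}
LEAVERS = {"carol"}

if __name__ == "__main__":
    for agent, issues in audit_agents(DISCOVERED, REGISTRY, LEAVERS).items():
        print(agent, "->", issues or "ok")
```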

Machine-speed access requires just-in-time credentials and runtime monitoring

Delinea frames agent authorization around short-lived credentials, vault checkout, and continuous monitoring because agent behaviour is faster and less predictable than conventional service-account use. The key technical issue is that static secrets widen the breach window, while agent decisions can change the scope of activity during a single task. Real-time least privilege therefore depends on comparing granted access with actual use, then monitoring sessions for suspicious actions that require human intervention. This is closer to privileged task execution than to traditional app authentication.

Practical implication: replace standing access for AI agents with short-lived credentials, vault controls, and monitored sessions.
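
The granted-versus-used comparison and the standing-credential check described above, as an added example (not Delinea's tooling and not part of the original post). The events, entitlement names and the 15-minute TTL policy are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_TTL = timedelta(minutes=15)  # assumed policy value, not from the article

# Constructed sample: entitlement baseline granted to each agent.
GRANTED = {
    "agent-invoice-bot": {"erp:read", "erp:post-invoice", "vault:checkout"},
    "agent-report-gen": {"dw:read", "dw:export", "mail:send"},
}
# Constructed audit events: (event time, agent, action, credential issue time).
EVENTS = [
    ("2025-11-20T09:00:05", "agent-invoice-bot", "vault:checkout", "2025-11-20T09:00:00"),
    ("2025-11-20T09:00:09", "agent-invoice-bot", "erp:read", "2025-11-20T09:00:00"),
    ("2025-11-20T09:00:12", "agent-invoice-bot", "hr:read-salary", "2025-11-20T09:00:00"),
    ("2025-11-20T10:30:00", "agent-report-gen", "dw:read", "2025-11-18T08:00:00"),
]

def review(granted, events, max_ttl=MAX_TTL):
    """Compare what each agent may do with what it did; return exceptions."""
    used = {agent: set() for agent in granted}
    alerts = []
    for ts, agent, action, issued in events:
        if action not in granted.get(agent, set()):
            # Scope drift: route to a human now, not to the next review cycle.
            alerts.append((agent, "out-of-scope", action))
        else:
            used[agent].add(action)
        age = datetime.fromisoformat(ts) - datetime.fromisoformat(issued)
        stale = (agent, "stale-credential", issued)
        if age > max_ttl and stale not in alerts:
            # Credential outlived the task window: standing access in practice.
            alerts.append(stale)
    # Granted but never exercised: candidates for removal at recertification.
    unused = {a: sorted(granted[a] - used[a]) for a in granted}
    return alerts, unused

if __name__ == "__main__":
    alerts, unused = review(GRANTED, EVENTS)
    for alert in alerts:
        print("ALERT", alert)
    for agent, perms in unused.items():
        print("UNUSED", agent, perms)
```

The `unused` map gives recertification a short list of exceptions to examine, while `alerts` covers the cases that cannot wait for a periodic cycle.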


Threat narrative

Attacker objective: The attacker seeks to hijack or misuse AI agent identity to reach data, credentials, and systems while hiding inside legitimate access paths.

  1. Entry occurs when an AI agent is granted delegated user tokens or its own machine credentials, creating a usable identity boundary for access to enterprise systems.
  2. Escalation happens when that identity is trusted to operate at machine speed and is allowed to access resources beyond a single predictable task, especially when permissions are not continuously compared with actual use.
  3. Impact follows when the agent exposes credentials, reaches sensitive data, or performs unauthorized actions that are hard to attribute back to a human operator in time to contain them.



NHI Mgmt Group analysis

Autonomous AI agents collapse the assumption that access is stable long enough to be reviewed. Access review and recertification were designed for identities whose privileges persist across a governance cycle. That assumption fails when an agent can acquire, use, and retire access inside one task or one session. The implication is not simply faster review, but a different governance model for actors whose state is too short-lived for periodic certification to capture.

Identity management for AI agents is really lifecycle governance for a new class of non-human identity. The article is right to frame onboarding, ownership, and offboarding as the core problem because an autonomous agent without a named sponsor is an unmanaged identity, not an innovation. OWASP-NHI and NIST-CSF are the right baseline lens here, because the issue is account control, privilege scope, and accountability rather than model quality. Practitioners should treat agent lifecycle as an IGA responsibility from day one.

Delegated AI assistants create attribution risk even when they do not become fully autonomous. A user-initiated agent that borrows a session or token can still blur who approved an action, who benefits from the action, and who must answer for it later. That makes the identity boundary more important than the model boundary. The governance task is to preserve human accountability while preventing assistants from becoming invisible extensions of privileged user sessions.

Short-lived credentials are a governance signal, not just a security hardening choice. The article’s emphasis on vault checkout, rotation, and session monitoring shows that static access no longer matches the operating model of machine-speed assistants. For NHIs and AI agents alike, standing privilege is the wrong default because it assumes predictable use. The implication for practitioners is to rebuild privilege assignment around task scope, not account permanence.

Named concept: identity blast radius. Once AI agents can act with their own credentials, a single identity can touch more systems, data, and workflows than a human operator could reasonably monitor. That expands the practical blast radius of one compromised or mis-governed agent, especially when discovery and audit coverage are incomplete. Security teams should measure agent entitlement scope as a first-class risk metric, not as a side effect of automation.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That governance gap is widening as AI adoption accelerates, so practitioners should pair identity controls with OWASP NHI Top 10 guidance on agentic application risk.

What this signals

Identity blast radius: teams should now measure how far an AI agent can move across applications, datasets, and privileged workflows before governance evidence disappears. When 80% of organisations already see agents acting beyond intended scope, the problem is no longer theoretical, and lifecycle controls need to be built around task scope, not account permanence.

The next programme question is not whether AI agents will be used, but whether IAM, IGA, and PAM can keep ownership, approval, and audit trails intact when the actor is software. A practical baseline is to align agent governance with the NIST AI Risk Management Framework and the OWASP Top 10 for Agentic Applications 2026, then test whether every agent has a sponsor, a scope, and a revocation path.

For most enterprises, the near-term signal is discovery quality. If you cannot continuously identify where agents exist, which credentials they use, and which sessions they touched, you do not have governance, only partial visibility. The stronger operating model is to treat AI assistants as identities that must be reviewed, monitored, and offboarded like any other privileged actor.


For practitioners

  • Classify each AI agent by credential model: Separate delegated-token assistants from agents using their own machine credentials, then map each class to different approval, audit, and ownership rules. The same control set should not be applied to both.
  • Extend joiner-mover-leaver processes to agents: Register every autonomous agent with a business owner, assign a unique identity, and tie termination to discovery so abandoned agent accounts are removed promptly.
  • Replace standing access with task-scoped credentials: Use short-lived credentials, vault checkout, and automatic rotation on check-in so agent access expires with the task rather than persisting as a reusable secret.
  • Continuously compare granted and used privileges: Baseline what the agent can access, then monitor what it actually uses so least privilege can be enforced in real time and recertification can focus on exceptions.
  • Create a human accountability chain for assistant activity: Tie AI assistant sessions back to the employee who initiated them and require review for sensitive actions that would otherwise disappear inside a shared workflow.

Key takeaways

  • AI agents expose a governance gap because IAM controls built for humans and predictable service accounts do not fit actors that make independent runtime decisions.
  • Survey data cited in the article shows widespread scope drift and poor audit visibility, which turns agent governance into an immediate control issue rather than a future concern.
  • The practical response is to manage AI agents as identities with ownership, task-scoped access, and lifecycle controls, not as model features hidden inside existing user workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | AI agents with their own credentials behave like governed non-human identities.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access management are central to agent authorization and review.
OWASP Agentic AI Top 10 | | Agentic workflows and tool use create runtime identity and privilege risks.

Register every agent identity, assign ownership, and enforce lifecycle controls before granting access.


Key terms

  • Autonomous AI Agent: A software identity that can decide what to do, choose tools, and act without waiting for a human approval step. In identity governance, it must be managed as a distinct actor with ownership, entitlement boundaries, and revocation paths, not as a feature hidden inside another user account.
  • Delegated Token: A credential that lets an AI assistant operate on behalf of a human user inside that user’s identity context. It simplifies access, but it also makes attribution harder because the assistant’s actions can appear to be the person’s own actions unless session controls and auditing are explicit.
  • Task-scoped Access: Access granted for one bounded activity rather than as a persistent entitlement. For AI agents and other NHIs, task-scoped access reduces standing privilege and limits the blast radius of misuse, especially when the actor can act at machine speed or change behaviour mid-session.
  • Identity Blast Radius: The amount of damage a single identity can cause if it is misused, compromised, or over-entitled. For autonomous or delegated AI agents, blast radius is shaped by how far the identity can reach across systems, how quickly it can act, and how much audit evidence survives the session.


This post draws on content published by Delinea: Are identity management solutions ready for a digital AI-based workforce? Read the original.
