By NHI Mgmt Group Editorial Team
Published 2026-03-23
Domain: Agentic AI & NHIs
Source: Token Security

TL;DR: AI agents are increasingly executing actions across enterprise systems, but the security model built for human users and deterministic workloads cannot reliably govern goal-driven behavior, according to Token Security. Identity, intent, and lifecycle controls now define whether autonomous access stays bounded or turns into persistent risk.


At a glance

What this is: An analysis of why AI agent security needs an intent-based model, with identity and lifecycle governance as the control layer.

Why it matters: IAM teams must govern autonomous software that can change behaviour at runtime, not just authenticate a static workload.



Context

AI agent security is becoming an identity problem, not just an application problem. As agents move from generating text to taking action, the controls designed for human users and deterministic software stop matching how access is actually used. That gap is now central to NHI governance because agents operate as non-human identities with tool access, runtime decisions, and changing objectives.

The core issue is not that agents are malicious by default. It is that their permissions, intent, and lifecycle often drift apart faster than security teams can review them. When access is broad, copied, or left in place after a project changes, the organization loses the ability to explain what an agent is allowed to do and why. That is not a tooling nuisance; it is a governance failure.

For practitioners, the starting point is typical rather than exceptional: most enterprises are retrofitting human-centric IAM patterns onto agentic systems. That approach can work for narrow pilots, but it fails once agents begin chaining actions across infrastructure, data, and operational workflows.


Key questions

Q: How should security teams govern AI agents that can take real actions?

A: Security teams should govern AI agents as non-human identities with explicit ownership, scoped privileges, and lifecycle review. The control model should tie access to the agent's intended purpose, then monitor runtime behaviour for actions that fall outside that purpose. That approach reduces blast radius when autonomy expands faster than human oversight.

Q: What is the difference between static IAM and intent-based security for agents?

A: Static IAM asks what an identity can access, while intent-based security asks what the identity is supposed to achieve. For AI agents, that difference matters because valid credentials do not guarantee safe behaviour. Intent adds context that makes policy decisions more precise when agents chain actions across systems.

Q: Why do AI agents create more governance risk than traditional service accounts?

A: AI agents create more governance risk because they can adapt their actions at runtime, accumulate privileges over time, and interact across many systems in a single workflow. Traditional service accounts usually execute narrow, predictable tasks. Agents can drift beyond their original scope unless ownership, policy, and review are continuous.

Q: Should organisations prioritise least privilege or lifecycle governance first for AI agents?

A: Organisations should do both, but least privilege should be applied together with lifecycle governance from the start. Least privilege limits immediate blast radius, while lifecycle controls prevent copied, repurposed, or abandoned agents from keeping access after the original need has changed. One without the other leaves material exposure.


Technical breakdown

Why AI agents break static IAM assumptions

Traditional IAM assumes a mostly stable relationship between identity, permission, and action. AI agents disrupt that assumption because they are goal-driven systems that plan, adapt, and choose different steps based on context. Two agents with the same permissions can take different paths to the same objective, and one agent can shift from harmless analysis to privileged action in the middle of a task. That makes static roles a weak proxy for real risk, especially when a task spans logging, ticketing, infrastructure, and data access.

Practical implication: review whether your access model can distinguish between allowed capability and allowed objective.

Intent-based authorization for agentic AI

Intent-based security adds a layer above raw entitlement. Instead of authorizing only what an identity can reach, it evaluates whether the action supports the declared purpose of the agent. That matters because reading logs, calling APIs, or changing a configuration can be legitimate in one workflow and dangerous in another. In practice, intent becomes the context that lets policy engines flag out-of-scope behavior even when the underlying credential is valid. This is especially relevant for agentic AI because autonomy creates legitimate variation in execution paths.

Practical implication: define purpose-bound policies before agents are allowed to act in production.

Lifecycle governance for AI agent identities

AI agents are easy to create, clone, and forget, which is why lifecycle governance matters as much as initial authorization. An agent may begin as a small automation experiment, then inherit broader access as it becomes useful and eventually operationally critical. If ownership, review, rotation, and retirement are not tracked, the organization accumulates dormant but valid access paths. For NHI programs, that means agents should be treated as first-class identities with an explicit owner, a documented purpose, and an expiry or review cadence.

Practical implication: put every agent on an ownership and review schedule, not just a deployment checklist.




NHI Mgmt Group analysis

Intent-based control is the right framing for agentic AI, but it only works when identity is treated as the enforcement point. AI agents are not just another workload class because they can branch, improvise, and chain actions across systems. That makes static permission sets too blunt and prompt filters too shallow. The practical conclusion is that identity policy must carry the context of purpose, scope, and runtime constraint.

AI agent sprawl creates a new form of trust debt: access is granted for experimentation and then silently retained for operations. That pattern is familiar in NHI programs, but agentic systems accelerate it because agents are easy to copy and embed into workflows. Once that happens, security teams inherit permissions they did not design and cannot easily justify. The field needs lifecycle governance that assumes agents will outlive their original use case.

Discover, understand, enforce is a workable operating model, but each step must be continuous rather than periodic. Discovery without ownership review does not reduce risk, and enforcement without intent context simply generates noise. Mature NHI governance will increasingly depend on linking identity inventory to purpose, privilege, and runtime telemetry. Practitioners should treat that linkage as a control objective, not a reporting feature.

Agentic AI is pushing IAM beyond authentication into behavioural authorization. The category shift is not about replacing identity controls, but about extending them to account for adaptive systems. That will complicate existing governance approaches at first because many teams still separate access review, workload identity, and policy enforcement. The better model is to converge them around the agent's purpose and blast radius.

Named concept: intent trust boundary. This is the point where an agent's declared purpose, accessible systems, and runtime behaviour are evaluated together. It is useful because many security teams are still looking only at credentials or roles. The stronger control objective is to define where the agent's legitimate intent ends and where abnormal action begins, then enforce accordingly.

From our research:

  • 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to The State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to GitGuardian.
  • As a forward lens, review Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for ownership, rotation, and retirement controls that reduce agentic access drift.

What this signals

Intent trust boundary: agentic AI will force programmes to connect identity inventory, purpose statements, and runtime telemetry into a single control loop. With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the gap is already visible in production governance.

The near-term programme question is not whether AI agents will appear in the environment, but whether teams can prove what each one was meant to do after it has been cloned, repurposed, or handed off. That is where NHI inventory, access review, and incident response start to converge.

Practitioners should expect agentic AI to pull workload identity, PAM, and policy enforcement closer together. The organisations that separate those functions will struggle to keep pace with access drift, while those that link them around declared intent will have a clearer path to governance.


For practitioners

  • Inventory every active AI agent and its identities: Map each agent to the service accounts, API keys, tokens, and cloud roles it uses. Record the owner, business purpose, and production dependencies so you can identify orphaned access and duplicated agents before they accumulate.
  • Define purpose-bound policy for each agent: Write authorization rules around the specific tasks an agent may perform, not just the systems it may reach. Start with the most sensitive workflows, such as infrastructure changes, customer data access, and incident response automation.
  • Add lifecycle review to the agent change process: Require review when an agent is cloned, retrained, repurposed, or promoted into production. Tie review to access recertification so permissions cannot drift beyond the original intent without an owner approving the change.
  • Instrument runtime checks for out-of-intent behaviour: Alert when an agent begins taking actions that do not match its declared objective, such as configuration changes from a reporting workflow or data export from a triage task. Use these signals to trigger step-up review or temporary suspension.
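
The checks in this list, and the intent-based authorization and lifecycle governance described in the technical breakdown, can be combined into one decision point. The sketch below is an added example, not code from Token Security or NHI Mgmt Group; the agent names, purposes, action and resource labels, and decision values are all hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Agent:
    owner: Optional[str]     # accountable person or team; None means orphaned
    purpose: str             # declared objective the agent was approved for
    review_due: date         # next lifecycle review / access recertification
    entitlements: FrozenSet[Tuple[str, str]]  # (action, resource) the credentials can reach

# Purpose-bound policy: what each declared purpose may do (hypothetical labels).
PURPOSE_POLICY = {
    "reporting": {("read", "logs"), ("read", "tickets")},
    "triage": {("read", "logs"), ("update", "tickets")},
}

def decide(agent, action, resource, today):
    """Evaluate entitlement, lifecycle state and declared intent together."""
    request = (action, resource)
    if request not in agent.entitlements:
        return "deny", "no entitlement"            # static IAM already blocks this
    if agent.owner is None:
        return "suspend", "no owner on record"     # orphaned or cloned agent
    if today > agent.review_due:
        return "suspend", "lifecycle review overdue"
    if request not in PURPOSE_POLICY.get(agent.purpose, set()):
        # Valid credential, but the action does not serve the declared purpose.
        return "step_up", f"out of intent for purpose '{agent.purpose}'"
    return "allow", "within declared purpose"

# Constructed sample data: three agents sharing one overbroad, copied entitlement set.
TODAY = date(2026, 3, 23)
BROAD = frozenset({("read", "logs"), ("read", "tickets"), ("update", "tickets"),
                   ("write", "config"), ("export", "customer_data")})
AGENTS = {
    "report-bot": Agent("platform-team", "reporting", date(2026, 6, 1), BROAD),
    "triage-bot": Agent("soc-team", "triage", date(2026, 6, 1), BROAD),
    "report-bot-copy": Agent(None, "reporting", date(2025, 12, 1), BROAD),
}
EVENTS = [("report-bot", "read", "logs"), ("report-bot", "write", "config"),
          ("triage-bot", "export", "customer_data"), ("report-bot-copy", "read", "logs"),
          ("triage-bot", "delete", "database")]

def evaluate(events, today=TODAY):
    """Return (agent, action, resource, decision, reason) for each runtime event."""
    return [(n, a, r, *decide(AGENTS[n], a, r, today)) for n, a, r in events]

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(" | ".join(row))
```

All three agents hold the same credentials, so a purely entitlement-based check would allow the first four events; only the purpose and lifecycle fields separate the in-scope read from the out-of-intent and orphaned cases.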

Key takeaways

  • AI agents break the assumption that permissions alone can define safe access, because their behaviour changes with context and objective.
  • The risk is already structural: autonomous systems create access drift, ownership gaps, and overbroad credentials faster than periodic IAM review can catch them.
  • Teams should govern agents as first-class non-human identities, combining least privilege, intent-based policy, and lifecycle review.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Agent identity inventory and ownership are central to this article.
NIST AI RMF | | Intent-based controls align with AI governance and accountability.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification supports runtime restriction of agent actions.

Use AI RMF GOVERN and MAP activities to document agent purpose, oversight, and escalation paths.


Key terms

  • Intent-based security: Intent-based security governs access by combining what an AI agent can do with what it is supposed to achieve. The model uses purpose, context, and runtime behaviour to decide whether an action remains within bounds. It is especially useful when agents adapt their plans during execution.
  • Non-human identity: A non-human identity is any credentialed entity that acts on systems without a person directly operating it, including service accounts, tokens, certificates, bots, workloads, and AI agents. These identities need ownership, scope, and lifecycle controls because they can persist long after the original use case changes.
  • Intent trust boundary: An intent trust boundary is the point at which an AI agent's declared purpose stops matching the actions it is performing. It helps teams separate legitimate autonomy from risky drift by evaluating purpose, permissions, and behaviour together. The concept is useful for policy enforcement and incident triage.
  • Lifecycle governance: Lifecycle governance is the discipline of tracking an identity from creation through review, change, and retirement. For AI agents, it means knowing who owns the agent, why it exists, what it can access, and when that access should be reduced or removed. Without it, valid access becomes stale risk.

What's in the full article

Token Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the platform maps agent intent to least-privilege enforcement across identities and workflows
  • Examples of runtime behavior checks used to detect when an agent moves beyond its declared objective
  • The Discover, Understand, and Enforce operating model as described by the vendor, including lifecycle governance framing
  • The platform's own category view of where AI agent security fits alongside IAM and NHI management

