By NHI Mgmt Group Editorial Team
Published 2026-02-09
Domain: Announcements
Source: Entro Security

TL;DR: Claude Code and similar agentic tools can execute autonomous actions, touch repositories, and call MCP servers with little native auditability, leaving security teams blind to which identities were used or whether secrets were exposed, according to Entro Security. That visibility gap makes NHI governance and intent monitoring a requirement, not a nice-to-have.


At a glance

What this is: A product-focused analysis of Claude Code intent monitoring, built around the finding that AI agents can act faster than security teams can observe them.

Why it matters: Agentic AI turns developer workflows into NHI governance events, where identity, privilege, and auditability must be managed together.

By the numbers:

👉 Read Entro Security's intent monitoring analysis for Claude Code and AI agents


Context

Claude Code monitoring sits at the intersection of agentic AI and NHI governance. The central problem is not whether an AI agent can complete a task, but whether security teams can prove what it touched, which identity it used, and whether its actions stayed inside policy.

Traditional developer observability breaks down when software can choose tools, call external services, and chain actions without a human in the loop. In that model, a prompt becomes an access event and an MCP interaction becomes a governance event.

For most organisations, that is the starting position. AI agents are being introduced faster than identity controls, audit trails, and policy enforcement are being adapted around them.


Key questions

Q: How should security teams govern AI agents that use developer tools and MCP servers?

A: Treat the agent session as an identity event, not just an application event. Bind each session to a human owner, constrain the non-human identity it can use, scope MCP access to the task, and log prompts, tool calls, and downstream actions together. That gives security teams enough context to investigate misuse and enforce policy in real time.

Q: Why do AI agents create more NHI risk than ordinary developer automation?

A: AI agents can choose actions dynamically, call external services, and chain requests without a human approving each step. That increases the chance of overreach, secret exposure, and ambiguous attribution. Ordinary automation follows predefined paths, but autonomous agents can drift outside expected behaviour while still appearing to complete a legitimate task.

Q: What is the difference between logging agent actions and monitoring agent intent?

A: Logging records what happened, such as a tool call or API request. Intent monitoring tries to infer the purpose behind the sequence of actions, such as refactoring code or mapping a repository. Both matter, but intent alone is not enough. Teams still need policy controls that stop out-of-scope access even when the task looks legitimate.

Q: When should organisations treat AI agent sessions as privileged access?

A: Any time an agent can reach secrets, production systems, or external tools that can change state, the session should be treated as privileged access. The combination of autonomous decision-making and credentialed access creates the same governance burden as other high-risk identities, with stronger needs for scoping, logging, and review.


Technical breakdown

Why agentic CLI visibility is different from standard logging

Agentic command-line tools do not just emit events. They decide which tools to invoke, which repositories to query, and which remote services to contact based on the current session context. Standard logs often capture a command or API call, but they do not reconstruct the prompt, tool chain, and intermediate reasoning that led to the action. That leaves a gap between activity and intent. For NHI governance, the distinction matters because identity usage, privilege use, and data access are no longer separable events.

Practical implication: Use session-level telemetry that ties prompts, tool calls, and identities into one record.

How MCP server interactions expand the attack surface

MCP, or Model Context Protocol, lets AI agents reach tools and data sources through a standard interface. That improves integration, but it also creates a new control point where permissions, context, and content need to be monitored. If an agent can query a server, retrieve data, and then use that data to trigger another action, the security boundary is no longer the endpoint. It is the combination of agent identity, tool scope, and server trust.

Practical implication: Treat every MCP connection as a governed path with explicit scoping and logging.

Why intent classification is useful but not sufficient

Intent classification groups an agent's actions into a higher-level purpose, such as refactoring code, tracing a bug, or mapping a repository. That helps distinguish normal work from anomalous sequences that may indicate secret harvesting or reconnaissance. But intent is an analytic layer, not a control by itself. An agent can appear to be doing a legitimate task while still reaching data or identities it should not touch.

Practical implication: Pair intent analysis with policy enforcement, identity scoping, and alerting on out-of-policy data access.
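To make the distinction between an intent label and a policy check concrete, here is an added example (not code from Entro Security or from the NHIMG analysis). It classifies a constructed Claude Code-style tool-call trace into one of the purposes the text names, then shows why the label alone is not a control: a refactoring trace that also reads a `.env` file receives the same "refactoring" label as a clean one, and only a separate scope check notices the difference. The tool names, the event shape, the heuristics and the 40% threshold are all assumptions made for illustration.

```python
"""Heuristic intent classification over a Claude Code-style tool-call trace.

Added example, not code from Entro Security or NHIMG. The tool names
(Read, Edit, Grep, Glob, Bash), the event shape and the thresholds are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

SECRET_PATTERN = re.compile(r"password|passwd|secret|token|api[_-]?key|private key", re.I)
SECRET_FILENAMES = {".env", "credentials", "id_rsa"}


@dataclass(frozen=True)
class ToolCall:
    tool: str     # assumed tool names: Read, Edit, Grep, Glob, Bash
    target: str   # file path, glob, search pattern or command


def _looks_like_secret_access(call: ToolCall) -> bool:
    return bool(SECRET_PATTERN.search(call.target)) or PurePosixPath(call.target).name in SECRET_FILENAMES


def classify_intent(trace: list) -> str:
    """Infer the high-level purpose of a tool-call sequence.

    Returns "secret-harvesting", "refactoring", "repository-mapping" or "unknown".
    The label summarises the shape of the sequence; it is not a permission
    check, so a single out-of-scope read can hide inside a sequence that
    still looks like ordinary work.
    """
    if not trace:
        return "unknown"
    reads = {c.target for c in trace if c.tool == "Read"}
    edits = {c.target for c in trace if c.tool == "Edit"}

    # Secret harvesting: credential-looking searches or reads dominate the trace.
    secret_calls = sum(1 for c in trace if _looks_like_secret_access(c))
    if secret_calls / len(trace) >= 0.4:
        return "secret-harvesting"

    # Refactoring: every edited file also appears among the files read.
    if edits and edits <= reads:
        return "refactoring"

    # Repository mapping: only searches and reads, spread over several directories.
    read_dirs = {PurePosixPath(p).parent for p in reads}
    if all(c.tool in ("Read", "Grep", "Glob") for c in trace) and len(read_dirs) >= 3:
        return "repository-mapping"
    return "unknown"


def touched_secret_files(trace: list) -> list:
    """Policy-side check that ignores the intent label: which secret-bearing files were read."""
    return [c.target for c in trace
            if c.tool == "Read" and PurePosixPath(c.target).name in SECRET_FILENAMES]


# Constructed sample traces (not real session data).
BENIGN_REFACTOR = [
    ToolCall("Read", "/repo/src/auth.py"),
    ToolCall("Read", "/repo/src/utils.py"),
    ToolCall("Edit", "/repo/src/auth.py"),
    ToolCall("Edit", "/repo/src/utils.py"),
    ToolCall("Bash", "pytest tests/"),
]
# Same task shape, plus one read the task never needed.
DRIFTED_REFACTOR = BENIGN_REFACTOR[:2] + [ToolCall("Read", "/repo/.env")] + BENIGN_REFACTOR[2:]
MAPPING = [
    ToolCall("Glob", "**/*.py"),
    ToolCall("Grep", "def main"),
    ToolCall("Read", "/repo/src/app.py"),
    ToolCall("Read", "/repo/lib/db.py"),
    ToolCall("Read", "/repo/tests/test_app.py"),
    ToolCall("Read", "/repo/docs/README.md"),
]
HARVEST = [
    ToolCall("Grep", "password"),
    ToolCall("Grep", "api_key"),
    ToolCall("Read", "/repo/.env"),
    ToolCall("Read", "/home/dev/.aws/credentials"),
    ToolCall("Read", "/repo/src/config.py"),
]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_REFACTOR), ("drifted", DRIFTED_REFACTOR),
                        ("mapping", MAPPING), ("harvest", HARVEST)]:
        print(name, classify_intent(trace), touched_secret_files(trace))
```

Both refactoring traces come back as "refactoring"; only `touched_secret_files` reports the `.env` read in the drifted one. That is the gap the text describes: the classifier is useful for triage, the scope check is what actually enforces policy.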


NHI Mgmt Group analysis

Intent monitoring is becoming a core NHI control, not a niche observability add-on. When agentic tools can make their own tool choices, the security question shifts from whether an action happened to whether it was authorised in context. Traditional logging was built for deterministic software behaviour, not autonomous session chaining. Practitioners should treat intent visibility as part of the identity control plane.

Claude Code-style workflows create identity blast radius because one session can span users, tokens, repositories, and external services. A single task may involve a human initiator, a non-human token, one or more MCP servers, and a downstream privileged action. That makes attribution and scoping more important than raw event volume. Practitioners should design controls around session provenance and downstream privilege use.

Ephemeral access does not solve governance if the agent can still cross policy boundaries in real time. Short-lived credentials reduce persistence, but they do not prevent misuse, overreach, or invisible data access during the session. The governance problem is now behavioural as much as credential-based. Practitioners should align least privilege with runtime policy enforcement, not just credential rotation.

Agentic AI is collapsing the old boundary between developer tooling and identity infrastructure. The same workflows that create productivity also create access events, audit requirements, and potential investigation gaps. This is why NHI programmes need to absorb agent telemetry instead of treating it as a separate AI operations concern. Practitioners should fold agent observability into the existing identity and secrets programme.

Runtime governance gap: the missing layer is not more logs, but policy that can interpret and constrain autonomous activity while it is still in motion. The organisations that close this gap first will have a clearer view of who or what acted, with which identity, and for what purpose. Practitioners should build controls that decide in-session, not only after the fact.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • Only 80% of organisations report AI agents have already acted beyond their intended scope, including unauthorised system access, sensitive data sharing, and credential exposure.
  • For a broader control framework, see OWASP Top 10 for Agentic Applications 2026 for the identity, tool, and memory risks that sit behind agentic misuse.

What this signals

The next governance inflection point is not whether teams can observe an AI agent, but whether they can constrain it before privilege becomes drift. Identity blast radius, the combined exposure created when a single autonomous session can touch multiple credentials, tools, and data domains in one task, is where those risks converge, and teams that still separate AI operations from IAM will miss that control point. For programme owners, the priority is to make agent sessions visible inside the same control fabric as human access.

With 33% of organisations already reporting agent access to inappropriate or sensitive data, per the AI Agents: The New Attack Surface report, the issue is no longer theoretical. The practical challenge is to decide which sessions require step-up controls, which need tighter scoping, and which should be blocked entirely. That decision logic belongs in identity governance, not in a separate AI exception process.

A strong agent telemetry programme will soon be part of audit readiness for any team deploying coding assistants, workflow agents, or MCP-connected tools. Security leaders should expect questions about attribution, retention, and evidence quality as soon as these tools touch sensitive repositories or production systems. The organisations that build those controls early will spend less time reconstructing what an agent did after an incident.


For practitioners

  • Map every agent session to a named human owner: Tie each Claude Code or similar session to the initiating user, the non-human identity used, and the downstream systems contacted so that incident response can reconstruct accountability quickly.
  • Scope MCP permissions by task, not by tool family: Limit which MCP servers, repositories, and data domains an agent can reach for a specific workflow, then review those scopes regularly as tasks and privileges change.
  • Alert on identity and data boundary crossings: Flag sessions that access secrets, switch identities mid-task, or reach data outside the expected repository or service set, because those are the moments when agent behaviour becomes a governance issue.
  • Feed agent telemetry into identity and incident workflows: Route prompt history, tool calls, and response context into the same investigation and compliance processes used for privileged access so agent activity is not isolated from the rest of the security stack.
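The four practitioner steps above, and the session-level telemetry and MCP scoping points in the technical breakdown, fit in one small policy layer. The following is an added example, not code from Entro Security or from NHIMG: a session scope bound at start to one human owner, one non-human identity, one repository tree and a task-specific MCP allowlist; an `evaluate` function that decides allow, alert or block for each tool-use event and writes a record carrying the owner and both identities; and a JSON-lines export for the identity and incident pipeline. The event field names (`identity`, `tool_name`, `tool_input`, `mcp_server`), the sample trace and the secret-file list are assumptions chosen for illustration and only resemble a tool-use hook payload.

```python
"""Session-level governance for an agent session: owner binding, task-scoped
MCP and repository allowlists, and alerts on identity or data boundary crossings.

Added example, not code from Entro Security or NHIMG. The event field names
(identity, tool_name, tool_input, mcp_server) are assumed for illustration
and only resemble a tool-use hook payload.
"""
import json
import posixpath
from dataclasses import dataclass, field
from pathlib import PurePosixPath

SECRET_FILENAMES = {".env", "credentials", "id_rsa", "id_ed25519"}
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


@dataclass
class SessionScope:
    """Task-scoped policy bound to one session when it starts."""
    session_id: str
    human_owner: str                 # named person accountable for the session
    nhi_identity: str                # the one non-human identity the session may use
    repo_root: str                   # the only tree this task may touch
    allowed_mcp_servers: frozenset   # MCP servers this task needs, not the whole catalogue
    log: list = field(default_factory=list)   # one record per event: identity + call + decision


def _escalate(current: str, new: str) -> str:
    return new if SEVERITY[new] > SEVERITY[current] else current


def _inside(path: str, root: str) -> bool:
    """True if `path` (after collapsing '..' segments) lies under `root`."""
    try:
        PurePosixPath(posixpath.normpath(path)).relative_to(PurePosixPath(root))
        return True
    except ValueError:
        return False


def evaluate(scope: SessionScope, event: dict) -> dict:
    """Decide allow / alert / block for one tool-use event and log the full record."""
    decision, reasons = "allow", []
    tool_input = event.get("tool_input", {})

    # Boundary crossing 1: a different identity than the one bound at session start.
    ident = event.get("identity")
    if ident != scope.nhi_identity:
        reasons.append(f"identity switch: {ident!r} is not the bound identity {scope.nhi_identity!r}")
        decision = _escalate(decision, "block")

    # Boundary crossing 2: an MCP server the task was never scoped to.
    server = event.get("mcp_server")
    if server is not None and server not in scope.allowed_mcp_servers:
        reasons.append(f"mcp server {server!r} is outside the task scope")
        decision = _escalate(decision, "block")

    # Boundary crossing 3: a file outside the repository, or a secret-bearing file inside it.
    path = tool_input.get("file_path")
    if path is not None:
        if not _inside(path, scope.repo_root):
            reasons.append(f"path {path!r} is outside {scope.repo_root!r}")
            decision = _escalate(decision, "block")
        elif PurePosixPath(path).name in SECRET_FILENAMES:
            reasons.append(f"secret-bearing file {path!r} read inside the repository")
            decision = _escalate(decision, "alert")

    record = {
        "session_id": scope.session_id,
        "human_owner": scope.human_owner,      # attribution travels with every event
        "bound_identity": scope.nhi_identity,
        "event_identity": ident,
        "tool_name": event.get("tool_name"),
        "mcp_server": server,
        "tool_input": tool_input,
        "decision": decision,
        "reasons": reasons,
    }
    scope.log.append(record)
    return record


def run(scope: SessionScope, events: list) -> list:
    """Evaluate a whole session and return the decision per event."""
    return [evaluate(scope, e)["decision"] for e in events]


def export_jsonl(scope: SessionScope) -> str:
    """Serialise the session log as JSON lines for the identity / incident pipeline."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in scope.log)


def new_scope() -> SessionScope:
    # Constructed sample scope: one owner, one NHI, one repo, two MCP servers.
    return SessionScope("sess-0001", "alice@example.com", "svc-claude-code",
                        "/repo", frozenset({"github", "jira"}))


# Constructed sample trace for one session (not real telemetry).
EVENTS = [
    {"identity": "svc-claude-code", "tool_name": "Read", "tool_input": {"file_path": "/repo/src/auth.py"}},
    {"identity": "svc-claude-code", "tool_name": "mcp__jira__get_issue", "mcp_server": "jira", "tool_input": {"key": "SEC-42"}},
    {"identity": "svc-claude-code", "tool_name": "Read", "tool_input": {"file_path": "/repo/.env"}},
    {"identity": "svc-claude-code", "tool_name": "mcp__slack__post", "mcp_server": "slack", "tool_input": {"text": "done"}},
    {"identity": "svc-deploy-prod", "tool_name": "Read", "tool_input": {"file_path": "/repo/../home/dev/.aws/credentials"}},
]

if __name__ == "__main__":
    scope = new_scope()
    print(run(scope, EVENTS))   # ['allow', 'allow', 'alert', 'block', 'block']
    print(export_jsonl(scope))
```

The path check normalises `..` before comparing against the repository root, so a traversal out of `/repo` is treated as outside the scope rather than as a file under it. Every record carries the human owner and the bound identity next to the identity the event actually used, which is what lets an investigator reconstruct accountability from the log alone.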

Breaches seen in the wild

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


Key takeaways

  • AI agents turn developer workflows into identity-governed sessions, which means visibility and attribution are now core security controls.
  • The evidence gap is already measurable, with broad concern about agent risk and limited policy coverage across organisations.
  • Teams should enforce task-scoped permissions, session-level logging, and real-time policy checks before agent sprawl outpaces governance.

Key terms

  • Agentic Intent Monitoring: A method of observing autonomous AI sessions by combining prompts, tool calls, and response context into one trace. It helps teams infer what an agent was trying to do, not just which API calls it made. In practice, it supports investigation, anomaly detection, and policy enforcement for non-human identities.
  • Model Context Protocol: A standard interface that lets AI agents connect to tools and data sources. In security terms, MCP creates a governed path where permissions, context, and logging need to be explicit because the agent can act on information it retrieves. That makes MCP a core control point for agentic AI risk.
  • Identity Blast Radius: The total exposure created when one autonomous session can use multiple identities, credentials, and tools across several systems. It is a practical way to describe how quickly agentic behaviour can widen access risk. Managing blast radius means limiting scope, timing, and downstream privilege together.

What's in the full article

Entro's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step setup for the Claude Code marketplace plugin and session logging hooks
  • Examples of intent classification output across real development workflows
  • Operational guidance for correlating prompts, MCP requests, and identity usage in Entro
  • The platform workflow for alerting when an agent accesses secrets or behaves outside expected patterns

👉 The full Entro Security article shows how the plugin captures sessions, MCP activity, and identity context

Deepen your knowledge

AI agent identity governance and session-level visibility are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for Claude Code or similar tools, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org