By NHI Mgmt Group Editorial Team
Published 2026-05-05
Domain: Agentic AI & NHIs
Source: 1Kosmos

TL;DR: Know Your Agent (KYA) shifts AI agent governance from registration-time checks to runtime authentication and authorization, tying consequential actions to a verified human owner and a cryptographic audit trail, according to 1Kosmos. The core issue is assumption collapse: traditional IAM assumes access can be validated once and remain stable, but autonomous agents decide and act at execution time.


At a glance

What this is: An analysis of Know Your Agent (KYA), an identity framework that validates an AI agent's identity, authority, and scope at execution time rather than only at registration.

Why it matters: IAM, PAM, and NHI programmes built around static credentials and scheduled access reviews do not fully govern agents that decide what to do, and do it, at runtime.



Context

Know Your Agent is a runtime identity model for autonomous AI agents, not a one-time registration check. The governance problem is that traditional identity controls assume access is fixed long enough to be reviewed, but agentic systems decide what to do only after they receive a prompt and begin execution.

That breaks the usual NHI and IAM split between identity proof, permission assignment, and later audit. For security teams, the real issue is whether an agent can be tied to a verified owner, constrained to a current scope, and stopped before a consequential action reaches a target system.

The article frames KYA as an execution-plane control for agent behaviour, which is where conventional service-account thinking starts to fail. NHIMG has analysed the broader agentic risk pattern in the OWASP NHI Top 10 and related agent security guidance.


Key questions

Q: How should security teams govern AI agents that can make runtime decisions?

A: Security teams should govern AI agents at the moment of execution, not only at registration. That means validating agent identity, checking the requested scope, and pausing high-risk actions for human approval before the tool is reached. The key design choice is to treat agent behaviour as dynamic authority, not as static machine access.

Q: Why do autonomous agents break traditional NHI controls?

A: Autonomous agents break traditional NHI controls because they do not follow a fixed script. They can choose tools, parameters, and timing at runtime, so a permission model built for deterministic service accounts no longer matches the real action path. Static credentials may still authenticate the agent, but they do not govern what it decides to do next.

Q: What is the main failure mode when AI agent credentials are too broad?

A: The main failure mode is scope drift, where the agent discovers or inherits authority beyond the task it was meant to perform. Once a broad credential exists, the agent can use that access to act outside its intended purpose, including destructive or data-sensitive operations. Broad credentials turn a narrow task into an enterprise-wide exposure.

Q: Who should be accountable when an AI agent takes an unauthorised action?

A: Accountability should sit with the human owner who authorised the agent and the controls that allowed the action to proceed. If the organisation cannot identify who issued the credential, what scope was granted, and whether approval was required, then the governance model is too weak for agentic operations. Accountability must be built into the identity chain.


Technical breakdown

Runtime authentication for AI agents

Runtime authentication means the system re-validates an agent at the moment it tries to do something consequential, rather than trusting a credential issued earlier. In KYA, that validation sits in front of tool execution so the request is checked before it reaches the target system. This matters because AI agents are non-deterministic: they can select tools, parameterise actions, and change execution paths based on prompt context. A registration-only model cannot distinguish a benign action from a risky one once the agent starts reasoning at runtime.

Practical implication: move sensitive agent actions behind a real execution gate, not just an onboarding workflow.

Verifiable credentials and scoped agent authority

Verifiable credentials replace static, open-ended machine secrets with cryptographically signed, time-bound tokens that carry issuer identity, agent binding, permitted scope, and environmental context. That design limits the usefulness of a leaked token because the credential expires automatically and authorises only a narrow action set; the limit only holds if the verifier actually enforces expiry, scope, and environment on every request and the lifetime is short relative to the task. The cryptographic audit trail also links activity back to the human who approved it. For agent governance, that is the difference between generic machine access and attributable, moment-specific authority.

Practical implication: treat static API keys for agents as a liability unless they are replaced with scoped, expiring credentials.
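As an added example (not 1Kosmos's or NHIMG's code, and not a real KYA implementation), the following shows the credential shape the passage describes and the checks a verifier has to make at the execution gate: issuer, agent binding, owner, scope, environment, and expiry, plus rejection of a token whose scope has been widened after signing. The claim names, the issuer key, and the agent and owner identifiers are assumptions. HMAC-SHA256 is used to keep the example standard-library only; a production issuer would use an asymmetric signature (for example Ed25519) so that verifiers hold only a public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed demo key shared by issuer and verifier. Real deployments should
# use an asymmetric signature so the verifier never holds signing material.
ISSUER_KEY = b"demo-issuer-key-do-not-use"


class CredentialError(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: str) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def issue_credential(key, issuer, agent_id, owner, scope, env, ttl_s, now=None):
    """Mint a scoped, time-bound credential bound to one agent and its human owner."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer,          # who issued the authority
        "sub": agent_id,        # the agent the credential is bound to
        "owner": owner,         # accountable human
        "scope": sorted(scope), # permitted actions, nothing else
        "env": env,             # environmental constraint (e.g. prod vs staging)
        "iat": int(now),
        "exp": int(now) + ttl_s,
    }
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{payload}.{_sign(key, payload)}"


def verify_credential(key, token, env, now=None):
    """Re-validate the token at the moment of use: signature, expiry, environment."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".")
    except ValueError:
        raise CredentialError("malformed token")
    if not hmac.compare_digest(_sign(key, payload), tag):
        raise CredentialError("bad signature")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        raise CredentialError("expired")
    if claims["env"] != env:
        raise CredentialError(f"issued for env {claims['env']!r}, presented in {env!r}")
    return claims


def in_scope(claims, action):
    return action in claims["scope"]


def demo():
    t0 = 1_800_000_000  # constructed fixed clock so the demo is deterministic
    token = issue_credential(ISSUER_KEY, "idp.example", "agent-42", "alice@example.com",
                             ["crm:read", "crm:update"], "prod", 300, now=t0)
    out = {}
    claims = verify_credential(ISSUER_KEY, token, "prod", now=t0 + 10)
    out["owner"] = claims["owner"]
    out["read_in_scope"] = in_scope(claims, "crm:read")
    out["delete_in_scope"] = in_scope(claims, "crm:delete")

    def rejected(tok, env, now):
        try:
            verify_credential(ISSUER_KEY, tok, env, now=now)
            return False
        except CredentialError:
            return True

    out["expired_rejected"] = rejected(token, "prod", t0 + 301)   # past the 300 s TTL
    out["env_rejected"] = rejected(token, "staging", t0 + 10)    # wrong environment
    # Tamper: widen the scope in the payload and keep the old tag.
    payload, tag = token.split(".")
    widened = json.loads(_unb64(payload))
    widened["scope"].append("crm:delete")
    forged = _b64(json.dumps(widened, sort_keys=True, separators=(",", ":")).encode()) + "." + tag
    out["tamper_rejected"] = rejected(forged, "prod", t0 + 10)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `demo` function is the negative cases: the same token is accepted ten seconds after issue, rejected once the TTL has passed, rejected in the wrong environment, and rejected when its scope is widened, because the tag no longer covers the payload. An in-scope check on its own is not enough; the verifier has to run all of those checks on every consequential request.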

Human approval at the execution plane

KYA uses step-up human approval for high-risk actions, with policy thresholds determining when an agent can act automatically and when it must stop for review. The important architectural point is that the approval decision is decoupled from the agent's execution path, so the human owner can approve or deny before the tool is reached. That creates a control boundary around money movement, infrastructure changes, and sensitive data access. It also preserves accountability by keeping the human authoriser in the chain for consequential actions.

Practical implication: define high-risk agent actions explicitly and route them through approval before any downstream system call.
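As an added example of the execution gate described in the "Runtime authentication" and "Human approval at the execution plane" sections (illustrative code, not 1Kosmos's or NHIMG's), the gate below takes already-verified credential claims, checks agent binding and scope, classifies the request by consequence, lets low-risk and small-value actions through, and parks high-risk actions as a pending approval that a human resolves out of band. The risk tiers, the spend threshold, the action naming scheme and the identifiers are assumptions. One detail worth copying: the approval is bound to a hash of the exact request, so an agent cannot obtain approval for one payee and then execute with another.

```python
import hashlib
import json
import uuid
from dataclasses import dataclass, field

# Assumed, illustrative policy. Actions are named "system:verb", e.g. "crm:read".
ALWAYS_REVIEW = {"delete", "deploy", "grant", "export"}   # infra changes, data export, privilege grants
READ_ONLY = {"read", "list", "search"}
SPEND_THRESHOLD = 1000.0                                  # money movement above this stops for review


@dataclass
class ToolRequest:
    agent_id: str
    action: str                 # e.g. "payments:transfer"
    target: str                 # downstream system or resource
    params: dict = field(default_factory=dict)

    def fingerprint(self) -> str:
        """Stable hash of the exact request; approvals are keyed on it."""
        body = {"agent": self.agent_id, "action": self.action,
                "target": self.target, "params": self.params}
        return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def risk_tier(req: ToolRequest) -> str:
    verb = req.action.split(":")[-1]
    if verb in ALWAYS_REVIEW:
        return "high"
    if float(req.params.get("amount", 0)) > SPEND_THRESHOLD:
        return "high"
    return "low" if verb in READ_ONLY else "medium"


class ExecutionGate:
    def __init__(self):
        self._approvals = {}   # approval_id -> {"fingerprint", "status", "approver", "owner"}

    def decide(self, claims: dict, req: ToolRequest, approval_id=None) -> dict:
        # 1. The credential presented must be bound to the calling agent.
        if claims.get("sub") != req.agent_id:
            return {"decision": "deny", "reason": "credential not bound to this agent"}
        # 2. The action must be inside the credential's current scope.
        if req.action not in claims.get("scope", []):
            return {"decision": "deny", "reason": f"{req.action} outside scope"}
        tier = risk_tier(req)
        if tier != "high":
            return {"decision": "allow", "tier": tier}
        # 3. High-risk: proceed only with a human decision for this exact request.
        if approval_id is None:
            new_id = uuid.uuid4().hex
            self._approvals[new_id] = {"fingerprint": req.fingerprint(), "status": "pending",
                                       "approver": None, "owner": claims.get("owner")}
            return {"decision": "pending", "tier": tier, "approval_id": new_id,
                    "route_to": claims.get("owner")}
        rec = self._approvals.get(approval_id)
        if rec is None or rec["fingerprint"] != req.fingerprint():
            return {"decision": "deny", "reason": "approval does not match this request"}
        if rec["status"] == "pending":
            return {"decision": "pending", "tier": tier, "approval_id": approval_id}
        if rec["status"] == "approved":
            return {"decision": "allow", "tier": tier, "approver": rec["approver"]}
        return {"decision": "deny", "reason": f"denied by {rec['approver']}"}

    def record_approval(self, approval_id: str, approver: str, approved: bool) -> None:
        """Called from the human side (ticket, chat, console), never by the agent."""
        rec = self._approvals[approval_id]
        if rec["status"] != "pending":
            raise ValueError("approval already resolved")
        rec["status"] = "approved" if approved else "denied"
        rec["approver"] = approver


def demo():
    gate = ExecutionGate()
    # Constructed claims, as a verifier would return them after checking the credential.
    claims = {"sub": "agent-42", "owner": "alice@example.com", "scope": ["crm:read", "payments:transfer"]}
    out = {}
    out["read"] = gate.decide(claims, ToolRequest("agent-42", "crm:read", "crm"))["decision"]
    small = ToolRequest("agent-42", "payments:transfer", "bank", {"amount": 250, "to": "ACME"})
    out["small_transfer"] = gate.decide(claims, small)["decision"]
    big = ToolRequest("agent-42", "payments:transfer", "bank", {"amount": 50000, "to": "ACME"})
    first = gate.decide(claims, big)
    out["big_transfer_first"] = first["decision"]
    aid = first["approval_id"]
    gate.record_approval(aid, "alice@example.com", approved=True)   # owner approves out of band
    out["big_transfer_approved"] = gate.decide(claims, big, approval_id=aid)["decision"]
    swapped = ToolRequest("agent-42", "payments:transfer", "bank", {"amount": 50000, "to": "EVIL"})
    out["swapped_params"] = gate.decide(claims, swapped, approval_id=aid)["decision"]
    out["out_of_scope"] = gate.decide(claims, ToolRequest("agent-42", "crm:delete", "crm"))["decision"]
    out["wrong_agent"] = gate.decide(claims, ToolRequest("agent-7", "crm:read", "crm"))["decision"]
    return out


if __name__ == "__main__":
    print(demo())
```

The agent only ever sees allow, deny, or pending; it cannot resolve an approval itself, which is what "decoupled from the execution path" means in practice. Scope is checked before risk is assessed, so an out-of-scope action is refused outright rather than queued for a human to rubber-stamp.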



NHI Mgmt Group analysis

Know Your Agent is an execution-plane response to a broken IAM assumption. Traditional identity governance was designed for access that is granted, then reviewed later. That assumption fails when the actor is autonomous because the agent decides which tool to use and when to use it only at runtime. The implication is that registration-time identity checks no longer describe the actual risk surface.

Static machine identity is too coarse for agentic behaviour. Service accounts and API keys assume the caller follows a known script, but autonomous agents can search for tools, choose parameters, and shift scope mid-session. That creates a governance gap between issued permission and actual action. The practitioner conclusion is that machine identity controls must now account for decision-making, not just authentication.

Cryptographic auditability becomes the control that makes agent accountability possible. If an agent can act at machine speed across many systems, the post-incident question is not simply whether it had access but who authorised the specific action and under what scope. KYA’s value is that it preserves a trace from human authoriser to agent execution. For the field, that elevates audit evidence from a reporting artifact to a core identity control.

Agent governance is converging with broader identity lifecycle discipline. The ghost-agent problem described in the article is the same lifecycle failure identity teams already know from orphaned accounts, but the consequences are sharper because autonomous agents can keep acting without a stable human operator in view. That is where NHI governance, PAM oversight, and offboarding discipline meet agentic AI. Practitioners should read this as a lifecycle problem with autonomous execution attached.

OWASP NHI Top 10 remains relevant because agentic systems inherit NHI weaknesses and amplify them. The article’s runtime scope checks, credential binding, and approval gates all map to the same control family that governs non-human identity exposure. The difference is that autonomous behaviour turns old NHI weaknesses into faster-moving execution risk. The practitioner conclusion is to extend NHI governance into agent runtime, not to treat agents as a separate security silo.

From our research:

  • 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a broader control lens, read OWASP NHI Top 10 for the main agentic failure patterns practitioners are now mapping.

What this signals

Runtime approval will become the dividing line between governed and merely observed agents. Teams that can already tie agent actions to current scope and owner approval will be able to absorb faster adoption with less ambiguity. The rest will keep discovering that logs are not the same thing as control, especially when agents act at machine speed.

The governance question is moving from whether agents exist to whether their authority can be revoked, narrowed, or paused before execution completes. That is a lifecycle problem as much as an access problem, which is why agent programmes need IAM, PAM, and NHI ownership in the same operating model.

The strongest programmes will define a named control concept around agent runtime, not just “AI policy.” If you can explain which actions require review, which credentials expire automatically, and which owner is accountable, you already have the structure for runtime identity control.


For practitioners

  • Map which agent actions require runtime approval: Classify agent operations by consequence, not by workload type. Put sensitive data access, destructive changes, spend authority, and infrastructure modification behind an execution gate that can stop the action before the tool call is made.
  • Replace persistent agent secrets with time-bound credentials: Eliminate long-lived API keys for AI agents where possible and issue scoped credentials with explicit expiry, issuer attribution, and environment constraints. That reduces the chance that an agent can keep acting after its original task or owner has changed.
  • Bind each agent to a named human owner: Require every production agent to have a current accountable owner and an offboarding path. If the owner leaves, the agent should lose authority automatically instead of continuing on inherited credentials.
  • Instrument an audit trail for consequential actions: Log the agent identity, human approver, requested scope, target system, and final outcome for every high-risk action. That evidence is essential for incident reconstruction, compliance review, and privilege investigation.
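As an added example covering the last two items above and the ghost-agent point in the analysis section (illustrative code, not 1Kosmos's or NHIMG's), the following binds every agent to an active human owner, withdraws the agent's authority the moment that owner is offboarded, and keeps a hash-chained audit record of consequential actions so that tampering with history is detectable. The owner directory stands in for whatever HR or IdP source an organisation treats as authoritative; the identifiers and the record fields are assumptions.

```python
import hashlib
import json
import time


class OwnerDirectory:
    """Assumed stand-in for the HR/IdP system that says who is still an active person."""
    def __init__(self):
        self._active = set()

    def onboard(self, person):
        self._active.add(person)

    def offboard(self, person):
        self._active.discard(person)

    def is_active(self, person):
        return person in self._active


class AgentRegistry:
    def __init__(self, owners: OwnerDirectory):
        self._owners = owners
        self._agents = {}   # agent_id -> {"owner", "scope", "state"}

    def register(self, agent_id, owner, scope):
        if not self._owners.is_active(owner):
            raise ValueError("every production agent needs an active human owner")
        self._agents[agent_id] = {"owner": owner, "scope": set(scope), "state": "active"}

    def revoke(self, agent_id, reason):
        self._agents[agent_id]["state"] = f"revoked:{reason}"

    def state(self, agent_id):
        return self._agents[agent_id]["state"]

    def ghost_agents(self):
        """Agents still marked active whose owner is no longer an active person."""
        return sorted(aid for aid, a in self._agents.items()
                      if a["state"] == "active" and not self._owners.is_active(a["owner"]))

    def authority(self, agent_id):
        """Current owner and scope, or None if the agent is revoked or has no accountable owner."""
        a = self._agents.get(agent_id)
        if a is None or a["state"] != "active":
            return None
        if not self._owners.is_active(a["owner"]):
            # Owner left: the agent loses authority instead of coasting on inherited credentials.
            self.revoke(agent_id, "owner-offboarded")
            return None
        return {"owner": a["owner"], "scope": set(a["scope"])}


class AuditTrail:
    """Append-only, hash-chained record of consequential agent actions."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, agent_id, approver, scope, target, action, outcome, ts=None):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"ts": int(time.time()) if ts is None else ts, "agent": agent_id,
                "approver": approver, "scope": sorted(scope), "target": target,
                "action": action, "outcome": outcome, "prev": prev}
        body["hash"] = self._digest(body)   # digest covers every field above, including prev
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """Return the index of the first broken record, or None if the chain is intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            expected = self._digest({k: v for k, v in rec.items() if k != "hash"})
            if rec["prev"] != prev or rec["hash"] != expected:
                return i
            prev = rec["hash"]
        return None


def demo():
    owners = OwnerDirectory()
    owners.onboard("alice@example.com")
    reg = AgentRegistry(owners)
    reg.register("agent-42", "alice@example.com", ["crm:read", "crm:update"])
    trail = AuditTrail()
    out = {"before": reg.authority("agent-42") is not None}
    trail.append("agent-42", "alice@example.com", ["crm:update"], "crm", "crm:update", "success", ts=1)
    out["chain_ok"] = trail.verify() is None
    owners.offboard("alice@example.com")          # the owner leaves the organisation
    out["ghosts"] = reg.ghost_agents()
    out["after"] = reg.authority("agent-42")
    out["state"] = reg.state("agent-42")
    trail.append("agent-42", None, [], "crm", "crm:update", "denied:owner-offboarded", ts=2)
    trail.records[0]["outcome"] = "failure"        # simulate someone editing history
    out["tamper_index"] = trail.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

`ghost_agents` is the report a lifecycle review would run; `authority` is what the execution gate would call per request, so an agent stops acting on the first request after its owner is gone rather than at the next scheduled review. The audit record carries exactly the fields the checklist asks for, and the chain means a modified outcome in an old record is visible on verification.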

Key takeaways

  • Know Your Agent reframes AI agents as runtime identity problems, not just onboarding problems.
  • The article’s core evidence is that autonomous agents need execution-time validation because static credentials and one-time checks do not match their behaviour.
  • Practitioners should focus on scoped credentials, human ownership, and approval gates for consequential actions before agent sprawl outpaces governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Agentic AI Top 10            (none cited)          Agent runtime scope and tool misuse are central to the article.
OWASP Non-Human Identity Top 10    NHI-03                Credential scope, rotation, and lifecycle are core to KYA design.
NIST CSF 2.0                       PR.AA                 Identity and access assurance maps to runtime validation and accountability.

Map agent execution flows to agentic threat patterns and require control gates before any tool call.


Key terms

  • Know Your Agent: A runtime identity framework for AI agents that validates which agent is acting, under whose authority, and within what scope at the point of execution. It extends identity assurance beyond registration so consequential actions can be tied to a current owner and a current permission boundary.
  • Runtime Authorization: An access decision made at the moment an identity attempts an action, rather than when it is first created or enrolled. For AI agents, runtime authorization matters because the system must evaluate the current task, target, and risk before permitting execution.
  • Verifiable Credential: A cryptographically signed credential that can carry issuer identity, scope, validity window, and binding to a specific identity. In agent governance, it replaces long-lived static secrets with time-bound authority that can expire automatically and be audited precisely.
  • Ghost Agent: An orphaned AI agent that continues operating after the human who created or owns it is no longer accountable. The term describes a lifecycle failure where identity persists without a clear owner, making offboarding and revocation difficult.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: Know Your Agent, runtime identity, and AI agent authorization. Read the original.
