TL;DR: Least privilege still matters in agentic AI, but an agent can remain within its permission set and still act outside its intended purpose, according to Zenity. The article argues that least agency, decision budgets, and runtime scoping are the missing governance layer because current controls assume behavior is bounded by access alone.
At a glance
What this is: This is an analysis of why least privilege is insufficient for AI agents and why least agency, runtime scoping, and decision budgets are needed to govern autonomous behaviour.
Why it matters: It matters because IAM, PAM, and identity governance teams now have to manage not just what agents can reach, but what they are allowed to do with that access across delegated workflows.
By the numbers:
- 97% of non-human identities carry excessive privileges.
Context
Least privilege is no longer enough for AI agents because access rights do not fully describe autonomous behaviour. An agent can stay inside its approved permissions and still query, sequence, or combine actions in ways that exceed its declared purpose, which is why AI agent governance has to extend beyond access control into runtime decision boundaries.
That creates a direct identity governance problem for agentic AI programmes. Traditional IAM can tell you what a service account or user may reach, but it cannot reliably express what an agent should be allowed to do, in what order, and under what conditions once it is operating independently across tools and datasets.
Key questions
Q: What breaks when least privilege is the only control for AI agents?
A: Least privilege breaks down because it only describes what an agent can access, not what it can autonomously do with that access. An agent can remain fully authorised and still sequence actions, combine data, or pursue queries that violate its intended purpose. That is why governance has to cover behaviour, conditions, and oversight, not just entitlement.
Q: Why do AI agents complicate identity governance programmes?
A: AI agents complicate identity governance because they turn runtime behaviour into an access problem. Traditional IAM can review permissions, but it cannot fully express whether an agent should be allowed to act, sequence, or delegate within a task. That makes least agency, runtime scoping, and decision limits essential controls for agentic environments.
Q: How do organisations know if agent governance is actually working?
A: They need evidence that the agent’s autonomous actions are narrower than its raw permission set and that scope changes are reviewed before they become default behaviour. A useful indicator is whether each agent class has a documented least agency ratio and whether delegation chains stop at defined human checkpoints when autonomy is exhausted.
Q: Who should own AI agent autonomy controls in the enterprise?
A: Ownership should sit jointly with identity governance, security architecture, and the product or platform team that runs the agent. The key accountability question is whether someone can approve, constrain, and revoke autonomous action as a lifecycle control. If no team owns those decisions, the agent’s behaviour is effectively unmanaged.
Technical breakdown
Least privilege versus least agency in AI agent governance
Least privilege limits reach, not behaviour. In agentic systems, the permission boundary says which systems the agent may touch, but it does not constrain how the agent reasons, how it sequences allowed actions, or whether a string of individually authorised steps still produces an unacceptable outcome. That is why least agency is a different control objective: it governs the autonomous action space, including sequencing, conditions, and oversight. This is especially relevant when prompt injection or task drift causes an agent to use legitimate access in unintended ways.
Practical implication: Separate permission review from behavioural authorisation and define action limits at the task level, not only at the credential level.
Runtime scoping and JIT access for agents
Dynamic scoping narrows an agent’s effective access based on the task it is performing at that moment. Just-in-time access adds temporal constraint by granting privilege only for the current operation and withdrawing it when the task ends or the risk posture changes. Together, they turn static entitlement into a runtime control plane. This is materially different from provisioning a broad service account and hoping downstream workflow logic will keep the agent aligned with intent.
Practical implication: Use task-bound authorisation, short-lived entitlements, and revocation triggers that follow the agent’s real workflow rather than its provisioning record.
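The difference between a standing entitlement and a task-bound, short-lived grant can be shown in a few lines. This is an added example, not code from Zenity or NHI Mgmt Group; the permission strings, task profiles, TTLs and the `RuntimeScoper` class are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed standing entitlement of one agent's service account (assumption).
STANDING = {"crm:read", "billing:read", "email:send"}

# Constructed task profiles: what each task needs, and for how many seconds.
TASK_PROFILES = {
    "summarise_ticket": ({"crm:read"}, 300),
    "send_invoice_reminder": ({"billing:read", "email:send"}, 120),
}


@dataclass
class Grant:
    task: str
    scope: frozenset
    expires_at: float
    revoked: bool = False


class RuntimeScoper:
    def __init__(self, clock):
        self.clock = clock  # injectable so expiry can be exercised offline
        self.grant = None

    def begin_task(self, task):
        needed, ttl = TASK_PROFILES[task]
        # A task grant can never exceed the standing entitlement.
        self.grant = Grant(task, frozenset(needed & STANDING), self.clock() + ttl)

    def end_task(self):
        # Revocation trigger: call on task completion or on a risk-posture change.
        if self.grant:
            self.grant.revoked = True

    def authorize(self, permission):
        g = self.grant
        if permission not in STANDING:
            return "deny: not entitled"
        if g is None or g.revoked:
            return "deny: no active task grant"
        if self.clock() >= g.expires_at:
            return "deny: grant expired"
        if permission not in g.scope:
            return f"deny: outside scope of task '{g.task}'"
        return "allow"
```

During `summarise_ticket` the agent still holds `billing:read` as a standing entitlement, yet the request is denied because the current task does not need it.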
Decision budgets for multi-agent delegation chains
Multi-agent systems can compound risk because each delegation hop expands the total autonomous decision scope. A decision budget treats autonomy as a finite resource that is consumed as work moves from orchestrator to sub-agent and from sub-agent to sub-agent. When the budget is exhausted, the chain must stop and return to a human decision point. The mechanism matters because a chain may remain technically authorised at each step while becoming collectively over-automated by the end of the sequence.
Practical implication: Set explicit delegation limits and require human re-approval before the chain can continue once the budgeted autonomy is consumed.
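A decision budget shared across a delegation chain might be enforced as follows. This is an added example, not code from Zenity or NHI Mgmt Group; the cost model (1 unit per action, 2 extra per delegation hop), the agent names and the `DecisionBudget` class are constructed assumptions.

```python
from dataclasses import dataclass, field

ACTION_COST, DELEGATION_COST = 1, 2  # constructed cost model (assumption)


class HumanCheckpointRequired(Exception):
    """The chain has consumed its autonomy allowance."""


@dataclass
class DecisionBudget:
    # One object is shared by the whole chain, so a sub-agent's spending
    # reduces what every later hop has left.
    remaining: int
    ledger: list = field(default_factory=list)  # audit trail of every decision

    def spend(self, agent, action, cost):
        if cost > self.remaining:
            self.ledger.append((agent, action, cost, "DENIED"))
            raise HumanCheckpointRequired(f"{agent}: {action}")
        self.remaining -= cost
        self.ledger.append((agent, action, cost, "OK"))

    def reapprove(self, approver, units):
        # Only an explicit human decision refills the budget.
        self.remaining = units
        self.ledger.append((approver, "re-approval", units, "REFILL"))


def run_chain(budget, steps, start=0):
    """steps: ordered (agent, action) pairs; a change of agent is a delegation hop.
    Returns the index of the first step NOT executed (len(steps) if all ran)."""
    for i in range(start, len(steps)):
        agent, action = steps[i]
        hop = i > 0 and steps[i - 1][0] != agent
        cost = ACTION_COST + (DELEGATION_COST if hop else 0)
        try:
            budget.spend(agent, action, cost)  # hop and action charged atomically
        except HumanCheckpointRequired:
            return i  # stop the chain; resume from here after re-approval
    return len(steps)


# Constructed chain: every step is individually permitted, the chain costs 11.
STEPS = [("orchestrator", "plan"), ("retriever", "query_crm"),
         ("retriever", "query_billing"), ("summariser", "draft_report"),
         ("mailer", "send_email")]
```

With a budget of 6 the chain halts before `draft_report`, and the ledger records the denial so a reviewer can see where autonomy ran out.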
NHI Mgmt Group analysis
Least privilege was designed for access boundaries, not behavioural boundaries. That assumption fails when an AI agent can stay fully authorised and still act in ways that diverge from its declared purpose. The implication is that identity governance has to evaluate autonomy as a control surface, not just entitlement, because permission alone no longer predicts risk.
Least agency is a necessary named concept because it captures the gap between what an agent can reach and what it should be allowed to do. In agentic environments, the security failure is not always over-permissioning. It is the inability of existing IAM and PAM models to express sequence, context, and oversight constraints on runtime action. Practitioners should treat this as a separate governance dimension, not a refinement of least privilege.
Decision budgets expose the real governance problem in multi-agent systems: autonomy compounds across delegation chains. Each handoff can remain locally valid while the chain as a whole exceeds the intent of the originating human or workflow. That is why agent governance cannot stop at the first approval gate, because the risk accumulates in the chain, not just at the endpoint.
AI agent programmes will create a new form of entitlement debt unless scope expansion is reviewed as rigorously as initial deployment. The article’s scope creep argument maps directly to identity lifecycle governance: agents gain new tools, new integrations, and new action paths over time. The practitioner conclusion is simple, but uncomfortable. If scope changes are not controlled, the review record becomes a fiction.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.
- Read OWASP Agentic AI Top 10 for the control patterns that map to prompt injection, tool misuse, and agentic privilege abuse.
What this signals
Least agency will become the practical control question for agentic AI programmes. Teams that only measure access scope will miss the real governance gap, because autonomy can create risk without any entitlement violation. The least agency ratio is the right programme signal because it forces security, IAM, and application owners to compare permission scope with permitted autonomous action in the same review cycle.
With 80% of organisations already seeing agents act beyond intended scope, the operational problem is no longer theoretical. The next governance step is to tie agent approvals to runtime checkpoints, delegation ceilings, and audit artefacts that show when an agent crossed from authorised access into unauthorised behaviour.
Practitioners should also track this through lifecycle controls, not just deployment approvals. The strongest signal of maturity is whether new tools, new data sources, and new delegations are reviewed before they quietly expand an agent’s effective authority.
For practitioners
- Define behavioural authorisation rules for agents: Write policy that limits which autonomous actions an agent may take, in what sequence, under what conditions, and with what oversight. Base approval on task intent and runtime context, not only on the underlying credential scope.
- Map runtime scoping to every high-risk agent workflow: Constrain the agent’s effective access to the current task, and withdraw access as soon as the task is complete or the context changes. Tie scoping to the live workflow rather than to a broad standing entitlement.
- Set decision budgets for delegated AI chains: Assign a finite autonomy allowance at the top of the chain and force a human checkpoint when that allowance is consumed. Apply the limit across orchestrator and sub-agent handoffs so compounding does not outrun intent.
- Review scope expansion as a lifecycle event: Treat new tools, new data sources, and new agent integrations as security changes that require review, evidence, and sign-off. Do not allow an agent’s effective authority to grow quietly between formal governance cycles.
Key takeaways
- Least privilege is necessary but insufficient for AI agents because behaviour can drift even when access remains authorised.
- The most useful governance signal is the least agency ratio, which compares what an agent may access with what it may autonomously do.
- Enterprises need runtime scoping, decision budgets, and lifecycle review for agent expansion if they want to keep autonomous behaviour inside policy.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | The article focuses on agent behaviour, tool use, and runtime governance for AI agents. |
| NIST AI RMF | | Least agency is a governance concept for autonomous AI behaviour and accountability. |
| NIST CSF 2.0 | PR.AC-4 | Access control must extend to autonomous action boundaries, not only credentials. |
Review AI agent entitlements and constrain runtime access according to least-privilege principles.
Key terms
- Least Agency: The smallest set of autonomous actions an AI agent should be allowed to take to complete its task. It extends beyond permissions to include sequencing, conditions, and oversight, because an agent can remain authorised while still behaving outside its intended purpose.
- Least Agency Ratio: A measure of the gap between what an agent is allowed to access and how much of that access it may act on autonomously. It is useful for comparing agent classes, identifying excess behavioural freedom, and reporting where runtime governance lags behind permissions.
- Decision Budget: A finite allocation of autonomous decision-making authority that can be consumed across an agent or multi-agent delegation chain. When the budget is used up, the system should return to a human decision point instead of continuing to compound autonomy.
- Dynamic Scoping: A runtime control that narrows an agent’s effective access to the exact task it is performing at that moment. Unlike static provisioning, dynamic scoping changes as the workflow changes, which helps prevent agents from using broadly granted access in ways that are no longer appropriate.
This post draws on content published by Zenity: Least Privilege Isn't Enough for AI Agents. You Need Least Agency. Read the original.
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org