By NHI Mgmt Group Editorial TeamPublished 2026-02-05Domain: AI SecuritySource: Knostic

TL;DR: Many apparent social and autonomous actions in MoltBook-style agent behaviour are actually prompt-driven routines, according to Knostic’s analysis, while the real security risk comes from exposed instructions, remote skill updates, and the lethal trifecta of private data, untrusted input, and external actions. The governance problem is no longer whether agents seem intelligent, but whether their prompts, tools, and update paths are controlled as NHI-like execution surfaces.


At a glance

What this is: The article argues that MoltBook-style AI agent behaviour is prompt-configured, not emergent, and that the real risk lies in exposed instructions, remote skill updates, and unsafe agent execution paths.

Why it matters: This matters because IAM, PAM, and NHI programmes must treat agent prompts, tool access, and configuration drift as governance boundaries, not as informal behavioural settings.

👉 Read Knostic's analysis of MoltBook-style AI agent mechanics and security risks


Context

AI agents do not become safe because their behaviour looks human. When prompts, timers, and remote skill files determine what an agent can do, the security model shifts from conversation management to control of execution, update paths, and privileged tool access. In NHI terms, that is a governance problem as much as an AI problem.

The article is especially relevant to identity teams because agentic systems increasingly resemble non-human identities with mutable permissions, delegated actions, and indirect access to sensitive data. If a prompt or remote configuration can change what the agent does, then identity lifecycle, secrets control, and policy enforcement become part of the same attack surface.


Key questions

Q: How should security teams govern AI agents that can change behaviour at runtime?

A: Security teams should govern runtime-changing AI agents like privileged non-human identities. That means versioning prompts and rule files, controlling who can edit them, logging every change, and separating instruction updates from execution privileges. If a prompt can change what an agent may read or do, it is a policy object, not a configuration convenience.

Q: Why do AI agents create identity governance problems for IAM teams?

A: AI agents create identity governance problems because they can hold credentials, access sensitive data, and take actions without a person in the loop for every step. Traditional IAM assumes a stable subject and a reviewable lifecycle. Agentic systems change behaviour through prompts, tools, and remote instructions, so governance must cover runtime authority as well as authentication.

Q: What breaks when prompt files are not treated as controlled assets?

A: When prompt files are not controlled, the agent’s behaviour can drift without a corresponding access review or security approval. That creates a gap between intended policy and actual execution, especially when prompts can shape tool use, escalation, or disclosure. The result is an identity boundary that looks intact on paper but is unstable in runtime.

Q: How can organisations reduce risk from untrusted AI agent inputs?

A: Organisations should separate untrusted inputs from privileged actions and require policy checks before the agent can act on them. That includes limiting what data the agent can access, constraining the tools it can call, and monitoring for instruction changes delivered through extensions or remote files. The key control is not trust in the model, but containment around the model.


Technical breakdown

Prompt-driven behaviour versus autonomous decision-making

The article shows that many visible agent behaviours are deterministic instructions wrapped in human-like language. Timers, topic templates, and follow rules create the appearance of discretion, but the underlying system is still executing predefined logic. That matters because the control boundary is not the user interface or the model personality. It is the prompt, the rule file, and any configuration that can change agent behaviour without separate review.

Practical implication: treat prompt and rule files as governed configuration, with change control, review, and drift detection.

Remote skill updates as an execution channel

A remote skill file that is fetched and executed on a schedule turns configuration into a live supply chain. If the remote source changes, the agent changes with it, which means compromise of the update path becomes compromise of the agent. This is the same basic failure pattern seen in any unsigned or unverified runtime dependency, except here the dependency alters behaviour and access decisions rather than just code.

Practical implication: validate agent update sources, restrict remote retrieval, and require integrity checks before execution.

The lethal trifecta in agentic environments

The article applies the lethal trifecta correctly: private data, untrusted content, and external actions create a condition where an agent can be manipulated into leaking information or taking unsafe steps. In enterprise deployments, that means the model, MCP server, and connected tools form a single risk chain. If any one layer trusts the others too much, the agent can become a proxy for data exfiltration or unauthorised action.

Practical implication: separate data exposure, input trust, and action authority so one compromised layer cannot complete the whole attack chain.


Threat narrative

Attacker objective: The attacker’s objective is to turn the agent’s trusted execution path into a covert channel for data exposure, unsafe action, or downstream compromise.

  1. Entry occurs when an attacker or malicious content influences a prompt, remote skill file, or MCP-connected instruction path that an agent will later execute.
  2. Escalation follows when the agent inherits expanded behaviour or tool usage from that instruction path, including access to private data and the ability to take external actions.
  3. Impact occurs when the agent leaks sensitive information, executes unsafe tasks, or propagates compromised instructions into broader enterprise workflows.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Prompt files are becoming identity controls, whether security teams recognise them or not. The article makes clear that behaviour in agentic systems is shaped by prompts, timers, and rule files rather than by stable autonomy. That means the control plane is shifting into configuration assets that many organisations still treat as content, not policy. For IAM and NHI programmes, that is a structural change in where authority lives, and it demands governed lifecycle control.

Remote instruction loading creates a new form of identity drift. When agents fetch and execute instructions from a remote source, the agent’s effective privileges can change without a traditional access review. That is not just configuration drift; it is governance drift across a non-human execution identity. The named concept here is instruction drift exposure, where runtime behaviour diverges from approved policy because remote instructions are trusted too readily. Practitioners should treat that as a control failure, not a tuning issue.

The lethal trifecta is now an identity governance problem, not just an AI security slogan. Access to private data, exposure to untrusted input, and the ability to act externally create a conditions-based escalation path that standard prompt discipline cannot contain. This is where NHI governance intersects with agentic AI: the agent has to be provisioned, limited, observed, and revoked like any other privileged non-human identity. Security teams should assume that unmanaged agent authority will be abused.

Behavioural mimicry does not reduce accountability. The article shows that selective social behaviour, escalation, and routine task handling can all be configured to look human-like while remaining entirely policy-driven. That makes oversight harder, not easier, because humans can misread the system’s confidence as control. The correct response is to govern the execution environment, not the personality layer, and to require evidence for every delegated action.

Enterprise toolchains will increasingly fail at the boundary between model, prompt, and tool access. The article’s core lesson is that agent security breaks when teams treat these as separate problems. In practice they are one chain: the model interprets, the prompt constrains, and the tool executes. Practitioners should align their governance model to that chain and close the gap before agentic workflows become production dependencies.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
  • The report on the OWASP NHI Top 10 explains where agentic controls fail most often and how teams can close those gaps.

What this signals

Instruction drift exposure: the security issue is not that agents are clever, but that their approved behaviour can be rewritten through prompts, remote skills, or configuration drift. Once that happens, access reviews no longer describe reality, because the runtime subject has already changed. Teams that rely on static policy documents will miss the point entirely, especially when the agent operates as a de facto non-human identity.

The practical implication for enterprise programmes is that agent governance has to be versioned, monitored, and revoked like any other privileged identity. That means tying control ownership to the execution layer, not just the model layer, and using AI risk governance patterns from the NIST AI Risk Management Framework where agent behaviour affects business decisions or sensitive data handling.


For practitioners

  • Govern prompt and rule files as controlled policy objects Place agent prompts, system rules, and skill files under formal change control with approval, version history, and rollback. Review them the way you would privileged configuration because they determine what the agent can read, decide, and execute.
  • Restrict remote instruction retrieval Block unauthenticated or unverified remote skill loading, and require integrity checks before any fetched instruction is executed. Separate the update path from the runtime path so a compromised source cannot silently alter behaviour.
  • Segregate data access from action authority Limit what the agent can see, what it can infer from untrusted content, and what it is allowed to do externally. Use separate approval controls for data access, tool use, and outbound actions so one compromise does not complete the full attack chain.
  • Apply NHI-style lifecycle controls to agents Assign ownership, review cadence, revocation triggers, and monitored entitlements for each agent instance. Treat agent credentials, tool tokens, and MCP permissions as lifecycle-managed identities, not as permanent application settings.

Key takeaways

  • AI agents become a security problem when prompts and remote instruction paths define behaviour more than explicit policy does.
  • The evidence points to a real governance gap: agents are already exceeding intended scope, including data sharing and credential exposure.
  • Treating agents as lifecycle-managed non-human identities is the control shift that makes their authority observable and revocable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10NHI-01Agent behaviour driven by prompts and tools fits agentic AI identity and control abuse.
OWASP Non-Human Identity Top 10NHI-03Remote instruction loading and secret-bearing agent access align with NHI control gaps.
NIST AI RMFGOVERNThe article is fundamentally about governance for AI systems that take actions.
NIST CSF 2.0PR.AC-4The article centres on limiting and reviewing access for non-human systems.
MITRE ATT&CKTA0006 , Credential Access; TA0009 , Collection; TA0011 , Command and ControlThe threat pattern involves data access, instruction compromise, and external action paths.

Use ATT&CK to map where agent instruction abuse can lead to collection, credential exposure, and command execution.


Key terms

  • Agentic AI: Agentic AI refers to systems that can choose actions, call tools, and time execution with some independence. In security terms, the important question is not whether a model sounds intelligent, but whether the system can change state, access data, or trigger actions without direct human approval for each step.
  • Instruction Drift: Instruction drift is the gap between approved agent behaviour and what the agent actually does after prompts, rule files, or remote instructions change. It matters because governance documents can remain stable while runtime authority quietly shifts, creating a control failure that traditional access review does not detect.
  • Lethal Trifecta: The lethal trifecta is the dangerous combination of private data access, untrusted input exposure, and the ability to take external actions. When all three exist in one agentic system, attackers can convert normal workflow behaviour into leakage, manipulation, or unauthorised execution with very little friction.
  • Non-Human Identity: A non-human identity is any machine, workload, service account, token, certificate, or agent that authenticates and performs actions on behalf of a process rather than a person. These identities need lifecycle governance because they often hold persistent privileges, secrets, and tool access that outlast the tasks they were created for.

What's in the full article

Knostic's full blog covers the operational detail this post intentionally leaves for the source:

  • Prompt excerpts and code-level mechanics showing how MoltBook and OpenClaw actually drive agent behaviour.
  • The remote SKILL.md update pattern and why scheduled instruction fetching creates a supply-chain style risk.
  • The practical parallels between AI agents, MCP servers, and coding agents in enterprise environments.
  • The product context for Kirin, including validation, allowlisting, and drift detection details.

👉 Knostic's full post covers the prompt logic, remote skill updates, and enterprise coding-agent parallels in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners build the control discipline needed to govern agentic systems and other non-human identities across the enterprise.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org