NHIs vs. AI agents: why identity governance must see both

At a glance

What this is: This article argues that NHIs and AI agents are distinct identity types and that governance models built for static machine credentials do not adequately control autonomous agent behaviour.

Why it matters: IAM teams need this distinction to avoid overfitting NHI controls to agentic systems, while still governing lifecycle, privilege, and visibility across all identity programmes.

By the numbers:

• The vast majority of NHIs sit completely outside formal governance programs, with machine-to-human ratios reaching 500:1.
• Only 24.4% of organizations have full visibility into which AI agents are communicating with each other.
• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.

👉 Read Saviynt's analysis of NHIs vs. AI agents and identity governance

Context

Every enterprise identity program now has to distinguish between predictable non-human identities and AI agents that can change actions at runtime. The governance gap is not just scale, it is that the programme was designed for credentials that follow instructions, not identities that decide.

NHIs already form the connective tissue of modern infrastructure, but AI agents add a new layer of behavioural variance, credential creation, and delegation. That changes how identity, privilege, and audit evidence have to be interpreted across NHI, autonomous, and human programmes.

Key questions

Q: How should security teams govern AI agents and NHIs differently?

A: Security teams should govern NHIs as predictable machine identities and AI agents as runtime actors that can alter behaviour after authentication. That means static entitlements, inventory, and rotation remain central for NHIs, while agents need behaviour monitoring, delegation tracing, and ownership controls that account for tool choice and execution timing.

Q: Why do AI agents create more risk than service accounts?

A: AI agents create more risk because they can decide which tools to use, which systems to query, and when to act, often within one workflow. Service accounts usually follow fixed instructions. The risk increase comes from runtime discretion, not just from having machine credentials.

Q: What breaks when AI agents are managed like ordinary machine identities?

A: What breaks is the assumption that access scope can be fully understood from provisioning data and quarterly review. Ordinary machine identities are repeatable; agents are not. If teams only review entitlements, they miss context shifts, delegated actions, and credential creation inside the session.

Q: How can organisations tell whether an AI agent is acting outside its intended scope?

A: Organisations should look for behaviour that crosses expected tool boundaries, generates unusual credentials, or chains actions across systems that are not part of the original task. The signal is not simply high activity. It is a change in action pattern, delegation, or downstream access context.

Technical breakdown

Why static NHI controls fail for AI agents

Non-human identities such as service accounts, tokens, and certificates execute predefined instructions, so identity teams can usually reason about them from provisioning data, expected scope, and periodic review. AI agents behave differently when they choose tools, data sources, or next actions at runtime. That means static policy scoping can miss the actual risk, because the same credential may be used in different ways across different sessions. The technical failure is not just wider access. It is that the control model assumes repeatable execution, while the agent can alter its path after authentication.

Practical implication: Separate inventory and monitoring logic for predictable machine identities from behaviour-based oversight for agents.

How agent-to-agent delegation fragments the audit trail

Protocols such as agent-to-agent handoff and MCP-based tool access create chained identity contexts. Each delegation step can produce a new credential, session, or action context, which makes the original owner harder to trace. Traditional logs record who accessed what, but not always which identity initiated the sequence, which tool changed the state, or whether another agent continued the workflow. Once delegation becomes recursive, audit evidence becomes a graph rather than a line. That matters because governance teams need attribution as much as access control.

Practical implication: Track delegation chains explicitly so investigations can reconstruct who or what initiated each action.

Why agent-driven credential generation expands the identity surface

AI agents do not only consume credentials. They can create, request, and pass along new tokens as part of normal workflow execution. In practice that means a single workflow can spawn multiple short-lived identities across SaaS, cloud, and internal systems. The architectural problem is inventory lag: identity registers were built to catalogue humans and long-lived machine accounts, not sessions that appear and disappear at machine speed. As a result, the effective attack surface grows faster than governance processes can reconcile it.

Practical implication: Treat generated credentials as first-class identities in discovery, inventory, and offboarding processes.

Threat narrative

Attacker objective: The objective is to turn trusted runtime identity behaviour into broader system access, harder attribution, and faster credential propagation.

1. Entry occurs through legitimate access granted to an agent or a machine credential that is already trusted by connected systems.
2. Escalation follows when the agent widens scope mid-session by selecting additional tools, services, or delegated credentials without a new governance decision.
3. Impact lands when chained autonomous actions create new credentials or propagate access across multiple systems faster than review or containment can keep up.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Predictable machine identity and autonomous agent identity are not governable with the same assumptions. NHIs can usually be scoped at provision time because their behaviour is repeatable and bounded. AI agents alter that premise by selecting tools and action paths at runtime, which means the governance model has to distinguish identity type before it can distinguish control type. Practitioners should stop treating all non-human access as one category.

Least privilege at provisioning time is a broken assumption for autonomous actors. That assumption was designed for identities whose intent can be bounded before execution begins. It fails when the actor can decide which tools to call and when to call them after authentication. The implication is not a better checkbox review, but a different governance premise for agentic access.

Identity blast radius becomes the decisive risk variable when agents can generate credentials at machine speed. Each new token, delegated session, or handoff expands the number of places where access can persist beyond the original workflow. That means visibility, ownership, and offboarding need to follow the identity chain, not just the original account.

Agentic governance should be evaluated as a control-plane problem, not a point-solution problem. The article correctly shows that visibility, ownership, behavioural monitoring, and credential lifecycle all intersect once agents begin acting across systems. This aligns with OWASP NHI and OWASP agentic application risk framing, and it pushes teams toward unified identity control across humans, NHIs, and agents.

From our research:

• Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
• From our research: 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• For the next step: Read OWASP Agentic AI Top 10 for the control categories that matter when runtime behaviour, privilege abuse, and tool misuse converge.

What this signals

Identity blast radius: once agents can create credentials and hand work to other systems, the programme has to measure how far a session can spread before it is observable. That is the governance question this article surfaces, and it is already visible in the 24.4% visibility figure from our Ultimate Guide to NHIs.

Practitioners should expect agent governance to converge with NHI lifecycle management and Zero Trust thinking, because the control boundary is no longer the account alone. Ownership, delegation, and revocation need to move together, or the identity surface will keep growing faster than policy can catch up.

The market signal is clear: teams that can only inventory identities will fall behind teams that can explain behaviour. That makes behavioural telemetry, delegated access tracing, and explicit ownership the programme capabilities to prioritise now.

For practitioners

• Inventory AI agents separately from NHIs Maintain a distinct register for agents, service accounts, tokens, and certificates so predictable machine identities are not mixed with runtime-deciding systems. Record ownership, connected tools, and delegation paths for each agent.
• Map delegation chains end to end Trace agent-to-agent and agent-to-tool handoffs so every credential creation, session, and downstream action has attributable context. Without that mapping, audit trails fragment and investigations stall.
• Separate policy scoping from behaviour monitoring Use static entitlements for NHI accounts, but add runtime monitoring for agents that can choose tools or adjust execution paths. The control question changes from what the identity can access to what it actually does.
• Review offboarding for generated credentials Define how agent-issued tokens, delegated sessions, and ephemeral keys are revoked when a workflow ends or an owner leaves. Offboarding must include credentials the system created during execution, not just the base account.

Key takeaways

• NHIs and AI agents require different governance assumptions because one follows instructions while the other makes runtime decisions.
• Machine identity sprawl is already hard to control, and agent-driven credential generation makes the problem materially broader.
• Practitioners should separate inventory, monitoring, and lifecycle controls so predictable machine identities and autonomous agents are governed on their own terms.

Key terms

• Non-Human Identity: A non-human identity is any machine credential used by software, workloads, integrations, or services to authenticate and access resources. In practice it includes service accounts, API keys, tokens, and certificates. These identities are usually predictable, which makes inventory, ownership, and lifecycle governance essential.
• AI Agent: An AI agent is a software identity that can decide what actions to take, which tools to use, and when to act during runtime. Unlike a fixed automation job, it can change behaviour based on context. That makes its access harder to model from provisioning data alone.
• Identity Blast Radius: Identity blast radius is the amount of damage or spread that can occur if one identity is misused or compromised. For agents, the blast radius includes delegated actions, generated credentials, and chained access across systems. It is a practical measure of how far one identity can move risk.
• Delegation Chain: A delegation chain is the sequence of identities, tools, and sessions through which an action moves. It can include human owners, service accounts, agents, and sub-agents. The longer and less visible the chain, the harder it becomes to attribute action and contain misuse.

What's in the full article

Saviynt's full blog post covers the operational detail this post intentionally leaves for the source:

• How the vendor maps AI agents to identity control-plane decisions across discovery, governance, and monitoring.
• The article's practical checklist for distinguishing service-account behaviour from agent behaviour in live environments.
• Examples of how agent-to-agent handoffs and MCP-linked tool access change audit and ownership workflows.
• The source discussion of visibility gaps and lifecycle questions that implementation teams will need when they move from strategy to control design.

👉 Saviynt's full blog post covers the NHI visibility gap, agent behaviour shift, and the questions leaders should ask now.

Deepen your knowledge

NHI governance for AI agents and machine credentials is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are separating static machine identity controls from runtime agent oversight, it is a useful place to start.