By NHI Mgmt Group Editorial Team
Published 2026-04-07
Domain: General NHI
Source: Omada Identity

TL;DR: Non-human identities now outnumber human users by more than 40:1, and a recent token-based Salesforce compromise showed how valid access can persist outside ownership, lifecycle, and review controls, according to Omada Identity. The governance model is failing because it was built for people, not for machine identities that can act and adapt at runtime.


At a glance

What this is: This is Omada Identity's analysis of why non-human identity governance no longer fits cloud, token, and AI agent access patterns.

Why it matters: It matters because IAM, IGA, and PAM teams now have to govern access that is real, privileged, and often invisible across NHI, autonomous, and human identity programmes.

By the numbers:

  • Non-human identities now outnumber human users in most enterprises by more than 40:1.

👉 Read Omada Identity's analysis of non-human identity governance and AI agents


Context

Non-human identity governance is the discipline of controlling service accounts, API keys, OAuth tokens, workload credentials, and AI agent access with the same rigor once reserved for people. The problem is that most identity programmes still depend on human lifecycle events, while these identities are created, changed, and left behind by systems.

That mismatch creates a blind spot in ownership, lifecycle, and review. In practice, privileged access can remain valid long after the original purpose has changed, which is why NHI governance has become a core issue for IAM, IGA, and PAM teams rather than a niche infrastructure concern.

For teams looking to establish the baseline, the best starting point is the Ultimate Guide to NHIs, which frames governance across inventory, lifecycle, visibility, and privilege control.


Key questions

Q: What breaks when non-human identities are governed like human users?

A: Lifecycle triggers, ownership, and review processes stop working because machine identities do not generate joiner, mover, or leaver events. Access can persist after the original purpose disappears, leaving valid credentials outside normal certification paths. That creates a blind spot where privileged access remains active even though nobody can clearly explain why it still exists.

Q: Why do service accounts and tokens increase breach risk in cloud environments?

A: They often hold standing privilege, operate silently, and are reused across systems without interactive oversight. If one is compromised, the attacker inherits real authorization rather than having to steal a password. That makes the blast radius larger, especially when access was never scoped to the minimum operational need.

Q: How do organisations know if NHI governance is actually working?

A: They can answer three questions consistently: what each identity is for, who owns it, and when it should be removed or re-authorised. If any NHI cannot be inventoried, classified, and tied to a current purpose, the governance programme is only partially effective. Auditability should be visible in the evidence, not assumed from policy language.

Q: Who is accountable when a third-party token exposes customer data?

A: Accountability sits with the organisation that allowed the token to remain valid, the service owner that failed to retire it, and the vendor relationship owner if the access should have ended with the contract. Regulators will care less about which system executed the access than whether the access path was governed, documented, and removable.


Technical breakdown

Why token-based access bypasses human governance triggers

OAuth tokens, service accounts, and workload credentials are valid identities in their own right, not temporary exceptions to IAM. They authenticate access without a person present, which means HR-driven joiner, mover, and leaver processes do not naturally apply. When a third-party integration keeps its token, the authorization stays live even if the business relationship, owner, or purpose has changed. The technical problem is not authentication failure. It is that the identity exists outside the governance lifecycle the organisation uses for humans.

Practical implication: inventory and classify machine credentials as first-class identities, then bind each one to an owner, purpose, and expiry rule.

How over-privileged NHI access creates silent blast radius

Non-human identities frequently hold more access than the workloads or integrations actually need. Because they operate without interactive review, their privilege can accumulate unnoticed across applications, tenants, and production systems. The danger is not just breadth of access, but persistence: a token or service account with standing privilege can be reused at scale if compromised. That is why least privilege for NHI is less about one-time provisioning and more about continuously proving that access scope still matches operational need.

Practical implication: review standing privilege against actual runtime activity and remove access that cannot be justified by current system behaviour.

Why AI agents turn NHI governance into accountable action

AI agents change the identity problem because they do more than execute a pre-set transaction. They can interpret context, choose tools, chain actions, and delegate work while borrowing NHI credentials to do it. That means the governance question shifts from 'who approved access' to 'what was the agent authorised to do at runtime, and can the organisation prove it afterward?'. Existing governance models struggle because they track entitlement more easily than behaviour.

Practical implication: require traceable decision logs and scoped tool permissions for agents that borrow NHI credentials.


Threat narrative

Attacker objective: The objective was to use legitimate-looking token access to reach customer Salesforce data and environments without needing passwords.

  1. Entry occurred through compromised OAuth tokens tied to a third-party application that already carried valid authorization.
  2. Escalation happened when the same credentials were reused to access Salesforce environments across hundreds of customer organisations at scale.
  3. Impact came from persistent, silent access that operated outside normal ownership, lifecycle, and review controls.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Non-human identity governance failed because organisations still treat machine access as if it were human access. The article's core point is that HR-linked lifecycle triggers do not exist for service accounts, API keys, or OAuth tokens. That creates an inventory, ownership, and lifecycle gap that traditional IGA cannot close on its own. The implication is that NHI governance must stand as its own control domain, not as an appendix to human IAM.

Access review was designed for stable, person-owned privileges, and that assumption is already breaking. The governance model assumes access persists long enough to be assigned, reviewed, and certified by a manager or business owner. That assumption fails when third-party tokens or workload credentials outlive the relationship that created them. The implication is not simply to add more review cycles. It is to recognise that some access paths now operate outside the review logic itself.

Agentic behaviour widens the governance gap from entitlement control to action control. Service accounts are bounded by configuration, but AI agents can interpret context, select tools, and chain actions at runtime. That shifts the field from governing what an identity can reach to governing what it can decide to do with that reach. Practitioners need to rethink accountability, traceability, and delegated authority across NHI and agentic systems together.

Regulatory pressure is converging on demonstrable control over privileged identities, not just named users. The article is right to connect NIS2, DORA, and the EU AI Act to this problem space because the evidence requirement is becoming universal. Organisations will be expected to prove who or what had access, why it had it, and whether that access was governed. That makes NHI governance a compliance boundary as much as a technical one.

Credential persistence is the named failure mode this breach pattern exposes. Compromised tokens remained valid because the governance model did not require the access path to be retired when ownership changed. This is not a one-off exception; it is a structural weakness in how enterprises handle delegated access at scale. Practitioners should treat persistent token authority as an audit finding waiting to happen.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • With 80% of organisations reporting AI agents have already performed actions beyond their intended scope, the governance gap is already operational, not hypothetical.
  • For a broader lifecycle lens, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the ownership, review, and retirement controls that machine identities require.

What this signals

Agentic governance will force IAM teams to separate entitlement from behaviour. The next wave of programmes will need visibility into what systems and agents actually do with credentials, not only whether those credentials were issued. That is a stronger operating model than classic access review because runtime decisions can outpace certification cycles.

With 70% of organisations granting AI systems more access than they would give a human employee in the same job, per the 2026 Infrastructure Identity Survey, least privilege is no longer a static policy problem. It is a governance design problem that spans NHI, agentic AI, and the human sponsors behind them.

Teams that already struggle to catalogue service accounts will feel this most sharply. The practical signal is simple: if you cannot trace which identity, tool, and owner are behind a critical action, the programme is not ready for AI-assisted operations.


For practitioners

  • Build a complete NHI inventory: Enumerate service accounts, workload credentials, API keys, OAuth tokens, and vendor-issued identities across cloud and SaaS estates. Classify each by owner, purpose, system scope, and expiry condition so nothing remains outside governance.
  • Assign accountable ownership to every machine identity: Require a named business or technical owner for each NHI, including third-party tokens. Remove identities that cannot be tied to a living service, application, or contract owner.
  • Tie lifecycle controls to system events: Trigger review, renewal, and retirement based on workload changes, vendor changes, application decommissioning, and integration scope changes. Do not rely on HR processes to retire machine access.
  • Constrain AI agent tool access separately: Treat agent permissions as runtime authority, not static entitlement alone. Limit which tools an agent can call, what credentials it can borrow, and how its actions are logged for later reconstruction.
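The last practitioner item, runtime authority for an agent that borrows NHI credentials, is the one that classic entitlement tooling has no construct for. The following Python is an added example written for this page, not code from Omada Identity or NHI Mgmt Group; the agent name, tool allowlist, credential scopes and planned steps are all constructed. It shows a tool allowlist and per-credential borrowable scopes evaluated at each step, and a hash-chained decision log (a design choice of this example, not something the page prescribes) so that a run can be reconstructed afterward and any gap or edit in the record is detectable.

```python
"""Runtime authority for an AI agent that borrows NHI credentials.

Constructed example: the agent, its tool allowlist, the credential scopes
it may borrow and the planned steps are invented to illustrate treating
agent permissions as runtime authority (which tools it may call, which
scopes it may borrow from which credential) while writing a decision log
from which every action can be reconstructed later.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first log entry


@dataclass(frozen=True)
class AgentAuthority:
    agent_id: str
    allowed_tools: frozenset[str]            # tools the agent may call at all
    borrowable: dict[str, frozenset[str]]    # credential id -> scopes it may borrow


class DecisionLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so a removed or altered record fails verify() during reconstruction."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    @staticmethod
    def _digest(prev, fields):
        body = json.dumps(fields, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, **fields):
        digest = self._digest(self._prev, fields)
        self.entries.append({**fields, "prev": self._prev, "hash": digest})
        self._prev = digest

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or self._digest(prev, fields) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorise(authority, step, log, now):
    """Decide one planned step of the form (tool, credential, scope, reason).

    Every decision, allowed or denied, is logged with the agent's stated
    reason so the run can be reconstructed later. Returns True if allowed.
    """
    tool, credential, scope, reason = step
    if tool not in authority.allowed_tools:
        verdict, why = "deny", "tool not allowlisted for this agent"
    elif scope not in authority.borrowable.get(credential, frozenset()):
        verdict, why = "deny", "scope not borrowable from this credential"
    else:
        verdict, why = "allow", "within runtime authority"
    log.append(ts=now.isoformat(), agent=authority.agent_id, tool=tool,
               credential=credential, scope=scope, reason=reason,
               verdict=verdict, why=why)
    return verdict == "allow"


def run_plan(authority, plan, log, now):
    """Evaluate each step; returns (executed_tools, denied_tools) in plan order."""
    executed, denied = [], []
    for step in plan:
        (executed if authorise(authority, step, log, now) else denied).append(step[0])
    return executed, denied


# Constructed sample authority and plan (not a real agent or tenant).
TRIAGE_AGENT = AgentAuthority(
    agent_id="ticket-triage-agent",
    allowed_tools=frozenset({"crm.lookup", "ticket.update"}),
    borrowable={"oauth-crm-connector": frozenset({"crm.read"}),
                "sa-ticketing": frozenset({"ticket.write"})},
)
PLAN = [
    ("crm.lookup", "oauth-crm-connector", "crm.read", "find the customer record"),
    ("crm.lookup", "oauth-crm-connector", "crm.write", "update customer address"),
    ("ticket.update", "sa-ticketing", "ticket.write", "set ticket priority"),
    ("bulk.export", "oauth-crm-connector", "crm.read", "export all accounts"),
]


def demo():
    """Run the constructed plan and return (executed, denied, log)."""
    log = DecisionLog()
    now = datetime(2026, 4, 7, 9, 0, tzinfo=timezone.utc)
    executed, denied = run_plan(TRIAGE_AGENT, PLAN, log, now)
    return executed, denied, log


if __name__ == "__main__":
    executed, denied, log = demo()
    print("executed:", executed, "denied:", denied, "log ok:", log.verify())
```

Two of the four planned steps are refused for different reasons: the address update because the borrowed OAuth token is only lendable for `crm.read`, and the export because the tool is not on the agent's allowlist even though the scope would have been. Both denials are still logged, which is what lets an auditor later answer the question the article poses, namely what the agent was authorised to do at runtime and what it attempted beyond that.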

Key takeaways

  • The central failure is governance, not authentication. The article shows that valid tokens and privileged identities can still sit outside ownership, review, and retirement controls.
  • The scale is already material, with non-human identities outnumbering human users by more than 40:1. That volume makes manual oversight insufficient for modern enterprise identity programmes.
  • The immediate priority is to inventory, own, and lifecycle-manage machine identities before AI agents inherit the same blind spots. Organisations that wait will compound a problem already visible in token-based breaches.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack surface, NIST CSF 2.0 sets the technical controls, and NIS2 defines the regulatory obligations.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Focuses on lifecycle and rotation gaps that let machine credentials persist.
NIST CSF 2.0 | PR.AC-1 | Identity and access control coverage is central to the article's governance gap.
NIS2 | | The article links privileged access governance to regulatory accountability.

Map every token and service account to NHI-03 and retire credentials when ownership changes.


Key terms

  • Non-Human Identity: A non-human identity is any digital identity used by software, workloads, or services rather than a person. It includes service accounts, API keys, OAuth tokens, certificates, and AI agent credentials. These identities can carry real privilege and therefore need ownership, lifecycle control, and review like any other access-bearing account.
  • Lifecycle Governance: Lifecycle governance is the control practice that ties identity creation, change, certification, and retirement to business need. For machine identities, it cannot rely on HR events, so the triggers must come from application, vendor, or workload changes. Without that linkage, access persists longer than the business purpose that justified it.
  • Standing Privilege: Standing privilege is access that remains continuously available instead of being issued only when needed. In non-human identity environments, standing privilege is especially risky because the identity may operate silently, at machine speed, and without a person to notice misuse. The result is a larger blast radius if credentials are exposed or abused.
  • Agentic Behaviour: Agentic behaviour is the ability of an AI system to interpret context, choose actions, and chain tasks at runtime. In identity terms, that means the system can use borrowed credentials to do more than execute a fixed script. Governance must account for both the access granted and the decisions made with that access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Omada Identity: Non-Human Identities and AI Agents: The Governance Blind Spot. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org