TL;DR: AI agents now operate directly in enterprise systems, but broad OAuth reuse, standing grants, and weak audit trails leave teams unable to explain or constrain agent actions, according to Oasis Security. Its agentic access model turns requests into short-lived, policy-evaluated sessions with end-to-end accountability. The governing assumption that access can be reviewed after the fact breaks when agents act within a single session.
At a glance
What this is: Oasis Security’s AAM model treats AI agent actions as time-bound identity sessions and finds that broad delegated access is still the default enterprise failure mode.
Why it matters: For IAM, PAM, and NHI teams, the issue is not whether agents can act but whether their access can be scoped, traced, and retired before blast radius expands across production systems.
Context
AI agent identity risk is no longer a theoretical extension of NHI governance. When an agent uses inherited OAuth tokens or reused human access, the organisation is not just automating a task, it is creating a new actor with permissions that existing IAM models often cannot explain or bound.
The core problem is accountability at runtime. Enterprises need to know which agent is connected to which system, what permissions it has, who approved the access, and what it actually did, because the usual review-and-revoke cycle is too slow for agentic execution.
Key questions
Q: How should security teams control AI agents that act on enterprise systems?
A: Treat every agent request as a runtime authorisation event. Define the exact systems and operations each agent can touch, then issue only task-scoped permissions with automatic teardown after execution. The goal is not to trust the agent less as a personality, but to reduce the authority it carries outside the task boundary.
Q: Why do AI agents make existing IAM controls harder to rely on?
A: Because many IAM controls assume access is stable long enough to be reviewed, certified, and revoked later. Agents can acquire, use, and release permissions within one session, which leaves little durable artefact for traditional lifecycle processes. That creates a governance gap between approval time and execution time.
Q: What breaks when agents reuse human OAuth access?
A: The organisation loses the ability to separate human intent from machine execution. A reused OAuth grant can let the agent operate far beyond the original purpose, expand blast radius across multiple systems, and obscure accountability when the action is questioned later. Reuse turns a temporary delegation into a standing trust problem.
Q: Who is accountable when an AI agent makes the wrong change?
A: Accountability sits with the governance chain that approved the access model, not with the agent alone. Teams need a trace from requester to policy decision to identity issuance to action results. If that chain is missing, incident review becomes guesswork and access governance cannot be defended to auditors.
How it works in practice
Intent-aware access for AI agents
Intent-aware access management converts a prompt, tool call, or action plan into structured intent, such as resource, operation, scope, and purpose. That intent is then evaluated against policy before any permission is granted. The architectural shift matters because AI agents do not just authenticate, they request action authority on the fly, often across multiple systems in one task. If identity control stops at login or token issuance, the real decision point is missed. The mechanism is therefore closer to runtime authorisation than traditional access provisioning.
Practical implication: security teams should treat each agent request as a policy decision point, not as a one-time onboarding event.
Just-in-time identities versus standing OAuth grants
The article’s model replaces long-lived delegated access with ephemeral identities that exist only for the task. In practice, this narrows the window in which an agent can access data, write records, or trigger downstream workflows. The distinction is important because a reused OAuth token or broad service grant extends trust well beyond the user intent that originally justified it. Once that happens, least privilege becomes aspirational rather than operational, and auditability degrades because the same credential can support many unrelated actions.
Practical implication: teams should stop treating delegated access as durable entitlement and redesign controls around task-scoped identities.
Prompt-level auditability and chain of custody
The strongest control claim in the article is not just that access is short-lived, but that every session is traceable from human request to agent action. That creates a chain of custody across Human, Agent, Prompt, Intent, Policy, Identity, Actions, and Results. For identity governance, this matters because regulators and auditors care about who approved access and what was done with it. Without a complete trace, agent behaviour becomes operationally visible only after a failure or data event, which is too late for governance.
Practical implication: governance teams should require evidence that every agent action can be reconstructed end to end.
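The three mechanisms above, sketched together as an added example (not Oasis Security's implementation, and not code from the original post): structured intent is checked against a default-deny policy, an allowed request receives a single-use credential with an expiry, and every stage is written to a hash-chained trail. The agent name, policy table, `SessionBroker` class and hash-chain design are assumptions made for illustration.

```python
import hashlib, json, secrets, time
from collections import namedtuple

# Structured intent with the four fields the article names.
Intent = namedtuple("Intent", "resource operation scope purpose")
# Constructed policy (assumption): agent -> allowed (resource, operation, scope); default deny.
POLICY = {"crm-summary-agent": {("crm", "read", "account:4411")}}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class SessionBroker:  # hypothetical name, not a real product API
    def __init__(self, ttl_seconds=60):
        self.ttl, self.sessions, self.trail = ttl_seconds, {}, []

    def _log(self, stage, **fields):
        # Each record embeds the previous record's hash, so edits or gaps are detectable.
        prev = self.trail[-1]["hash"] if self.trail else "0" * 64
        body = {"stage": stage, "prev": prev, **fields}
        self.trail.append({**body, "hash": _digest(body)})

    def request(self, human, agent, prompt, intent, now=None):
        now = time.time() if now is None else now
        self._log("request", human=human, agent=agent, prompt=prompt, intent=intent._asdict())
        allowed = (intent.resource, intent.operation, intent.scope) in POLICY.get(agent, set())
        self._log("policy", decision="allow" if allowed else "deny")
        if not allowed:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (intent, now + self.ttl)
        self._log("identity", token_id=_digest(token)[:12], expires=now + self.ttl)
        return token

    def act(self, token, intent, now=None):
        now = time.time() if now is None else now
        # pop() is the teardown: the credential is single-use and gone after this call.
        granted, expiry = self.sessions.pop(token, (None, 0))
        ok = granted == intent and now < expiry
        self._log("action", token_id=_digest(token)[:12], intent=intent._asdict(), result="executed" if ok else "rejected")
        return ok

def verify_trail(trail):
    prev = "0" * 64
    for rec in trail:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

A credential issued for one intent is rejected if the agent presents a different intent at execution time, which is the separation between approval time and execution time that the article argues standing OAuth grants cannot provide.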
NHI Mgmt Group analysis
Agentic access is an identity governance problem, not just an AI control problem. The article shows that agents are already acting on production systems, CRMs, data warehouses, and internal services. That moves the issue into IAM, PAM, and NHI territory because the real question is who or what receives authority to act, under what scope, and for how long. Practitioners should read this as an expansion of identity governance boundaries, not a sidecar AI concern.
Standing privilege is the failure mode that makes agentic access unsafe. When an agent inherits a broad OAuth token or reuses human access, the access path outlives the task and the accountability model. That is a classic NHI blast-radius problem, but it becomes sharper with agents because the same identity can chain multiple actions in one session. The implication is that persistent grants are no longer a tolerable default for agent workflows.
Ephemeral credential trust debt: the article points to a structural gap where organisations ask ephemeral access to solve problems created by durable trust. Short-lived sessions do reduce exposure, but they do not help if the approval model, policy scope, and audit chain were built for human-paced operations. The practical implication is that identity programmes need a different operating assumption for machine-initiated action.
The access review model was designed for human-paced privilege, and that assumption weakens with agents. Review cycles assume access persists long enough to be observed, certified, and removed. Agentic behaviour can compress grant, use, and teardown into a single execution window, which means the governance artefact may never exist in a reviewable state. Practitioners should treat this as an assumption collapse in lifecycle governance, not a process tuning problem.
Unified governance across NHIs and agents is now the category direction. The article’s framing suggests the market is converging on a single control plane for service identities and AI agents because the underlying risk pattern is shared: delegated authority without adequate scope control or traceability. That does not erase the differences between workload identity and autonomous action, but it does validate a shared governance lens. Identity teams should expect category boundaries to keep blurring.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap is why identity teams should also study the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for lifecycle controls that can be adapted to agent governance.
What this signals
Ephemeral credential trust debt: organisations are trying to solve durable delegation problems with short-lived access patterns, but the control model still has to answer who approved what, for what purpose, and whether the permission can be reconstructed later. That gap will shape agent governance programmes more than the headline technology choices.
The practical near-term signal is that security teams will need to merge agent control with NHI lifecycle discipline. If the business wants more agents in more systems, identity teams will need policy, approval, and teardown logic that works at task speed, not human review cadence.
For practitioners aligning to external standards, the runtime-policy side of this problem maps well to the NIST AI Risk Management Framework, and the identity-boundary side aligns with the OWASP Top 10 for Agentic Applications 2026. The takeaway is that agent governance is becoming an operating model issue, not a point-control issue.
For practitioners
- Define agent-specific policy boundaries: Map each AI agent to the exact systems, operations, and scopes it may use, then block all unscoped access paths by default. Keep policy decisions tied to intent, not to the agent name or owner.
- Replace broad delegated access with task-scoped identity: Remove reused human access and long-lived OAuth grants from agent workflows wherever possible. Issue short-lived permissions only for the current task, then decommission them after use.
- Require end-to-end auditability for every agent action: Make approval, intent, policy decision, identity issuance, and resulting actions reconstructable in one trail. If you cannot explain who authorised the action and what the agent did, the control is incomplete.
- Separate human approval from agent execution scope: Do not let a human requester’s access level become the agent’s standing entitlement. Re-evaluate the request at runtime and issue only the minimum permissions needed for that single execution.
- Inventory agent-connected systems and inherited credentials: Identify which agents are linked to SaaS, cloud, data platforms, and internal services through inherited credentials. Prioritise the highest-risk paths first, especially production systems and write-capable workflows.
Key takeaways
- AI agent governance is becoming an identity problem because broad delegated access gives agents authority that traditional review cycles cannot keep up with.
- The evidence points to a structural visibility gap, with most organisations already seeing agents act outside intended scope and many unable to audit access completely.
- The control shift is toward task-scoped, policy-evaluated, fully traceable sessions that remove standing privilege from agent workflows.
Key terms
- Agentic Access Management: Agentic Access Management is the practice of governing AI agents as runtime identities rather than static users or simple automations. It uses policy, intent, and short-lived permissions to constrain what an agent can do, when it can do it, and how the action is recorded for audit and review.
- Ephemeral Identity: An ephemeral identity is a temporary credentialed identity created for a narrow task and removed after the task ends. In agent governance, it limits blast radius by ensuring the agent cannot keep using the same authority across unrelated actions or sessions.
- Intent: Intent is the structured description of what an agent is trying to do, including target resource, operation, scope, and purpose. Translating prompts into intent makes policy evaluation possible before access is granted, which is essential when natural-language requests drive enterprise actions.
This post draws on content published by Oasis Security: Introducing Oasis Agentic Access Management.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org