By NHI Mgmt Group Editorial Team
Published 2026-03-23
Domain: Announcements
Source: Palo Alto Networks

TL;DR: The core issue is not whether AI can talk, but whether identity and access controls can safely govern autonomous execution, according to Palo Alto Networks, which says Prisma AIRS 3.0 adds discovery, risk assessment, and runtime protection across the agentic AI lifecycle, including agent inventory, architectural scanning, AI red teaming, and a control plane for authorization and observability.


At a glance

What this is: Palo Alto Networks is framing Prisma AIRS 3.0 as an agentic AI security platform that shifts enterprises from observing AI interactions to authorizing autonomous execution.

Why it matters: IAM and security teams need to treat agent identity, runtime scope, and post-deployment behaviour as governance problems, because existing controls built for static access do not fully cover autonomous agents.


👉 Read Palo Alto Networks' press release on Prisma AIRS 3.0 and agentic AI security


Context

Agentic AI security is the problem of governing software identities that can decide, select tools, and execute actions with limited or no human approval. The article argues that many enterprises can see what AI says, but not what AI does, which leaves identity, runtime, and governance gaps open at the point where action is taken.

For IAM, PAM, and NHI programmes, the shift matters because an agent that can act independently is no longer just a workload to observe. It becomes an identity subject whose lifecycle, privileges, and runtime behaviour need to be bounded, reviewed, and monitored as part of the access model, not as an afterthought.


Key questions

Q: How should security teams govern autonomous AI agents with runtime access?

A: Treat autonomous agents as governed identities with explicit ownership, scoped tool access, and runtime policy enforcement. Approval at deployment is not enough when the agent can choose actions during execution. Security teams should bind high-risk actions to real-time checks, monitor behaviour after deployment, and maintain a complete inventory of agent-to-tool relationships.

Q: Why do agentic AI systems complicate NHI governance?

A: They complicate governance because the privilege boundary is no longer fixed at provisioning time. An agent can change its action sequence, combine tools, and request new paths during runtime, which makes static access reviews less reliable. The result is a control model that must account for behaviour, not just credentials.

Q: What breaks when AI agents are treated like ordinary application workloads?

A: What breaks is the assumption that the workload follows a stable script. Agentic systems can make independent decisions, so the usual entitlement and monitoring model may miss tool misuse, scope drift, or chained actions. That creates blind spots in both access governance and incident response.

Q: What is the difference between agent identity discovery and traditional asset discovery?

A: Traditional asset discovery tells you where software runs. Agent identity discovery tells you which software entities can decide, act, and access data or tools on their own. That difference matters because the risk sits in execution rights and delegated behaviour, not only in the presence of an application.


How it works in practice

Agent identity discovery across cloud, SaaS, and endpoint environments

The platform position is that agent inventories are currently fragmented across cloud services, SaaS applications, and local endpoints. In agentic environments, discovery is not just asset management. It is identity discovery, because each agent can carry credentials, tool access, data reach, and execution rights that matter differently once runtime decisions are made. Traditional controls often know the host or application, but not the decisioning entity operating inside it. That leaves shadow AI, hidden tool chains, and unmanaged agent identities outside the normal governance perimeter.

Practical implication: map where agent identities exist and what they can reach before you try to write policy.

Runtime authorisation for autonomous agent actions

Runtime security for agentic AI is about deciding whether an agent may take an action at the moment it tries to do so. That differs from classic access control because the sequence of actions is not fully predetermined at provisioning time. The platform’s control plane framing reflects a broader change: identity enforcement is moving closer to execution, where the agent can request tools, touch data, and chain tasks dynamically. This is where policy has to bind to runtime context, not only to static entitlements.

Practical implication: treat approval and policy enforcement as runtime controls, not just provisioning controls.
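The following is an added illustration of the runtime-authorisation model described above; it is not code from Palo Alto Networks or Prisma AIRS. It assumes a constructed agent inventory (the agent id, owner, tool names, risk labels and data scopes are placeholders) and shows that being in the inventory is only the provisioning-time gate: each tool call is still checked at execution time for scope drift, unapproved high-risk tools, chain length, and unknown (shadow) agents.

```python
from dataclasses import dataclass, field

# Constructed agent-to-tool inventory, as produced by a discovery step.
# All ids, tools and scopes are illustrative placeholders.
AGENT_INVENTORY = {
    "agent-ticket-triage": {
        "owner": "support-platform-team",
        # tool -> risk label; high-risk tools need a real-time approval signal
        "tools": {"ticket.read": "low", "ticket.update": "low", "crm.export": "high"},
        "data_scope": {"support"},   # data domains the agent may touch
        "max_chain": 5,              # tool calls allowed in one session before review
    },
}

@dataclass
class Session:
    agent_id: str
    calls: list = field(default_factory=list)   # chain of (tool, data_domain) so far

@dataclass
class Decision:
    allow: bool
    reason: str

def authorize_action(session, tool, data_domain, approved_now=False):
    """Decide at execution time whether the agent may call `tool` on `data_domain`.

    Provisioning-time approval (presence in the inventory) is necessary but not
    sufficient: scope drift, high-risk tool use and long chains are checked per call.
    """
    agent = AGENT_INVENTORY.get(session.agent_id)
    if agent is None:
        return Decision(False, "unknown agent: not in inventory (shadow AI)")
    risk = agent["tools"].get(tool)
    if risk is None:
        return Decision(False, f"tool {tool} not bound to agent at provisioning")
    if data_domain not in agent["data_scope"]:
        return Decision(False, f"scope drift: {data_domain} outside {sorted(agent['data_scope'])}")
    if len(session.calls) >= agent["max_chain"]:
        return Decision(False, "chain limit reached: requires human review")
    if risk == "high" and not approved_now:
        return Decision(False, f"high-risk tool {tool} needs real-time approval")
    session.calls.append((tool, data_domain))   # record the action for audit and chain tracking
    return Decision(True, "allowed")
```

Every Decision carries a reason string so denials can be logged and reviewed as behaviour signals, not just as access errors.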

AI red teaming and agentic attack simulation

AI red teaming in an agentic context tests how an agent behaves when prompts, context, or tool paths are manipulated during execution. The goal is to surface vulnerabilities such as context-aware attacks, unsafe tool use, and weak guardrails before those weaknesses appear in production. This is materially different from scanning a model or app in isolation because the risk often emerges only when the agent combines access, context, and action. Security teams need to evaluate the full execution path, not just the model layer.

Practical implication: validate how agents behave under malicious context, not only whether the model is secure in isolation.


NHI Mgmt Group analysis

Agentic AI governance is becoming an identity problem before it becomes a model problem. The article’s core move is to place discovery, risk assessment, and protection on the same plane as agent execution. That is the right framing for the market, because the control question is no longer only what the model can do, but what the identity behind it is allowed to do once it starts acting. Practitioners should read this as a shift from AI monitoring to identity governance for autonomous execution.

Agentic identity is a named governance category, not a branding exercise. The source article correctly treats agentic identities as distinct from generic application identities because agents can select tools, sequence tasks, and operate across multiple systems. That creates a governance surface that sits between NHI control patterns and autonomous decision behaviour. The practical implication is that IAM and NHI teams need a category for agents that is specific enough to govern runtime action, not just authentication.

Runtime authorization gap: policy written at provisioning time was designed for stable access paths. That assumption fails when the actor can choose actions during execution because the privilege boundary is not fully knowable in advance. The implication is that access review, entitlement design, and approval logic all need to be rethought for actors whose behaviour changes after deployment.

Shadow AI and unmanaged agent sprawl will increasingly resemble classic NHI sprawl, but with a faster failure cycle. The article’s emphasis on discovery across cloud, SaaS, and endpoints shows that hidden agents are a governance problem, not only an operations problem. Once agents can act independently, missing inventory becomes missing control, and missing control becomes unbounded runtime exposure. Practitioners should expect agent discovery to land inside NHI governance, PAM, and security operations simultaneously.

Agentic AI lifecycle security will pull identity, runtime, and AI governance into one operating model. The vendor is describing a platform response to a market problem, but the deeper signal is category convergence. Security teams will need shared ownership across IAM, cloud security, SOC, and AI governance because no single team can see the entire agent lifecycle alone. The field is moving toward lifecycle-based control of autonomous software identities, and that will expose where current governance silos are too slow or too narrow.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a deeper lifecycle lens, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to be treated as one control chain.

What this signals

Agentic AI will force NHI programmes to move from entitlement management to behaviour management. With 91.6% of secrets still valid five days after notification according to the Ultimate Guide to NHIs, the problem is already visible in static NHI environments. Autonomous agents make that weakness operational faster, because the identity can act, chain tools, and expand scope within the same session.

Identity review cadences built for humans will not survive autonomous execution. The issue is not only more identities, but identities that can create new access paths before a review cycle catches them. Teams should expect governance to shift toward continuous discovery, runtime authorization, and lifecycle accountability across AI, NHI, and PAM boundaries.


For practitioners

  • Build an agent identity inventory: Catalog every AI agent, model connection, and tool binding across cloud, SaaS, and endpoint environments. Include ownership, data reach, and execution scope so hidden agents do not sit outside your governance model.
  • Separate provisioning from runtime control: Define which agent actions require real-time policy checks, even if the identity was approved earlier. Tie high-risk tool use to execution-time authorisation rather than assuming provisioning-time approval is enough.
  • Test agents under adversarial context: Use red team scenarios that alter prompts, context, and tool paths to see whether the agent changes behaviour or expands its action set. Focus on what happens after deployment, not only on model safety in isolation.
  • Assign lifecycle ownership for agents: Make one team accountable for onboarding, scope changes, review, and retirement of each agent identity. Without explicit lifecycle ownership, agent sprawl will outpace access review and incident response.

Key takeaways

  • Agentic AI security is an identity governance problem because the actor can select tools and execute actions at runtime.
  • Discovery, runtime authorization, and lifecycle ownership are the controls that matter once AI moves from observation to autonomous execution.
  • Without behaviour-aware governance, shadow AI and unmanaged agent sprawl can create access paths that static reviews will not catch in time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Agentic AI Top 10            A1                    Agentic runtime misuse and tool abuse are central to the article.
OWASP Non-Human Identity Top 10    NHI-03                Agent identities still depend on credential lifecycle and scope control.
NIST AI RMF                        (not specified)       AI governance and accountability apply to autonomous agent behaviour.

Assign clear ownership for agent behaviour, monitoring, and escalation under AI RMF GOVERN.


Key terms

  • Agentic Identity: An agentic identity is a software identity that can decide which actions to take, which tools to use, and when to execute them. In practice, it needs governance that covers runtime behaviour, not just authentication or static entitlement approval.
  • Runtime Authorization: Runtime authorization is the decision to permit or deny an action at the moment the action is requested. For autonomous systems, it matters because privilege can drift after deployment, so static provisioning alone does not describe real-world access.
  • Shadow AI: Shadow AI is unmanaged or undiscovered AI activity inside an enterprise. The governance problem is not only that the model exists, but that no owner, inventory, or policy boundary is able to account for what the system can access or do.
  • Agentic Lifecycle: The agentic lifecycle covers discovery, onboarding, access scope, runtime behaviour, review, and retirement for AI agents. It extends identity governance into the full period where an agent can act, which makes offboarding and policy drift as important as initial approval.

Deepen your knowledge

Agentic AI lifecycle security is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous agents alongside service accounts and other non-human identities, it is worth exploring.

This post draws on content published by Palo Alto Networks: Prisma AIRS 3.0 and agentic AI security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org