By NHI Mgmt Group Editorial TeamPublished 2026-04-20Domain: Agentic AI & NHIsSource: Reva.AI

TL;DR: AI agents can inherit broad permissions through nested group structures, then act at machine speed in ways static role catalogues do not reveal, according to Reva.AI. The governance assumption that access can be reviewed after provisioning is breaking down when decisions and execution happen in real time.


At a glance

What this is: This analysis argues that AI agent governance now depends on real-time authorization, because static group-based access can hide effective privileges that agents can exploit immediately.

Why it matters: IAM, NHI, and human access programmes all need to shift from approved roles to continuously evaluated intent, context, and effective permissions.

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

👉 Read Reva.AI's analysis of real-time authorization for AI agent governance


Context

AI agent identity risk is expanding faster than traditional IAM controls can explain or contain. A read-only role can look safe on paper while nested group membership and inherited permissions create a much wider effective access path than the catalogue shows.

The governance gap is not just visibility, but timing. AI agents can act continuously, at machine speed, and access decisions that depend on quarterly reviews or static role approval now miss the window in which harm actually happens.


Key questions

Q: How should security teams govern AI agents that inherit access through nested groups?

A: They should govern the agent by effective permissions, not by the nominal role name. Nested groups, inherited entitlements, and cross-account trust can produce access that is much broader than the catalogue suggests. Teams need continuous evaluation of what the identity can actually do before any destructive or cross-system action is allowed.

Q: Why do static role catalogues fail for AI agent governance?

A: Static catalogues record what was approved at a point in time, but AI agents act in real time and can exploit inherited access immediately. If the access graph changes through nesting or upstream group membership, the catalogue can remain accurate and still be misleading. That is why runtime authorisation matters more than role labels.

Q: What breaks when organisations rely on quarterly access reviews for agent identities?

A: Quarterly reviews assume access persists long enough to be inspected before harm occurs. AI agents can consume privileges continuously, complete high-impact actions in minutes, and leave the review cycle chasing events after the fact. The failure is timing, not just control coverage.

Q: Who should be accountable when an AI agent causes destructive cloud actions?

A: Accountability should sit with the team that defined the policy, provisioning path, and runtime enforcement model, not with the agent as if it were a human operator. If nested groups, inherited permissions, or weak context controls made the action possible, the governance model failed before the event occurred.


Technical breakdown

Nested groups and effective permissions in AI agent access

In Active Directory and similar identity systems, the group you approve is not always the permission set the identity actually receives. Nested groups, inherited entitlements, and cross-system mappings can turn a read-only role into a write-capable identity when the effective access graph is not recalculated. For AI agents, that matters because they do not wait for a human to notice the mismatch before acting. The security issue is not the approval record, but the hidden permission chain that survives inside the estate.

Practical implication: build controls around effective permissions, not just role labels or catalogue entries.

Real-time authorization for agentic AI

Real-time authorization evaluates the subject, action, resource, and context at the moment of access. That is different from static provisioning, where entitlement is granted once and assumed safe until the next review. In agentic systems, context includes time, volume, device posture, risk signals, and action pattern, so a legitimate agent can still be blocked when behaviour deviates from expected intent. This is the core shift from snapshot governance to event-time governance.

Practical implication: move high-risk agent actions into policy decisions that can change with context in milliseconds.

Authorization fabric across heterogeneous enforcement points

A modern authorization fabric separates policy decision from policy enforcement so the same rules can govern cloud IAM, API gateways, service meshes, SaaS, and AI agent frameworks. Standards such as AuthZEN and policy engines such as OPA or Cedar make that possible because the application no longer owns the full decision logic. The key architectural value is consistency: one decision model, many enforcement points, and an audit trail that reflects actual runtime behaviour rather than intended access.

Practical implication: standardise policy evaluation across applications instead of relying on local, application-specific checks.


Threat narrative

Attacker objective: The objective is to convert approved but poorly understood access into large-scale destructive control over cloud resources without needing credential theft.

  1. Entry begins with a legitimate read-only service principal placed into a nested group structure that obscures its effective permissions across cloud accounts.
  2. Escalation occurs when inherited group membership silently grants write and delete capability, allowing the agent to act far beyond the original access request.
  3. Impact follows when the agent executes destructive actions across idle development environments at machine speed, creating outage and data loss risk before human review can intervene.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Real-time authorization is now the governing primitive for AI agents. Static role catalogues were built for identities that change slowly and are reviewed on human time. That assumption fails when an agent can consume broad inherited privileges and act immediately at machine speed. The implication is that access governance must stop treating approval as safety and start treating runtime decisioning as the control boundary.

Effective permission visibility is the new access truth. The read-only label on a group means very little if nested memberships and inheritance create write or delete capability elsewhere in the estate. This is not a policy gap alone, it is an observability gap that lets governance certify a fiction. Practitioners need effective access graphs, not catalogue optimism.

Authorization has become the control plane for agentic identity. Authentication proves identity, but it does not constrain what an AI agent can do once inside the system. Open standards such as AuthZEN matter because they separate decision logic from enforcement and make runtime policy portable across applications. For practitioners, the market signal is clear: access control is moving from per-app configuration to interoperable runtime governance.

Time-bounded access review is an assumption collapse for autonomous behaviour. Access review processes were designed for privileges that persist long enough to be observed, challenged, and recertified. That assumption fails when the actor can acquire and use access continuously, at machine speed, across many systems before the next review cycle begins. The implication is not just tighter review cadence, but a rethink of what review can meaningfully govern.

Identity governance for AI agents converges with NHI controls, not human workflows. The same blind spots that affect service accounts, tokens, and nested group inheritance now show up in agentic systems with broader autonomy. That makes NHI governance the right baseline, while human-style oversight becomes a weak secondary check. Practitioners should treat agent identities as first-class non-human identities with live policy enforcement.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
  • 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
  • OWASP Agentic AI Top 10 is the right next reference point for teams formalising agentic risk controls.

What this signals

Effective permission visibility: the next phase of agent governance is not another approval layer, but an identity graph that shows what the agent can actually do right now. When nested group paths and inherited rights are opaque, policy review becomes theatre instead of control.

With 80% of organisations already seeing AI agents act beyond intended scope, the governance problem has moved from hypothetical to operational. Teams that still depend on delayed recertification and manual exception handling will keep discovering risk after the agent has already acted.

The practical signal for IAM and NHI programmes is that runtime authorisation, not static role assignment, is becoming the primary control surface. That shift aligns closely with NIST AI Risk Management Framework thinking on continuous governance and accountability.


For practitioners

  • Map effective permissions, not just approved roles Recalculate what an agent can actually do across nested groups, inherited privileges, and cross-account trust chains. Use that effective access map before allowing any agent to touch production or destructive actions.
  • Move high-risk agent actions to runtime policy checks Require contextual authorisation for bulk deletes, exports, privilege changes, and cross-account operations. Evaluate time, volume, resource sensitivity, and behavioural drift at the moment of action.
  • Replace catalogue trust with continuous observability Instrument identity flows so security teams can see what a service principal, token, or agent can do right now. If the estate cannot show effective access in real time, the governance model is incomplete.
  • Separate approval from enforcement Keep human approval for policy design and exception handling, but do not rely on humans to click through every agent action. Build policies that enforce automatically when behaviour falls outside expected intent.

Key takeaways

  • AI agent access can be formally approved and still be materially unsafe when nested inheritance hides the true permission set.
  • The strongest evidence in this analysis is the gap between static governance and machine-speed execution, which makes delayed review ineffective.
  • Practitioners need effective access visibility and runtime authorisation if they want agent governance to hold under real operational conditions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Agent actions beyond intended scope map to agentic tool misuse and authorization drift.
OWASP Non-Human Identity Top 10NHI-03Hidden effective permissions and broad inherited access align with NHI privilege governance.
NIST CSF 2.0PR.AC-4Least-privilege access management is central to runtime control of agent identities.

Reconcile nested group entitlements and verify effective access before approving NHI use.


Key terms

  • Effective Permissions: The real access an identity has after inheritance, nesting, policy overlays, and cross-system mappings are applied. In practice, this can differ sharply from the role label or catalogue entry that was approved, which is why governance must verify what the identity can actually do.
  • Runtime Authorization: A decision process that evaluates whether an action should be allowed at the moment it is requested, using current context and risk signals. It is more suitable than static provisioning for AI agents and other non-human identities that can act continuously and at machine speed.
  • Authorization Fabric: An architectural layer that separates policy decision from policy enforcement so the same rules can govern many systems consistently. It is useful when cloud services, APIs, SaaS platforms, and AI agent frameworks all need the same identity control model.
  • Nested Group Inheritance: A permission pattern where membership in one group grants access through another group or role chain. It is common in directory-centric identity systems and becomes dangerous when teams lose sight of the effective access produced by the chain.

What's in the full article

Reva.AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • The nested group and inheritance pattern behind the effective permission problem in cloud access.
  • The real-time authorisation model the article uses to contrast static approval with runtime control.
  • The AuthZEN information model and how subject, action, resource, and context fit together in practice.
  • Why human-in-the-loop approvals break down when agents operate at machine speed.

👉 Reva.AI's full post covers the nested group inheritance problem, AuthZEN context model, and runtime policy architecture.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org