TL;DR: Shadow AI is spreading faster than security teams can inventory it, with one Fortune 500 example uncovering more than 6,000 agent-linked identities in two months, according to Token Security. The governance gap is no longer theoretical: agents behave like identities, not scripts, so discovery, lifecycle control, and evidence capture now define whether AI adoption remains manageable.
At a glance
What this is: This is a practitioner analysis of shadow AI as an identity governance problem, with the key finding that AI agents are proliferating as unmanaged identities inside the enterprise.
Why it matters: It matters because identity programmes built for human users or static service accounts do not automatically control agentic behaviour, lifecycle drift, or unreviewed access paths.
By the numbers:
- In one Fortune 500 company, a discovery process revealed over 6,000 agent-linked identities created in just two months.
👉 Read Token Security's analysis of shadow AI governance and AI agent identity risk
Context
Shadow AI is the unmanaged spread of AI agents, copilots, and orchestration services that enter an environment without security or IT visibility. In identity terms, the core problem is not simply unsanctioned software. It is the arrival of actors that can hold entitlements, touch data, and execute tasks without the same controls used for human users or traditional workloads.
That shift puts NHI governance, IAM, and lifecycle discipline in the same control plane. Once an AI system can act, chain actions, or persist beyond a single experiment, teams need inventory, ownership, entitlement review, and offboarding discipline that work across cloud, SaaS, and on-prem environments. The article’s starting point is typical of the market, not an outlier.
Key questions
Q: How should security teams govern AI agents that appear outside official approval processes?
A: Start by treating each AI agent as a managed identity subject, not as a tool instance. Inventory where it exists, who owns it, what data it can reach, and when it should be removed. Without that baseline, approval workflows cannot distinguish legitimate experimentation from unmanaged access growth, and lifecycle control becomes impossible to prove.
Q: Why do broad permissions become riskier as AI agent use scales?
A: Broad permissions become riskier because agents can act quickly, chain actions, and persist beyond the original experiment. A permission set that looks harmless in isolation can become a high-impact access path once multiple agents, data sources, and workflows are combined. The governing issue is accumulated privilege, not any single entitlement.
Q: What breaks when AI agents are never deprovisioned?
A: When agents are never deprovisioned, they become zombie identities that continue to consume resources and preserve access long after their business purpose ends. That creates audit gaps, entitlement drift, and unnecessary exposure. The failure is not only operational waste. It is the loss of a clear end state for non-human access.
Q: Who should be accountable for segregation of duties in agentic workflows?
A: Accountability should sit with the business owner and the identity team together, because agentic workflows can blur traditional control boundaries. If one agent can create work and another can approve it, the organisation still needs a human governance layer that can explain who authorised the chain, what was separated, and why.
Technical breakdown
Why shadow AI behaves like an identity problem
Shadow AI becomes an identity issue when the system can act in an environment rather than merely process a request. An AI agent can hold credentials, call tools, chain actions, and trigger other agents. That makes it closer to a non-human identity than a traditional application feature. The control challenge is not just software sprawl. It is identity sprawl with decision-making attached, which means access governance must account for runtime behavior, not just static provisioning.
Practical implication: treat every agentic system as an identity subject that must be inventoried, owned, and entitlement-scoped.
How excessive privileges turn experimentation into toxic combinations
Teams often grant broad access to reduce friction during testing, then leave those entitlements in place as the agent moves into production-like use. That creates toxic combinations, where one agent can read data, another can modify workflows, and neither is constrained by a narrow purpose. In NHI terms, the risk is not merely over-privilege. It is the accumulation of standing access across systems that were never designed to trust a self-directed actor.
Practical implication: review agent permissions as a combined access path, not as isolated single-system grants.
AI agent lifecycle management and segregation of duties
Agents are rarely deprovisioned with the same discipline applied to human joiners and leavers. That leaves zombie identities in place, which can continue to consume resources, access systems, and widen audit exposure. The article also raises segregation of duties concerns when one agent writes code and another reviews it without human oversight. Governance must therefore extend lifecycle and SoD principles to agent populations, not just to people and service accounts.
Practical implication: define agent ownership, expiry, and deprovisioning triggers, and require human oversight for conflicting control functions.
NHI Mgmt Group analysis
Shadow AI is the same governance problem as shadow IT, but the asset class has changed from applications to actors. Traditional shadow IT left teams with unseen software. Shadow AI leaves them with unseen identities that can act, persist, and expand access paths. That is a deeper governance failure because the subject of control is now an actor with privileges, not a passive tool. Practitioners should treat discovery as identity inventory, not application cataloguing.
Ephemeral experimentation does not justify permanent privilege. The article shows how teams grant broad access to reduce friction during AI trials, then struggle to pull those permissions back. That pattern creates standing privilege in an environment that moves faster than review cycles. The implication is that lifecycle assumptions built for stable service accounts are already under strain when agents are created ad hoc by developers and business teams.
AI agent lifecycle neglect is a named governance failure, not a housekeeping issue. Agents that are never deprovisioned become zombie identities, which means entitlement drift and audit exposure both grow over time. This is exactly where identity governance must stop treating non-human identities as one-off technical objects and start treating them as managed subjects with start, purpose, owner, and end state.
Segregation of duties now needs to cover agent-to-agent workflows as well as human workflows. The article’s example of one coding agent writing code and another reviewing it without oversight shows how control separation can collapse inside a machine-driven chain. That matters because SoD was designed for accountability boundaries, and those boundaries can disappear when agents coordinate faster than humans can intervene. Practitioners should re-evaluate whether their governance model can still prove independent review.
Identity blast radius: when agent adoption scales without visibility, the real risk is not the number of agents but the number of uncontrolled access paths they create. Once thousands of identities appear in weeks, the programme problem becomes containment, not inventory alone. That shifts identity governance from reactive cleanup to proactive boundary-setting across entitlements, logging, and deprovisioning.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- From our research: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Forward pivot: The same governance pattern shows up in Guide to the Secret Sprawl Challenge, where exposure starts long before teams can prove control over the identity or secret itself.
What this signals
Identity inventory will become the first test of AI governance maturity. The article shows that organisations are discovering agent-linked identities only after they have already spread across environments. For practitioners, that means discovery tools, ownership metadata, and deprovisioning triggers will matter as much as policy language.
Shadow AI is forcing IAM teams to govern behaviour, not just credentials. Once an AI system can chain actions or invoke other agents, entitlements become only one part of the control story. The stronger programme signal is whether teams can still explain why an agent exists, what it is allowed to do, and when it must stop.
Agentic lifecycle control is becoming an adjacent discipline to secrets management. The more teams allow autonomous access paths, the more they need to pair secret handling with clear lifecycle boundaries and evidence capture. That makes identity governance, IAM operations, and NHI oversight converge rather than stay siloed.
For practitioners
- Build an agent identity inventory Scan cloud, SaaS, and on-prem environments for agent-linked identities, then record owner, purpose, data access, and expiry criteria for each one.
- Separate experiment access from production access Give AI experiments narrow, temporary permissions and block the reuse of broad credentials when prototypes move toward production use.
- Enforce lifecycle offboarding for every agent Require a start date, documented purpose, human owner, and deprovisioning trigger so dormant agents do not become zombie identities.
- Review conflicting agent workflows for segregation of duties Identify cases where one agent creates, approves, or deploys work that another agent validates, then require human oversight for those control pairs.
Key takeaways
- Shadow AI turns hidden software sprawl into hidden identity sprawl, which is harder to govern because the objects now make decisions.
- Broad permissions, weak lifecycle control, and absent segregation of duties are the main failure patterns that let agent populations grow unchecked.
- Teams need discovery, ownership, expiry, and evidence capture for agent identities before the population becomes too large to reconcile.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-01 | Shadow AI discovery and agent inventory map to identity and tool-use risk. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Agent lifecycle neglect and standing privilege are core NHI control failures. |
| NIST CSF 2.0 | PR.AC-4 | The article centres on access governance, auditability, and entitlement control. |
Review non-human access paths for least privilege and require evidence for each entitlement.
Key terms
- Shadow AI: Shadow AI is the use of AI agents, copilots, or orchestration services that enter an environment without security and IT visibility. In governance terms, it creates unmanaged identity subjects that can hold access, touch data, and change state before the organisation has established ownership or lifecycle control.
- Agent-linked identity: An agent-linked identity is a non-human identity assigned to an AI system so it can authenticate, access tools, or act inside enterprise environments. The key control question is whether the identity is inventoried, owned, and scoped to a purpose that can be reviewed and retired cleanly.
- Toxic combination: A toxic combination is a set of permissions that looks acceptable individually but becomes dangerous when combined across systems, workflows, or agents. For AI agents, the danger grows when broad access, weak oversight, and persistent credentials line up in a way that expands the effective blast radius.
- Agent lifecycle management: Agent lifecycle management is the governance process for creating, owning, reviewing, and removing AI agent identities. The practice matters because autonomous or semi-autonomous systems can outlive the experiment that created them, leaving behind access that is hard to detect and harder to justify.
What's in the full article
Token Security's full blog covers the operational detail this post intentionally leaves for the source:
- How the vendor recommends scanning cloud, SaaS, and on-prem environments for agent-linked identities
- The governance committee model described by the vendor, including how requests are reviewed and risk thresholds are set
- The article's practical lifecycle checklist for start date, purpose, owner, and deprovisioning criteria
- The regulatory evidence trail the vendor says teams should prepare for EU AI Act and ISO 42001 alignment
👉 Token Security's full post covers discovery, lifecycle rules, and audit preparation for agentic AI
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org