By NHI Mgmt Group Editorial TeamPublished 2026-05-31Domain: AnnouncementsSource: Token Security

TL;DR: Thousands of likely AI identities in customer environments can be identified by a new tagging feature, including more than 2,800 at one large enterprise, by combining name heuristics, trust policy signals, and usage analysis, according to Token Security. The real issue is not visibility alone but the identity assumptions that fail when AI activity hides behind ordinary service accounts.


At a glance

What this is: This is Token Security’s analysis of shadow AI identity tagging, showing that AI-driven access often appears through ordinary non-human identities and can be surfaced through layered identity signals.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes need to distinguish AI-accessible identities from ordinary service accounts before those accounts become unmanaged access paths.

By the numbers:

👉 Read Token Security’s analysis of tagging identities with AI access


Context

Shadow AI is what happens when AI activity runs through identities that do not look like AI at all. Service accounts, roles, connected apps, API keys, and non-human users can all become execution paths for agentic behaviour, which means conventional IAM visibility can miss the real actor behind the access.

For IAM and NHI teams, the governance problem is not just discovery. It is deciding which identities should be treated as AI-accessible, how to separate ordinary machine access from agent-driven usage, and how to keep lifecycle controls aligned when the same identity can be reused across projects, tools, and environments.


Key questions

Q: How should security teams identify AI-accessible service accounts in enterprise environments?

A: Start by correlating identity metadata, trust policies, connected resources, and live usage logs. Service accounts that attach to AI tooling, expose AI-related trust paths, or appear in agent execution telemetry should be treated as AI-accessible identities, even if their names look ordinary. The goal is not to guess intent. It is to classify runtime behaviour with enough confidence to drive governance decisions.

Q: Why do ordinary service accounts become a shadow AI risk?

A: Because AI agents often operate through identities that already have read, call, or act permissions. If those identities were created for another purpose, the agent inherits a valid access path that may never be reviewed as AI-driven. That turns a standard machine account into an untracked control plane for agent behaviour, which is exactly where governance breaks down.

Q: How do teams decide whether an AI identity tag is reliable enough for action?

A: Use provenance to separate strong signals from weak ones. A trust policy, attachment link, or live usage pattern is more reliable than naming cues alone. If the tag came from configuration evidence, teams can move faster on review and containment. If it came from naming only, it should trigger investigation first, not automatic remediation.

Q: Who should own remediation when an identity is tagged as AI-accessible?

A: Ownership should sit with the team that controls the identity’s permissions and attached workload, not with the platform team alone. That usually means application owners, cloud platform owners, or security engineering jointly confirming whether the identity is still needed, over-scoped, or reusable across multiple AI workflows.


How it works in practice

How layered identity tagging detects shadow AI

Token Security’s approach combines semantic name detection, platform-specific configuration signals, and usage analysis. That matters because a simple keyword scan is too brittle to catch identities that have been repurposed for AI workflows without obvious naming conventions. The strongest signals come from control-plane evidence such as AWS trust policies, Vertex AI attachments, service principal metadata, OAuth callback settings, and other resource-to-identity links. The weaker signals, such as name patterns, still add coverage when configuration is ambiguous. The technical point is that AI access is often inferred from a chain of identity evidence rather than a single source of truth.

Practical implication: teams should correlate identity metadata, attachment data, and live usage logs before deciding whether an identity is AI-accessible.

Why ordinary non-human identities become AI control planes

AI actions do not happen in the abstract. They execute through identities that can read data, call services, and act on behalf of infrastructure. That makes a service account, connected app, or API key more than a credential object. It becomes a control plane for agent execution when linked to tool use or active directives. In practice, the same identity may appear benign to human reviewers while serving as the privileged conduit for model-driven actions. This is why inventory quality alone is not enough. Security teams need to understand which identities are attached to AI resources, which are being used in production, and which are merely configured for future use.

Practical implication: classify identities by actual AI linkage and usage, not by whether they look like standard service accounts.

Why durable AI access tags matter for response and governance

A durable tag such as AI_ACCESS turns a weak discovery problem into an actionable governance signal. Once an identity is tagged, teams can apply monitoring, least-privilege review, and lifecycle controls consistently across the estate. The key architectural value is persistence. The tag survives beyond a single detection event, which allows investigators to compare exposures across platforms and over time. But the tag is only as reliable as the evidence chain behind it, so confidence depends on whether the identity was linked by trust policy, attachment metadata, or only naming cues. That distinction should shape how quickly the identity is escalated and who owns it.

Practical implication: establish a tag-to-workflow model so discovery results immediately route into access review, monitoring, and owner assignment.


NHI Mgmt Group analysis

Shadow AI is really an identity classification failure, not just a discovery gap. Once AI behaviour is hidden inside service accounts, roles, connected apps, and API keys, the security question changes from "what is running?" to "which identities are acting as AI control planes?" That is a governance problem because standard inventories were built to describe ownership, not runtime behaviour. The practitioner conclusion is that AI-accessible identity must become its own classification state.

Durable tagging creates a new control layer, but only if the evidence behind it is explicit. A tag derived from trust policy, attachment metadata, or usage telemetry is materially different from one inferred from naming alone. That distinction matters because confidence should drive response priority, owner assignment, and review depth. The practitioner conclusion is that identity tags need provenance, not just labels.

AI_ACCESS is a named concept worth using because it captures the operational reality of hidden agent pathways. It describes identities that are not inherently AI identities but are used by AI agents in ways that change their risk profile. This is where non-human identity governance and agentic AI oversight meet. The practitioner conclusion is to treat AI-accessible identities as a distinct population in governance reporting.

Existing IAM assumes that machine identities are relatively stable and human-reviewable, but shadow AI breaks that assumption. Those controls were designed for identities whose purpose is known at provisioning time and whose behaviour is visible in logs. That assumption fails when the same account can be used by an agent, a workflow, and a developer without a clear boundary. The implication is that access governance has to account for behaviour, not just assignment.

The real market signal is that identity security is becoming the policy layer for AI control. As AI agents increasingly operate through normal enterprise identities, discovery and governance tools will be judged on whether they can explain why an identity is AI-accessible, not merely whether they can label it. Practitioners should expect AI identity classification to become part of standard NHI and IGA operations.

From our research:

What this signals

AI-accessible identity will become a standard governance category, not a niche detection label. Once organisations can see that service accounts, roles, and connected apps are being used by agents, the next question is who owns those identities and how quickly they can be reviewed. Practitioners should expect NHI inventories to split into ordinary machine identities and AI-accessible identities, with different review cadences and escalation paths.

Shadow AI creates a measurable access-quality problem, not just a visibility problem. The programme signal is whether your controls can explain why an identity is AI-linked and whether that explanation survives audit. The more of your environment looks like a shared identity estate, the more important it becomes to align with the Top 10 NHI Issues and the identity lifecycle guidance in the Ultimate Guide to NHIs.

Access provenance will matter more as AI estates grow. If tagging cannot distinguish configuration evidence from naming cues, operations teams will either miss real agent use or drown in false positives. Practitioners should prepare for agent inventories, identity telemetry, and lifecycle records to be managed as one joined control problem.


For practitioners

  • Classify AI-accessible identities separately Create a distinct inventory state for identities that are used by AI agents, even when they look like normal service accounts or connected apps. Use that state to drive higher review priority and tighter ownership rules.
  • Require evidence-backed tagging Only accept an AI access label when the system can cite trust policy, attachment metadata, OAuth configuration, or live usage evidence. Keep naming heuristics as supporting signals, not sole proof.
  • Correlate tags with runtime telemetry Pair identity tagging with sign-in logs, API calls, and agent inventory correlation so you can see whether the tagged identity is actually executing AI-driven actions in production.
  • Route tagged identities into lifecycle controls Use the tag to trigger owner confirmation, least-privilege review, and offboarding checks for identities that may be reused across projects, tools, or environments.

Key takeaways

  • Shadow AI is an identity governance problem because AI-driven actions often run through ordinary service accounts, roles, and connected apps.
  • The scale signal is already visible in real environments, where one enterprise surfaced more than 2,800 likely AI identities after tagging was introduced.
  • Practitioners should treat AI-accessible identities as a distinct governed population, with evidence-backed tagging, runtime telemetry, and lifecycle controls tied together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Identity discovery and classification are central to shadow AI tagging.
NIST CSF 2.0PR.AC-4Least-privilege and access governance apply directly to AI-accessible machine identities.
OWASP Agentic AI Top 10A2Agent-to-tool identity pathways create misuse and privilege-abuse risk.

Inventory AI-accessible identities separately and tie each record to an accountable owner.


Key terms

  • Shadow AI: Unmanaged or undiscovered AI activity operating through enterprise identities that were not originally classified as AI identities. In practice, shadow AI often hides inside service accounts, connected apps, or API keys, making it an identity governance issue as much as an AI governance issue.
  • AI-accessible identity: A non-human identity that can be used by an AI agent to read data, call tools, or take actions in an environment. The identity may look ordinary in inventory, but its risk profile changes once it becomes part of an agent execution path.
  • Identity provenance: The evidence trail that explains why an identity was tagged, classified, or escalated. For AI-accessible identities, provenance includes configuration links, trust policies, usage logs, and metadata that show whether a label is based on strong evidence or weak naming cues.
  • Durable tagging: A persistent classification applied to an identity so it can be tracked across investigations, review cycles, and lifecycle events. Durable tags help security teams preserve context after discovery, but they only work well when the underlying evidence is captured and maintained.

What's in the full announcement

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • How the AI_ACCESS tag is derived from trust policies, Vertex attachments, and OAuth or app metadata
  • The platform-specific detection logic used across AWS, Google Cloud, Microsoft Entra ID, Salesforce, Okta, Snowflake, and Google Workspace
  • Examples of how the tag reason is exposed so teams can route identities into review and remediation workflows
  • What the vendor says about expanding coverage across more AI platforms and linking agent inventories to identity signals

👉 The full Token Security post covers the detection logic, platform coverage, and identity review workflow in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org