The authorization gap is widening across NHI and agentic AI

At a glance

What this is: This reference paper argues that the enterprise authorization gap is a structural control failure, not an authentication problem, and that NHI and agentic AI now expose it at runtime.

Why it matters: IAM practitioners need to treat authorization as a live control plane because human-era review cycles, role models, and entitlement snapshots do not govern machine-scale and agent-driven decisions.

By the numbers:

• Non-human identities now outnumber human identities by a wide and accelerating margin, commonly cited industry figures range from 45:1 to 92:1 with a weighted enterprise average around 82:1.

👉 Read EnforceAuth's analysis of the authorization gap in enterprise IAM

Context

Enterprise authorization is being asked to govern subjects that no longer behave like people. The primary keyword here is authorization gap, which describes the distance between authentication-first IAM models and the continuous decisions modern NHI and agentic AI systems require.

That gap widens because service accounts, tokens, workloads, and AI agents act at machine speed while policy and review cycles still operate at human speed. For practitioners, the issue is no longer whether access exists, but whether each runtime action is still authorized in its current context.

The paper is relevant to teams that already have mature identity controls, because maturity in human IAM does not automatically extend to non-human identities. The starting point described in the article is increasingly typical for large enterprises, not an edge case.

Key questions

Q: How should security teams govern authorization for NHI and AI agent requests?

A: Security teams should govern NHI and AI agent requests with per-request authorization, not only lifecycle reviews or static roles. That means evaluating current identity, request provenance, resource state, and data sensitivity before each action is allowed. The control point must sit in front of execution so the decision reflects present context, not yesterday’s entitlement.

Q: Why do non-human identities create more authorization risk than human accounts?

A: Non-human identities create more authorization risk because they operate at machine speed, appear and disappear continuously, and often carry permissions that outlive the original task. A role that looks reasonable at provisioning time can become excessive once the workload, tool chain, or agent context changes. The result is hidden overauthorization, not just credential sprawl.

Q: What breaks when access reviews are used as the main control for NHI governance?

A: Access reviews break down when they are treated as the primary control for NHI governance because they happen too slowly and see only snapshots. Many NHI actions occur between review cycles, and many identities are short-lived or ownerless by the time review starts. Reviews still matter, but they cannot substitute for live enforcement.

Q: What is the difference between authentication and authorization in modern IAM?

A: Authentication proves the subject is known. Authorization determines whether that subject may perform a specific action, on a specific resource, in a specific context, right now. Modern IAM fails when these are conflated, because a valid identity does not automatically mean a valid action. Continuous authorization is the missing control.

Technical breakdown

Why authentication no longer answers the authorization question

Authentication establishes that a subject is known. Authorization decides what that subject may do right now, against this resource, with this context, and on whose behalf. The article argues that enterprises have over-invested in the first question and underbuilt the second, leaving policy fragmented across IdPs, cloud IAM, databases, service meshes, and application code. When policy is scattered, no single system can answer who can do what with confidence. The result is stale decisions, hidden overprovisioning, and inconsistent enforcement across runtime surfaces.

Practical implication: move authorization decisions out of scattered app logic and into a coherent policy plane with live context.

Why NHI lifecycle controls do not close runtime access gaps

Non-human identities are created in code, pipelines, consoles, and orchestration systems, often with short lifetimes and unclear ownership. That makes traditional lifecycle discipline necessary but insufficient. The article’s core point is that provisioning and deprovisioning cannot keep pace with continuously appearing identities and rapid task changes. Lifecycle events are too coarse when the real risk occurs inside the session, not only at creation or revocation. That is why entitlement reviews alone do not describe actual runtime authority.

Practical implication: pair lifecycle governance with per-request authorization that evaluates live identity, data, and request provenance.

How policy-as-code supports continuous enforcement

Policy-as-code turns authorization into versioned logic that can be tested, deployed, and enforced through a separate decision point and enforcement point model. In the paper’s architecture, the PDP evaluates each request against current policy, context, and provenance, while the PEP blocks or allows the action at the edge. This is especially important for agentic AI and tool calls, where every invocation is an authorization event. Without this separation, policy becomes implicit, inconsistent, and impossible to audit at runtime.

Practical implication: require a decision architecture that can evaluate every request with current context before the action executes.

Threat narrative

Attacker objective: The attacker or misuse path is to make each individual authorization decision look valid while the overall chain produces unauthorized business impact.

1. Entry occurs when an AI agent, service account, or workflow gains legitimate access that is broader than the immediate task requires.
2. Escalation happens when the actor composes dynamic tool calls, chained permissions, or stale entitlements into actions no human review cycle was designed to catch.
3. Impact is unauthorized data movement, overbroad refunding, external exfiltration, or pipeline misuse that looks legitimate in isolation but is wrong in composition.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

The authorization gap is a structural defect, not a tuning problem. Authentication-centric IAM was built for rare, human-paced access decisions, while the modern enterprise now runs on continuous machine and agent decisions. That mismatch means the issue is architectural, not procedural. Policy written for quarterly review cannot govern thousand-decision-per-minute execution. Practitioners should treat authorization as a first-class runtime control plane, not an afterthought.

Standing privilege is no longer a sufficient unit of governance for NHI or agents. The article shows that identities are now created in code, in pipelines, and on demand, then used in ways that outlive the original business context. Once access becomes task-bound and time-bound, static entitlements stop describing actual authority. Security teams should re-evaluate entitlement models that assume access remains stable long enough to be reviewed.

Policy drift across identity surfaces is becoming the hidden control failure. When roles, cloud permissions, database grants, ACLs, and application rules all answer access differently, the enterprise loses any authoritative source of truth for runtime authorization. The named concept here is the authorization gap, and it captures the broken handoff between identity proofing and action approval. Practitioners should consider that unmanaged policy surfaces now create risk even when individual systems appear correctly configured.

Agentic AI turns authorization from a periodic governance issue into a per-decision accountability problem. The article’s agent examples are important because they demonstrate that tools are selected dynamically, not pre-scripted. That means classic access review assumptions do not hold when the real decision happens inside a tool call or delegation chain. The implication is that governance must track provenance and intent at runtime, not simply who was granted a role.

From our research:

• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
• From our research: Only 5.7% of organisations have full visibility into their service accounts, which means most teams still lack a reliable view of NHI ownership and exposure, according to Ultimate Guide to NHIs.
• Read the 52 NHI Breaches Analysis for the breach patterns that show why static entitlement review repeatedly fails in practice.

What this signals

The practical signal for security teams is that authorization must become a runtime capability rather than a quarterly governance exercise. As the article shows, once workloads and agents can initiate decisions continuously, the old assumption that access can be reviewed after the fact no longer holds. Teams should prepare for tighter policy coupling between identity, data, and execution context.

Authorization gap: this is the widening mismatch between who is authenticated and what is actually authorized at decision time. That gap will surface first in tool-call flows, delegated service identities, and policy sprawl across cloud and application layers. Security programmes should expect the operational burden to shift from entitlement cleanup to runtime decision accuracy.

With 97% of NHIs carrying excessive privileges in our research, the governance problem is not limited to agentic AI, it already exists across the machine identity estate. The next phase is to unify NHI controls, zero trust policy, and authorization telemetry so that runtime decisions can be reviewed, explained, and enforced consistently.

For practitioners

• Map authorization surfaces end to end Inventory where access decisions are made today across IdP, cloud IAM, Kubernetes, databases, application logic, and tool-call gateways. Identify where policy is duplicated, contradictory, or implicit so the team can see which runtime decisions lack a single authoritative control point.
• Enforce per-request policy checks for non-human actors Require every workload, service account, and agent request to pass through a decision point that uses live context, not only stored entitlements. Include request provenance, resource state, and data sensitivity in the evaluation so the decision reflects current conditions.
• Separate enforcement from application code Move the allow or deny decision into a dedicated PEP and keep policy versioned, testable, and observable. This reduces hidden logic in microservices and makes authorization outcomes auditable when access changes rapidly or is delegated through tools.
• Rebuild reviews around runtime authority Use access reviews to validate ownership and policy drift, but do not treat them as the main control for NHIs or agents. The higher-value check is whether the actor still has authority for the current task, current data, and current provenance before execution completes.

Key takeaways

• The article’s central claim is that enterprise security now suffers from an authorization gap, not simply an authentication gap.
• The scale problem is already visible in machine identity populations, policy sprawl, and runtime decision volume that human-era IAM was never built to handle.
• Practitioners need live, per-request authorization with provenance and enforcement separation, because static reviews cannot govern modern NHI and agentic behaviour.

Key terms

• Authorization Gap: The authorization gap is the distance between proving an identity and deciding what that identity may do at runtime. In practice, it appears when policy is fragmented, stale, or reviewed too slowly to govern machine-speed work. It is an architectural failure, not a single missing control.
• Policy Decision Point: A policy decision point is the service that evaluates a request against policy, context, and provenance before returning permit or deny. For non-human and agentic workloads, the PDP becomes the authoritative answer to what the subject may do right now, not the IdP or application logic.
• Policy Enforcement Point: A policy enforcement point is the control that blocks or allows the action after the decision is made. It sits in front of execution, such as an API gateway, proxy, or tool-call boundary, so the policy decision can be applied before damage occurs.
• Request Provenance: Request provenance is the chain of origin information that explains where a request came from and who or what initiated it. For NHI and agentic systems, provenance includes the originating user, tool chain, prompt, and delegation path, because those details shape authorization decisions.

Deepen your knowledge

The authorization gap and continuous policy enforcement are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to govern machine identities and agentic workflows with human-era controls, it is worth exploring.

This post draws on content published by EnforceAuth: The Authorization Gap and the future of enterprise identity. Read the original.