By NHI Mgmt Group Editorial Team
Published 2025-08-26
Domain: Agentic AI & NHIs
Source: Lakera

TL;DR: The rise of interconnected AI-to-AI systems expands the attack surface beyond human-to-machine workflows, with Gartner estimating that 80% of organisations will have deployed GenAI in production by 2026. The security model must shift from protecting prompts and users to governing agent capability, containment, traceability, and accountability before autonomous interactions scale beyond control.


At a glance

What this is: This article argues that the internet of agents will turn AI into a deeply interconnected operational layer, where security must govern what agents do, not just what they can access.

Why it matters: That matters because IAM, NHI, and emerging agent governance programmes will need controls that survive machine-to-machine delegation, expanding capability, and faster-than-human attack propagation.

By the numbers:

👉 Read Lakera's analysis of the internet of agents and AI security risk


Context

The internet of agents describes a shift from AI systems that assist humans to AI systems that increasingly negotiate, coordinate, and execute work with minimal human intervention. For identity security, the key issue is not intelligence in the abstract. It is the emergence of software actors that can cross tool boundaries, exchange context, and act across systems faster than existing review and approval models were built to handle.

That creates a direct governance problem for IAM, NHI, and lifecycle programmes. Human-era controls assume a stable operator, a stable request, and a review loop that can keep pace with access decisions. Agent-to-agent interaction breaks those assumptions by creating more dynamic delegation chains, more transient execution paths, and more opportunities for privilege to expand inside a session rather than across a traditional access lifecycle.


Key questions

Q: How should security teams govern AI agents that can hand work off to other agents?

A: Security teams should govern the full delegation chain, not only the first agent in the sequence. That means mapping where context enters, where it is reused, which tools are called, and where output can be forwarded. The key is to bound propagation and preserve attribution at every step, so downstream action remains visible and containable.

Q: Why do AI agents create a bigger security problem than ordinary automation?

A: AI agents create a bigger problem because they can interpret context, choose actions at runtime, and interact with tools in ways that are not fully predetermined. Ordinary automation follows a fixed path. Agentic behaviour can change the action path inside the session, which makes authorisation and containment harder to reason about.

Q: What breaks when access review processes are applied to agent networks?

A: Access review breaks when the actor’s useful privilege window is too short or too dynamic for human cadence to catch. Agents can acquire context, use tools, and pass work on before a review cycle even starts. That makes retrospective certification an incomplete control for runtime behaviour.

Q: What frameworks should teams use to evaluate AI agent identity risk?

A: Teams should align agent governance with OWASP Agentic AI guidance, NIST AI Risk Management Framework principles, and zero trust controls that limit trust propagation. The practical goal is to make agent activity attributable, bounded, and inspectable across tool use and delegation.


Technical breakdown

Internet of agents architecture and identity boundaries

The internet of agents is a networked model in which AI systems communicate with one another, call external tools, and pass tasks through delegation chains. That is materially different from a single assistant embedded in a chat interface. Once an agent can invoke APIs, retrieve data, and hand off work to another agent, the security unit is no longer just the model. It is the whole chain of context, credentials, and downstream action. Identity controls therefore need to account for who initiated the task, which systems the agent can touch, and how far context can propagate across steps.

Practical implication: define identity boundaries around the full delegation chain, not just the first agent that receives the prompt.

Why universal capability expands the attack surface

LLMs are different from prior automation because they can interpret natural language, generate outputs, and interact with tools in a single interface. That combination creates a universal capability layer, where a simple input can produce text, API calls, code execution, or further delegation. Security risk grows because the developer may not fully predict which capability will be used in runtime. In practice, that means the control problem shifts from static authorization at build time to runtime governance over what the agent can do with its available tools and context.

Practical implication: scope agent permissions around specific executable actions, not around broad tool access alone.

Containment, traceability, and accountability for agent interactions

As agent networks become more interconnected, a failure in one node can propagate rapidly through downstream systems. The article’s core technical point is that security posture must include containment, traceability, visibility, accountability, and actionability. Those are not abstract virtues. They are the minimum properties needed to understand what an agent did, why it did it, and how far the effect spread. Without them, a benign workflow can become an uncontrolled execution path with no practical way to reconstruct responsibility or limit blast radius after the fact.

Practical implication: instrument agent activity so every action is attributable, replayable, and bounded before it can propagate further.


Threat narrative

Attacker objective: The attacker aims to turn trusted agent connectivity into a scalable path for manipulation, exfiltration, or operational disruption across interconnected AI systems.

  1. entry: An attacker can reach agent workflows through ordinary text input, poisoned content, or a shared data source that the model is allowed to process.
  2. escalation: The agent’s broad capability set lets a harmless-looking request expand into tool use, API calls, or chained interactions that were not explicitly anticipated by the developer.
  3. impact: A compromised or manipulated node can propagate misleading context or harmful actions across the agent network, multiplying failure across downstream systems.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agent governance now depends on controlling action, not just access: The article is right that agentic systems change the security problem, but the deeper shift is that access is no longer the decisive boundary. Once agents can interpret context, choose tools, and pass work onward, the meaningful unit becomes the action chain. That is where accountability, containment, and review must sit. Practitioners should treat agent workflows as governed execution paths, not as enlarged user sessions.

Universal interface is a permission problem disguised as a usability feature: Natural language is not just a user interface. It is a low-friction path into privileged systems, external services, and structured data. That makes the old assumption that “only technical users can drive high-risk behaviour” obsolete. The implication is that identity teams must re-evaluate how intent is expressed, validated, and bounded when language itself becomes an execution trigger.

Containment is the new least privilege for connected agents: In an agent network, over-broad connectivity matters as much as over-broad permission. The first weak link can propagate context, decisions, and side effects into systems that were never the original target. That is why containment must be designed as a runtime property, not a policy afterthought. Practitioners should think in terms of limiting propagation, not just limiting initial access.

The governance assumption that breaks is stable, human-paced review: Access review processes were designed for actors whose privileges persist long enough to be observed, certified, and removed on a human schedule. That assumption fails when an actor can request, use, and hand off capabilities inside one compressed operational window. The implication is not merely to add more reviews, but to recognise that the review model itself no longer matches the pace of execution.

Runtime agent behaviour creates an identity blast radius that IAM alone cannot see: Traditional identity stacks are strong at proving authentication and assigning entitlements, but weaker at describing how far a delegated action can travel once execution begins. That gap becomes more visible in AI-to-AI systems where one agent’s decision becomes another agent’s input. Practitioners should treat blast radius as a first-class governance metric across NHI and agentic programmes.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • That confidence gap is a signal to move from static entitlement thinking to runtime governance, as explored in Top 10 NHI Issues.

What this signals

Identity blast radius is the right concept for this shift: once agents can pass work and context between systems, the problem is not only whether an identity is authenticated, but how far its influence can travel. With only 1.5 out of 10 organisations highly confident in securing NHIs, according to The State of Non-Human Identity Security, the sector is still underestimating the pace at which machine-driven trust can spread.

Programmes that centre on human review cycles will need to adapt to machine-speed execution, especially where task handoff becomes the normal operating model. That creates pressure to align identity design with zero trust principles from NIST AI Risk Management Framework thinking and to treat delegation as a control surface rather than a convenience.

The next governance step is to separate policy intent from runtime behaviour. In practice that means measuring whether agent workflows can be traced, bounded, and halted before downstream propagation creates unreviewable side effects.


For practitioners

  • Map agent delegation chains end to end: Inventory where an agent can receive context, call tools, delegate to another agent, and return results to humans or systems. Document the full chain so ownership, logging, and containment are attached to the complete workflow, not just the first model call.
  • Constrain runtime actions rather than broad model access: Define the smallest executable actions an agent may perform, then separate read, write, and handoff permissions. Apply additional checks before any action that can alter data, trigger workflows, or expand into a new system boundary.
  • Add propagation limits to agent workflows: Set explicit boundaries on how far an agent’s context, outputs, or delegated instructions can travel. Treat cross-system forwarding as a security control point, especially where downstream agents can inherit and amplify upstream trust.
  • Instrument traceability for every agent action: Record which input triggered the action, which tools were called, what data was accessed, and what downstream system received the output. Make the log usable for incident review and behavioural analysis, not just compliance reporting.
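The delegation-chain controls described in the Technical breakdown and the four practitioner steps above, as an added Python example that is not from the Lakera article or NHI Mgmt Group: a small runtime gate that preserves attribution (only the current holder of a task may act), scopes permissions to read/write/handoff actions rather than whole tools, enforces a propagation limit on handoffs, requires explicit approval before a boundary-crossing tool is used, and writes an audit record for every decision. The agents, tools, policy and task are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy for the example: per-agent sets of (tool, mode) the agent may execute.
# Modes are split into read / write / handoff so a write is never implied by read access.
POLICY = {
    "planner": {("ticket_db", "read"), ("summariser", "handoff")},
    "summariser": {("ticket_db", "read"), ("mailer", "write"), ("archiver", "handoff")},
    "archiver": {("archive", "write")},
}
MAX_HANDOFFS = 1             # propagation limit: how many hops a task may travel
BOUNDARY_TOOLS = {"mailer"}  # tools that push output outside the system; need explicit approval

@dataclass
class TaskContext:
    origin: str                                 # human or system that initiated the task
    chain: list = field(default_factory=list)   # agents in handoff order; the last one holds the task
    audit: list = field(default_factory=list)   # one record per evaluated action

def evaluate(ctx, agent, tool, mode, approved=False):
    """Gate one proposed action, record it, and return (allowed, reason)."""
    if ctx.chain[-1] != agent:
        decision = (False, "actor is not the current holder of the task")
    elif (tool, mode) not in POLICY.get(agent, set()):
        decision = (False, f"{agent} may not {mode} {tool}")
    elif mode == "handoff" and len(ctx.chain) > MAX_HANDOFFS:
        decision = (False, "propagation limit reached")
    elif tool in BOUNDARY_TOOLS and not approved:
        decision = (False, "boundary crossing requires explicit approval")
    else:
        decision = (True, "ok")
    # Traceability: who started the task, the chain so far, and exactly what was attempted.
    ctx.audit.append({"origin": ctx.origin, "chain": list(ctx.chain), "agent": agent,
                      "tool": tool, "mode": mode, "allowed": decision[0], "reason": decision[1]})
    if decision[0] and mode == "handoff":
        ctx.chain.append(tool)  # the handoff target becomes the new holder of the task
    return decision

def run_demo():
    """Walk a constructed task through the chain and return its audit trail."""
    ctx = TaskContext(origin="user:alice", chain=["planner"])
    evaluate(ctx, "planner", "ticket_db", "read")         # allowed
    evaluate(ctx, "planner", "summariser", "handoff")     # allowed: first hop
    evaluate(ctx, "planner", "ticket_db", "read")         # denied: planner no longer holds the task
    evaluate(ctx, "summariser", "mailer", "write")        # denied: boundary tool without approval
    evaluate(ctx, "summariser", "mailer", "write", True)  # allowed with explicit approval
    evaluate(ctx, "summariser", "archiver", "handoff")    # denied: propagation limit reached
    return ctx.audit
```

Every record in the returned audit trail carries the originating principal and the full chain at the time of the decision, which is what makes a denied or misused action attributable after the fact.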

Key takeaways

  • The internet of agents turns identity governance into an execution problem, because the risk is no longer just who can log in but what chained actions can occur after access is granted.
  • Interconnected AI systems expand blast radius quickly, so containment, traceability, and accountability become baseline controls rather than optional enhancements.
  • Teams should redesign governance for runtime delegation, because human-paced review models will not reliably capture agent behaviour once systems begin handing work to each other.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
OWASP Agentic AI Top 10       |                     | Agent-to-agent tool use and delegation map directly to agentic AI threat controls.
NIST AI RMF                   |                     | Governance, traceability, and accountability are core AI RMF concerns for agent networks.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Least-privilege and continuous verification are needed when agent trust propagates across systems.

Treat agent delegation as zero trust traffic and verify each action before it crosses a boundary.


Key terms

  • Internet of Agents: A networked environment where AI systems communicate with one another, share context, and execute tasks across multiple tools or services. In security terms, the unit of governance is no longer a single assistant but the whole delegation chain and its downstream effects.
  • Agent Delegation Chain: The sequence of handoffs in which one agent passes context, decisions, or work to another system. The chain matters because each link can expand trust, multiply exposure, and make attribution harder unless logging and containment are designed across the entire path.
  • Identity Blast Radius: The maximum operational impact that can follow from a single identity, credential, or delegated action. For agentic systems, blast radius is not just access scope. It also includes how far context, outputs, and side effects can propagate before control is lost.
  • Runtime Governance: Controls that evaluate and constrain behaviour while a system is operating, rather than only at provisioning or design time. For agents, runtime governance is essential because intent, tool choice, and execution order can emerge after the session begins.

What's in the full article

Lakera's full article covers the conceptual and operational detail this post intentionally leaves for the source:

  • The article’s longer examples of how human assistants, coding agents, and business functions change as AI systems become more autonomous.
  • The discussion of why the internet of agents raises risk beyond traditional human-to-machine AI use cases.
  • The article’s explanation of containment, traceability, visibility, accountability, and actionability as the security baseline for interconnected agents.
  • The broader argument for building a secure foundation before agent networks scale further.

👉 Lakera's full article expands the examples and security design arguments behind interconnected agent risk.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.

NHIMG Editorial Note

Published by the NHIMG editorial team on 2025-08-26.

NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org