By NHI Mgmt Group Editorial TeamDomain: Agentic AI & NHIsSource: P0 SecurityPublished July 13, 2026

TL;DR: Authentication, agent inventory, and logging do not answer the central question in agentic systems: whether a requester, through an agent, using a tool, should be allowed to act on a resource at that moment, according to P0 Security. The control boundary shifts to runtime authorization, where access must be scoped to the assembled chain of authority and revoked when the task ends.


At a glance

What this is: This is an analysis of why agentic systems need runtime authorization, not just authentication, because the security decision depends on the full chain of requester, agent, tool, and resource.

Why it matters: It matters because IAM, PAM, and NHI programmes that only model static permissions will miss how authority is assembled dynamically across human, service account, and agent-driven actions.

👉 Read P0 Security's analysis of why authentication is not enough for agents


Context

Agentic access is different from ordinary application access because the identity that starts a session is not always the identity that performs the action. In these flows, a human, workload, service account, or another agent can trigger execution, but the real authority emerges only when the agent, tool, and resource are combined at runtime.

That creates an identity governance gap for IAM and NHI teams. Authentication can confirm who started the flow, but it does not decide whether the resulting action should be allowed, whether scope was exceeded, or whether access should end when the task ends.


Key questions

Q: How should security teams authorise actions in agentic workflows?

A: Security teams should authorise the full action chain at runtime, not just the agent or the initiating identity. That means evaluating the requester, the agent, the tool being called, and the target resource together before the action is allowed. Static entitlements and sign-in checks alone do not answer whether the assembled authority is acceptable at that moment.

Q: Why do autonomous agents break traditional IAM assumptions?

A: Autonomous agents break traditional IAM assumptions because they do not wait for human review cycles, and they may select actions and tools at runtime. That means access can be acquired and used before a recertification process sees it. IAM built around stable identities and durable roles cannot fully capture that behaviour.

Q: How can organisations tell whether agentic access is actually governed?

A: Look for policy enforcement at the point of action, not only at onboarding or approval time. A governed environment can explain who or what initiated the action, which agent acted, what tool was used, what resource was touched, and why the action was allowed or blocked. If those questions cannot be answered together, governance is incomplete.

Q: Who is accountable when an AI agent uses delegated access incorrectly?

A: Accountability should follow the delegated authority chain, not stop at the agent label. The relevant owners are the teams responsible for the human identity, the service identity, the workflow, and the policy that allowed the action path. If those responsibilities are not explicit, incident review will be incomplete and remediation will focus on the wrong layer.


Technical breakdown

Why agentic authentication stops short of authorisation

Authentication proves that a requester initiated a session, but agentic systems separate initiation from execution. The requester may be a human, service account, workload, or another agent, and the action may be carried out by a different runtime identity with broader reach. That means the security question is not only who signed in, but who assembled authority in the moment. Traditional IAM models treat identity as stable across the session, while agentic systems can combine delegated intent, tool capability, and resource reach into a new effective privilege set. Practical implication: build policy checks that evaluate the requester, agent, tool, and resource together before action is allowed.

Practical implication: move decision-making from sign-in time to runtime authorization for agentic workflows.

How runtime authorization constrains the full chain of authority

Runtime authorization is the control layer that evaluates what an agent is about to do, not just what it was allowed to do at provisioning time. It should consider the requested action, the connected tool, the target resource, and the initiating actor behind the agent. This is especially important when an agent can call tools, spawn sub-agents, or interact with production systems. In those cases, the effective authority is assembled across multiple identities and systems, which makes static entitlements insufficient. Practical implication: enforce policy decisions at the point of action, with context from the requester, the agent, the tool, and the resource.

Practical implication: authorise each action at execution time, not only at approval or onboarding time.

Why audit logs are necessary but not enough

Logs can show that an event happened, but they often split the story across different systems. The requester may be recorded in one place, the agent in another, and the tool activity in a third. That fragmentation makes post-incident review incomplete because leadership cannot easily reconstruct the assembled authority that enabled the action. For agentic systems, auditability must answer who or what initiated the action, which agent acted, which tool was used, what resource was touched, and whether the action aligned with policy. Practical implication: design logging around the full authority chain, not around isolated system events.

Practical implication: correlate identity, tool, and resource telemetry so governance decisions are explainable after the fact.


NHI Mgmt Group analysis

Runtime authorization is the real control boundary for agentic access. Authentication tells you who started the session, but it does not tell you whether the resulting action should be allowed once the agent, tool, and resource are combined. That gap is why static IAM views fail to model agentic behaviour. The practitioner conclusion is straightforward: policy must evaluate the full chain of authority at the moment of action.

Blended identity for agents is emerging because authority is no longer single-threaded. A requester can be human, workload, service account, or another agent, and the execution path can include tools and downstream workflows that were never visible in the original request. That means the control problem is not just identity proofing, it is authority composition. Practitioners need to treat agentic access as a governed chain, not as a single principal.

JIT access loses value if it is not tied to the end of the task, not just the end of a login session. In agentic systems, access can be exercised through tooling long after the original requester has left the screen. That makes standing authority inside a workflow more dangerous than standing access on paper. The practitioner conclusion is to align entitlement duration with task completion, not with user convenience.

Fragmented logs create false confidence in agent oversight. An organisation can have a valid token, a visible agent, and a complete tool log and still be unable to prove whether the action should have been allowed. The missing piece is decision context, not more telemetry. Practitioners should assume audit trails are evidence, not governance.

OWASP Agentic Applications Top 10 and OWASP NHI Top 10 are converging for one reason: the attack surface is the authority chain. Agentic systems inherit NHI problems such as secrets exposure and privilege sprawl, but they also add runtime decision complexity. The implication is that identity security teams should stop separating agent control from NHI control in their operating model.

What this signals

Runtime authority will become the organising concept for agent governance. Teams that keep separating authentication from authorisation will miss how quickly agentic access can move across tools and systems. The practical shift is toward policy engines and telemetry models that evaluate the full chain of authority before an action completes.

For identity leaders, the near-term question is whether access reviews, JIT controls, and audit trails are still built around a human-paced session model. If they are, they will underfit agentic behaviour and overstate control maturity.

Blended identity for agents should be treated as an operating model change, not a feature request. Once requesters can be humans, workloads, service accounts, or other agents, the governance problem becomes cross-domain. That means IAM, PAM, and NHI teams need one control vocabulary for delegated actions and one audit path for proving why each action was allowed.


For practitioners

  • Evaluate authority at runtime Require policy checks to assess the requester, agent, tool, and resource together before an action executes, especially when the flow can reach production systems or customer data.
  • Tie JIT access to task completion Define access expiry around the completion of the workflow or task, not just the closure of a session, so agentic actions do not retain authority longer than intended.
  • Correlate identity and tool telemetry Join logs from the initiating principal, the agent runtime, and the tool layer into one audit path so reviewers can reconstruct who assembled the authority behind each action.
  • Review delegated workflows for hidden reach Map where an approved agent can trigger downstream systems, spawn sub-agents, or reach resources the requester could not touch directly, then constrain those paths explicitly.

Key takeaways

  • Agentic systems shift the control boundary from authentication to runtime authorization, because authority is assembled across requester, agent, tool, and resource.
  • Static IAM views and fragmented logs create false confidence unless they can explain the full chain of authority behind each action.
  • Practitioners should align policy, JIT expiry, and audit design to task completion and execution context, not only to sign-in events.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article centers on runtime authorisation for agentic actions and tool use.
OWASP Non-Human Identity Top 10NHI-03NHI-03 aligns with delegated access and ephemeral credential governance for agents and tools.
NIST AI RMFGOVERNAccountability and oversight for agentic decision chains are governance concerns.
NIST Zero Trust (SP 800-207)Zero Trust fits the need to verify each action with context, not trust a session.
NIST CSF 2.0PR.AC-4Least privilege and access governance are central to the runtime control problem.

Apply NHI-03 to review delegated access, credential scope, and task-bound expiry for agentic workflows.


Key terms

  • Runtime Authorisation: Runtime authorisation is the practice of deciding access while a task is in progress, rather than only at provisioning time. It matters for NHIs because credentials and entitlements can change risk mid-session, especially when automation or AI agents interact with sensitive systems.
  • Authority chain: An authority chain is the path of permissions and delegation that explains how an action became possible. It includes the original identity, any service accounts or tokens involved, and any handoffs that changed who could act next.
  • Blended Identity For Agents: Blended identity for agents describes the practical reality that an agentic action may be triggered by one identity and executed through another. The governance challenge is to preserve accountability and policy enforcement across that handoff, especially when tools and downstream workflows expand the original request.
  • Task-bound Access: Task-bound access is a permission model that grants authority only for a specific, time-limited action and removes it when the task ends. It is a practical control for NHIs because it reduces standing privilege and limits how far a compromised workflow can move.

What's in the full article

P0 Security's full article covers the operational detail this post intentionally leaves for the source:

  • How requester, agent, tool, and resource relationships are evaluated in a runtime decision path
  • The practical difference between observing agent activity and authorising agentic access
  • Why fragmented logs make post-action review harder across identity and tooling systems
  • How teams should think about revoking access when an agent task ends

👉 The full P0 Security post expands on runtime authorization, delegated authority, and auditability for agentic systems.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org