Zero standing privileges is the access model agentic AI needs

At a glance

What this is: This is Strata Identity's analysis of why agentic AI pilots stall in security review, with zero standing privileges positioned as the access model that prevents privilege drift.

Why it matters: It matters because IAM, PAM, and NHI teams must govern runtime-minted agent access differently from human roles or long-lived service accounts, or production approvals will keep failing.

👉 Read Strata Identity's analysis of zero standing privileges for agentic AI

Context

Privilege drift is the gap between access that was granted for convenience and access that still exists when the environment, workload, or business need has changed. In agentic AI systems, that drift builds quickly because service accounts get reused, OAuth scopes expand, and no one wants to revoke permissions that finally made the pilot work. For NHI governance, the question is not whether access can be added. It is whether access can be bounded at runtime.

Zero standing privileges changes the identity model by removing persistent access from the agent altogether. Instead of pre-provisioned roles, the system mints ephemeral tokens for a specific task, tool, and requester authority. That shifts control from periodic review to architectural constraint, which is why agentic identity governance now sits directly inside IAM, PAM, and NHI programme design. The core issue is not tooling complexity. It is whether your governance model can survive identities that exist only while the task runs.

Key questions

Q: What breaks when agent access is pre-provisioned instead of minted at runtime?

A: Pre-provisioned access turns dynamic agent behaviour into permanent privilege. The result is privilege drift, reused service accounts, ballooning OAuth scopes, and unclear accountability when security reviews ask who can do what and why. Runtime-minted access avoids that failure by limiting authority to the task being executed.

Q: Why do agentic systems make standing privileges riskier than in traditional IAM?

A: Agentic systems make standing privileges riskier because the agent’s intent is only known during execution, not at provisioning time. Static access models assume stable roles and slow change, which does not fit ephemeral, task-driven behaviour. That mismatch expands blast radius and breaks least-privilege assumptions.

Q: How do security teams know if zero standing privileges is actually working?

A: Look for credentials that are created only at runtime, scoped to a single task or tool, and removed automatically after completion. If the same access can be reused across workflows, environments, or long after the task ends, then standing privilege has returned and drift is still present.

Q: What should IAM and PAM teams do before approving an agent pilot?

A: They should verify that the pilot can operate without durable roles, reusable service accounts, or manually expanded OAuth scopes. If the design cannot prove access is bounded at the moment of use, the pilot is not ready for production review and the governance model still depends on static privilege.

Technical breakdown

Why privilege drift accelerates in agentic AI

Agentic systems break the assumptions behind static access because the identity does not behave like a human user or a conventional workload. The system may need different tools for different tasks, and it may reach those tools through MCP or other runtime integrations that were not known at provisioning time. If access is assigned up front, every guess becomes durable privilege. That is how broad roles, reused service accounts, and inflated OAuth scopes become the default instead of the exception. In this model, drift is not an operational mistake. It is the expected outcome of static authorisation applied to dynamic execution.

Practical implication: review where agent access is pre-provisioned and replace it with runtime authorisation boundaries.

How runtime-minted tokens enforce zero standing privileges

Runtime-minted access works by issuing ephemeral credentials only when a task is authorised, then scoping those credentials to the specific tool, action, and requesting authority. The security value is not just shorter lifetime. It is that the agent never accumulates a standing entitlement that can later be reused, inherited, or forgotten. This is the architectural difference between controlling access and merely auditing it afterward. In practice, the design should prevent agents from touching resources outside the token scope and should make expiration automatic once the task completes.

Practical implication: bind each agent action to ephemeral, task-scoped credentials that expire when the workflow ends.

Why an AI identity gateway becomes the enforcement point

A control plane between agents and resources is needed because distributed identity decisions inside each agent create inconsistent policy and fragmented review. An AI identity gateway centralises enforcement, downscopes credentials before the agent reaches a tool, and keeps the authorisation decision out of the agent itself. That matters because the agent should not be the entity deciding the scope of its own access. The architectural point is not just convenience. It is preventing standing privilege from reappearing through a side door when teams try to layer identity logic directly into the agent.

Practical implication: place a policy enforcement layer between agents and tools so access is downscoped before execution.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Zero standing privileges is the right control model because agentic identity has no stable access state to review. Static IAM assumes access persists long enough to be certified, recertified, or revoked on a human timescale. That assumption fails when agent access is minted at runtime and discarded at task completion. The implication is not simply tighter controls, but a different governance premise for non-human identity.

Privilege drift becomes a design property, not an exception, when teams pre-provision agent access. Agent-specific authority is unknown until execution begins, so broad roles and reused service accounts are guesses that harden into permanent access. This is exactly the sort of access expansion OWASP-NHI and zero trust models are meant to constrain, but agentic systems expose how easily convenience turns into durable blast radius. Practitioners should treat broad agent access as an architectural failure mode, not a tuning issue.

Runtime authorisation is the named concept this article sharpens: access must be created at the moment of use, not at onboarding. That principle changes the governance conversation from review cadence to access formation. It also aligns agentic identity with task-scoped accountability rather than identity persistence. The practical conclusion is that production readiness now depends on whether a programme can prove access bounded by execution, not by role assignment.

Security review fails when the organisation cannot answer who has access to what, and why, for an agent. That is not a documentation problem alone. It is a signal that the governance model still depends on static privilege and human lifecycle assumptions. The broader identity discipline now has to distinguish between access that is observable and access that only exists ephemerally at runtime.

Agentic systems expose the limit of traditional access reviews because review without persistence is not governance. If permissions are created for a single task and expire immediately, a periodic certification process sees too little, too late. That is the real governance shift here. Teams need to decide whether they are managing identities or managing transactions, because agentic access behaves much more like the latter.

From our research:

• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
• Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
• For a broader governance lens, see NHI Lifecycle Management Guide for how access, rotation, and offboarding should be tied together.

What this signals

Runtime authorisation will become the dividing line between agent pilots that pass review and those that stall. Teams that keep treating agent access like human role assignment will keep inheriting privilege drift, while those that shift to task-bound credentials will reduce review friction and make accountability visible. The practical signal is that identity teams should evaluate whether their control plane can enforce access at execution time, not just report on it later.

Zero standing privileges is now a governance requirement for autonomous-style execution, not an optimisation. Once access can be created and discarded within a single task, periodic certification alone cannot prove control. Readers should prepare their IAM and PAM programmes for runtime policy enforcement, especially where agent access intersects with OAuth sprawl and third-party integrations.

The broader pattern is that agent identity governance is converging with workload identity discipline. The same programme that manages service-account lifecycle, offboarding, and secret exposure now has to handle task-scoped agent access without letting convenience recreate standing privilege. For teams that already track cloud entitlements, this is the moment to extend that discipline to AI agents before the blast radius expands.

For practitioners

• Inventory every standing agent entitlement Map where agents, service accounts, and OAuth grants still persist across dev, test, and production. Focus on any access that exists because it was convenient during a pilot, then mark it for runtime replacement or removal.
• Move from pre-provisioned roles to task-scoped tokens Issue credentials only when a task is authorised, and bind them to the specific tool and requester authority. The goal is to eliminate broad reusable access that can survive beyond the approved action.
• Insert a policy enforcement gateway before tool access Place the authorisation decision between the agent and the resource so tokens are downscoped before any MCP server, API, or data source is reached. Keep the agent from deciding its own scope.
• Test drift in a sandbox before production review Use a controlled environment to compare standing access against runtime-minted access and show security reviewers the difference in blast radius. This makes the governance gap visible before the pilot reaches approval.

Key takeaways

• Agentic AI creates privilege drift by design when access is pre-provisioned instead of minted at runtime.
• The practical scale of the problem shows up in reused service accounts, expanded OAuth scopes, and security reviews that cannot certify who has access to what.
• Zero standing privileges is the control model that makes agent pilots governable because it removes durable access from the equation.

Key terms

• Privilege Drift: Privilege drift is the slow expansion of access beyond what was originally intended or reviewed. In agentic systems, it happens quickly because access is often granted to make a pilot work and then left in place, creating durable authority that no longer matches the task.
• Zero Standing Privileges: Zero standing privileges means an identity has no persistent access until a specific task requires it. For autonomous or agentic behaviour, the control matters because it removes durable rights from the identity model and forces access to exist only for the duration of the approved action.
• Runtime Authorisation: Runtime authorisation is the practice of deciding access at the moment an action is executed, not during onboarding or provisioning. It is especially relevant for agentic systems because intent, tool choice, and scope can change during execution, making static access assumptions unreliable.
• AI Identity Gateway: An AI identity gateway is a policy enforcement layer placed between agents and resources. It downscopes credentials, centralises access decisions, and prevents the agent from holding broad reusable privileges that would otherwise accumulate across tools and workflows.

Deepen your knowledge

Runtime-minted access and zero standing privileges are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing controls for agentic systems that cannot rely on stable roles, it is worth exploring.

This post draws on content published by Strata Identity: Zero standing privileges is the access model agentic AI needs. Read the original.