By NHI Mgmt Group Editorial Team | Published 2026-06-10 | Domain: Agentic AI & NHIs | Source: Hush Security

TL;DR: Zero Trust for AI agents assumes cryptographic runtime identity, short-lived credentials, and explicit tool boundaries, but many organisations still depend on static secrets and control-by-friction, according to Hush Security’s analysis of Anthropic’s framework. Access review processes assume privilege lasts long enough to inspect; autonomous agents can acquire and discard access within a single session.


At a glance

What this is: This analysis argues that zero trust for AI agents fails without runtime identity, task-scoped credentials, and policy enforcement at the access layer.

Why it matters: It matters because IAM, NHI, and emerging agentic governance programmes now need controls that can verify and constrain machine activity at runtime, not just at provisioning time.

👉 Read Hush Security's analysis of zero trust for AI agents and runtime identity


Context

Zero trust for AI agents means enforcing identity, access, and policy at runtime instead of trusting a system because it was configured correctly earlier. The gap the article addresses is between that model and the reality of most enterprises, where cryptographic runtime identity for agents and other non-human workloads is still missing.

The article is really about a governance mismatch: controls built for human-paced or static machine access are being asked to govern AI systems that invoke tools, maintain memory, and interact at machine speed. That shifts the problem from secret hygiene alone to runtime attribution, scoped access, and explicit enforcement at the access layer.


Key questions

Q: How should security teams govern AI agents that use tools and memory at runtime?

A: Treat AI agents as runtime identities with explicit access boundaries, not as scripts that can be trusted by design. Security teams should require unique identity, task-scoped credentials, and policy enforcement at the access layer so tool use is constrained before execution, not reviewed after the fact.

Q: Why do static secrets create outsized risk in AI agent environments?

A: Static secrets create outsized risk because they outlive the task, can be reused across sessions, and are easy to discover through code, pipelines, or model-assisted analysis. In AI agent environments, the same credential may unlock multiple tools and services, which turns one exposure into a broad identity blast radius.

Q: What breaks when access control depends on friction instead of runtime enforcement?

A: Friction-based controls break when an attacker can operate at machine speed and chain ordinary permissions into harmful outcomes. Rate limits, unusual ports, and delayed reviews may slow activity, but they do not stop a legitimate connection from being abused once the credential is already valid.

Q: Who is accountable when an AI agent misuses delegated access?

A: Accountability should remain with the team that granted the access and defined the policy boundaries, because the agent is operating inside a human-owned governance model. If telemetry cannot identify the specific workload or agent instance, the organisation has an attribution failure as well as an access failure.


Technical breakdown

Runtime identity for AI agents and non-human workloads

AI agents that call tools and access data need cryptographic identity that exists at runtime, not just a name in a directory. In practical terms, that means each agent instance should be verifiable in logs and access requests, with credentials tied to the exact workload and session. Static API keys, embedded secrets, and shared credentials fail this test because they cannot express who or what acted at a specific moment. Without runtime identity, incident reconstruction and access accountability both break down.

Practical implication: inventory every agent and workload identity that lacks runtime verification and treat it as an access-control defect, not a logging problem.

Short-lived credentials versus standing secret exposure

Short-lived credentials reduce blast radius, but they only work when issuance, scope, and expiry are enforced at the point of access. AI-driven systems are attractive targets because model-assisted discovery makes secrets embedded in code, lockfiles, and misconfigured pipelines easy to harvest. The article's central point is that rotating a credential is not enough if the system still relies on a static trust model. Zero trust for agents requires that access be issued for the task, then discarded immediately after use.

Practical implication: replace standing secrets with task-scoped issuance for the workloads carrying the highest blast radius first.

Least agency and access-layer policy enforcement

Least agency extends least privilege by constraining what each agent can do, how often it can do it, and which services it can reach. That is important because AI agents can chain legitimate tools into harmful sequences without ever touching a classic host-based indicator. Policy has to sit outside the agent, at the access layer, so the connection simply cannot happen unless it is explicitly authorised. That makes runtime policy the control, not the prompt or the agent’s internal instructions.

Practical implication: define allowlists for agent-to-service connections and block any tool path that is not explicitly authorised in policy.
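
The three controls above (runtime identity, task-scoped credentials, and access-layer policy) fit together in one small policy enforcement point. The following is an added example written for this page, not code from Hush Security, NHIMG, or any product they describe. The HMAC signing key, the agent and tool names, the allowlist, and the session walked through in `demo()` are all hypothetical; a real issuer would sign with an asymmetric key held in a KMS or HSM so the gateway verifies without holding anything that could mint tokens.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Hypothetical issuer key, constructed for this example. A real issuer keeps
# its key in a KMS/HSM and signs with an asymmetric key, so the gateway can
# verify tokens without holding a secret that could mint them.
SIGNING_KEY = b"hypothetical-issuer-key-do-not-use"

# Constructed allowlist of (tool, action) pairs per agent identity. Anything
# not listed is denied at the access layer, whatever the prompt says.
POLICY = {
    "agent:invoice-bot": {("crm", "read"), ("email", "send")},
    "agent:research-bot": {("web", "fetch")},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_task_credential(agent_id, instance_id, session_id, tool, action,
                          ttl_s=60, now=None):
    """Mint a credential bound to one agent instance, session, tool and action.
    Unlike a static API key it states who acted, which running copy, in which
    session, for what, and when it stops being valid."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "inst": instance_id, "sess": session_id,
              "tool": tool, "act": action, "jti": uuid.uuid4().hex,
              "iat": int(now), "exp": int(now) + ttl_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class AccessGateway:
    """Policy enforcement point between agents and the tools they call."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self.consumed = set()  # jti values already spent: one task, one use
        self.audit = []        # identity-linked telemetry for attribution

    def _evaluate(self, token, tool, action):
        try:
            body, sig = token.split(".")
            good = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
            if not hmac.compare_digest(sig, good):
                return False, "bad-signature", None
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return False, "malformed", None
        if self.clock() >= claims["exp"]:
            return False, "expired", claims
        if (claims["tool"], claims["act"]) != (tool, action):
            return False, "out-of-scope", claims   # bound to a different task
        if (tool, action) not in self.policy.get(claims["sub"], set()):
            return False, "not-in-policy", claims  # path never allowlisted
        if claims["jti"] in self.consumed:
            return False, "replayed", claims       # credential already discarded
        self.consumed.add(claims["jti"])
        return True, "allowed", claims

    def authorize(self, token, tool, action):
        """Decide the call and log who/what asked, whatever the outcome."""
        allowed, reason, claims = self._evaluate(token, tool, action)
        claims = claims or {}
        self.audit.append({"ts": int(self.clock()), "tool": tool, "action": action,
                           "decision": reason, "sub": claims.get("sub"),
                           "inst": claims.get("inst"), "sess": claims.get("sess")})
        return allowed


def demo(now=1_700_000_000):
    """Run one constructed agent session through the gateway; returns the audit trail."""
    gw = AccessGateway(POLICY, clock=lambda: now + 5)

    def mint(agent, inst, sess, tool, act, ttl=60):
        return issue_task_credential(agent, inst, sess, tool, act, ttl_s=ttl, now=now)

    read = mint("agent:invoice-bot", "inst-7f3a", "sess-01", "crm", "read")
    gw.authorize(read, "crm", "read")     # allowed: scope and policy both match
    gw.authorize(read, "crm", "export")   # out-of-scope: token is read-only
    gw.authorize(read, "crm", "read")     # replayed: task credential was single use
    hop = mint("agent:research-bot", "inst-91c0", "sess-02", "email", "send")
    gw.authorize(hop, "email", "send")    # not-in-policy: chained path not allowed
    stale = mint("agent:invoice-bot", "inst-7f3a", "sess-01", "email", "send", ttl=1)
    gw.authorize(stale, "email", "send")  # expired: clock is past exp
    return gw.audit
```

Two design points matter more than the token format. First, the policy check keys on the agent identity carried inside the signed credential, not on anything the agent asserts about itself, so a prompt that talks the agent into a new tool path still hits the allowlist. Second, every decision, including denials and malformed tokens, lands in the audit list with the subject, instance and session claims, which is what makes reconstruction possible when several instances of the same agent run in parallel.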


Threat narrative

Attacker objective: The objective is to use legitimate non-human access paths to expand reach, conceal activity, and exfiltrate or manipulate data without tripping conventional perimeter controls.

  1. Entry begins when an attacker finds static API keys or embedded credentials in code, lockfiles, or CI/CD paths that AI-assisted analysis can surface quickly.
  2. Escalation follows when those credentials allow tool chaining, MCP redirection, or access to services beyond the original task boundary.
  3. Impact occurs when legitimate credentials are used to copy data, reveal access credentials, or silently redirect outbound communications at scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Static secrets are the wrong trust primitive for AI agents. The article’s central problem is not merely exposure, but the fact that static credentials assume a stable identity-to-action relationship. AI agents can select tools and execute tasks at runtime, which means the secret model is already behind the behaviour it is trying to govern. The implication is that access governance has to move from stored secrets to runtime identity and task-scoped authority.

Least privilege is insufficient when the actor can assemble its own execution path. The article shows that agents can combine ordinary tools into harmful sequences without violating any single permission boundary. That is a different failure mode from overprovisioning alone, because the risk sits in orchestration and path selection. The implication is that identity programmes must govern allowable action chains, not just entitlements.

Control-by-friction collapses under machine-speed adversaries. Rate limits, unusual ports, and delayed review steps may slow a human attacker, but they do not provide durable protection when decisions, tool calls, and follow-on actions happen faster than review cycles. This is where zero trust for AI agents becomes a runtime enforcement problem rather than a policy-document problem. The implication is that organisations should stop treating friction as a control substitute.

Runtime attribution is now a governance requirement, not a detection luxury. The article makes clear that without identity-linked telemetry, teams cannot reconstruct who or what accessed a service, what was used, or when it happened. That is especially important for AI-driven environments where multiple agent instances may act in parallel. The implication is that auditability must be designed into the access layer, not added after an incident.

Identity blast radius should replace generic access scope as the governing concept. In AI-agent environments, the practical question is no longer only what a workload can reach, but how far one compromised credential can propagate through tools, memory, and connected services. This reframes the programme around containment and traceability. The implication is that practitioners should prioritise blast-radius reduction over broad access normalisation.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which leaves most NHI programmes unable to prove what is active or exposed.
  • For a deeper standards view, the Ultimate Guide to NHIs: Standards ties these issues to governance controls practitioners can map into current identity programmes.

What this signals

Identity blast radius: AI agent programmes now need to be measured by how far one credential can travel through connected tools, not just by whether a secret exists. With 92% of organisations exposing NHIs to third parties, per the Ultimate Guide to NHIs, the shared trust boundary is already too wide for static assumptions.

For practitioners, the next programme shift is toward runtime discovery, attribution, and policy enforcement that can keep pace with machine-speed access. That means the control set has to include visibility into shadow identities, explicit service-to-service authorisation, and incident telemetry that ties every action back to a specific runtime actor.


For practitioners

  • Map every agent to a runtime identity: require a verifiable identity for each agent instance, workload, and service account so every access event can be attributed to a specific runtime actor.
  • Replace standing secrets with task-scoped credentials: issue credentials only at the moment of access, scope them to the exact task, and expire them immediately after use to reduce the value of exposed secrets.
  • Define explicit agent-to-service policies: block any connection that is not explicitly authorised at the access layer, including tool paths created by chained agent behaviour or MCP redirection.
  • Prioritise the largest identity blast radius first: start with the workloads that can reach the most sensitive systems, then use runtime discovery to identify where hidden access paths and shadow identities still exist.
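
Prioritising by blast radius (this bullet and the "Identity blast radius" paragraph in the analysis above) only works if the radius is measured, not guessed. The following is an added example for this page, not code or data from the article or NHIMG. It walks a constructed inventory of credentials, the services each unlocks, the further secrets those services hand out (a config store, vault, or agent memory that returns credentials adds a hop), and the identities holding each credential, then ranks credentials by transitive reach. All names and sensitivity weights are hypothetical.

```python
from collections import deque

# Constructed inventory with hypothetical names; not data from the article.
# credential -> services it unlocks directly
GRANTS = {
    "key-crm-static": {"crm"},
    "key-mail": {"email"},
    "key-web": {"web"},
    "key-config": {"config-store"},
}
# service -> further credentials readable from it. A config store, vault or
# agent memory that hands out secrets extends the radius by one more hop.
EXPOSES = {
    "config-store": {"key-crm-static", "key-mail"},
}
# credential -> identities holding it. More than one holder means the
# credential is shared and cannot attribute an action to a single actor.
HOLDERS = {
    "key-crm-static": {"agent:invoice-bot", "svc:billing-sync"},
    "key-mail": {"agent:invoice-bot"},
    "key-web": {"agent:research-bot"},
    "key-config": {"svc:deployer"},
}
# Hypothetical sensitivity weights per service, used to score a radius.
SENSITIVITY = {"crm": 5, "email": 3, "config-store": 4, "web": 1}


def credential_blast_radius(start, grants=GRANTS, exposes=EXPOSES,
                            holders=HOLDERS, sensitivity=SENSITIVITY):
    """Everything an attacker holding `start` can reach, transitively (BFS)."""
    seen_creds = {start}
    services = set()
    via = {}  # service -> credential that first unlocked it (the propagation path)
    queue = deque([start])
    while queue:
        cred = queue.popleft()
        for svc in grants.get(cred, ()):
            if svc not in services:
                services.add(svc)
                via[svc] = cred
            for nxt in exposes.get(svc, ()):   # secrets retrievable from svc
                if nxt not in seen_creds:
                    seen_creds.add(nxt)
                    queue.append(nxt)
    identities = set().union(*(holders.get(c, set()) for c in seen_creds))
    return {
        "credentials": sorted(seen_creds),      # everything that must be rotated
        "services": sorted(services),
        "via": via,
        "identities": sorted(identities),       # actors whose access is now suspect
        "shared": len(holders.get(start, ())) > 1,
        "score": sum(sensitivity.get(s, 0) for s in services),
    }


def identity_blast_radius(identity, holders=HOLDERS, **kw):
    """Union of the radii of every credential one agent or workload holds."""
    sensitivity = kw.get("sensitivity", SENSITIVITY)
    held = [c for c, who in holders.items() if identity in who]
    radii = [credential_blast_radius(c, holders=holders, **kw) for c in held]
    services = sorted(set().union(*(set(r["services"]) for r in radii)))
    return {"credentials": sorted(held), "services": services,
            "score": sum(sensitivity.get(s, 0) for s in services)}


def rank_credentials(grants=GRANTS, **kw):
    """(credential, score, shared) ordered by blast radius: remediate top-down."""
    rows = [(c, credential_blast_radius(c, grants=grants, **kw)) for c in grants]
    return sorted(((c, r["score"], r["shared"]) for c, r in rows),
                  key=lambda t: (-t[1], t[0]))
```

In the constructed inventory the credential with the smallest direct grant (`key-config`, which opens only a config store) ends up with the largest radius, because the store returns two further credentials; a ranking based on direct entitlements alone would have put it last. The `shared` flag is the attribution check from the runtime-identity section: a credential with more than one holder cannot say which actor used it, so it is a rotation and re-issuance candidate regardless of score.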

Key takeaways

  • AI agent zero trust fails when the programme still assumes secrets and identities are stable enough to govern after the fact.
  • The evidence points to a broad remediation gap, with exposed secrets and weak visibility leaving most organisations unable to constrain machine access reliably.
  • Practitioners should move toward runtime identity, task-scoped credentials, and access-layer policy before agent deployments expand further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | (no specific entry cited) | Agent tool use, MCP risk, and scope control are central to the article.
OWASP Non-Human Identity Top 10 | NHI-03 | Static secret exposure and credential rotation gaps are directly discussed. (NHI-03 is the identifier as cited; in the 2025 list the Secret Leakage and Long-Lived Secrets entries are the closer match for this topic.)
NIST Zero Trust (SP 800-207) | PR.AC-4 | The article centres on runtime access enforcement and least-privilege boundaries. (PR.AC-4 is a NIST Cybersecurity Framework identifier rather than an SP 800-207 control; what SP 800-207 contributes is the policy decision point and policy enforcement point model that access-layer enforcement depends on.)

Replace standing secrets with short-lived credentials and validate rotation discipline continuously.


Key terms

  • Runtime identity: A runtime identity is a verifiable identity assigned to a workload, agent, or service at the moment it acts. It allows access decisions and audit logs to tie a specific action to a specific execution instance, which is essential when machine behaviour changes session by session.
  • Least agency: Least agency is the principle of limiting what an AI agent can do, how often it can do it, and which services it can reach. It goes beyond least privilege by constraining the execution path itself, not just the permissions attached to the actor.
  • Identity blast radius: Identity blast radius is the maximum damage a compromised credential or agent instance can cause across connected tools, services, and data. The concept helps practitioners evaluate not only whether access exists, but how far misuse can propagate before containment is possible.
  • Task-scoped credential: A task-scoped credential is issued for one specific action or workload and expires after the task completes. It reduces exposure by preventing long-lived reuse, which is especially important when agents operate at runtime and should not retain standing access between sessions.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Hush Security: Zero Trust for AI agents is the right framework for this moment. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org